-
twisted (18.9.0-11ubuntu0.20.04.3) focal-security; urgency=medium
* SECURITY UPDATE: script injection via unescaped 404 response
- debian/patches/CVE-2022-39348.patch: fix NameVirtualHost HTML
injection vulnerability.
- CVE-2022-39348
* SECURITY UPDATE: Disordered HTTP pipeline response in twisted.web
- debian/patches/CVE-2023-46137-*.patch: handle requests in raw mode.
- CVE-2023-46137
-- Marc Deslauriers <email address hidden> Mon, 04 Dec 2023 09:02:22 -0500
-
twisted (18.9.0-11ubuntu0.20.04.2) focal-security; urgency=medium
* SECURITY UPDATE: Information disclosure results in leaking of HTTP cookie
and authorization headers when following cross origin redirects
- debian/patches/CVE-2022-21712-*.patch: Ensure sensitive HTTP headers are
removed when forming requests, in src/twisted/web/client.py,
src/twisted/web/test/test_agent.py and src/twisted/web/iweb.py.
- CVE-2022-21712
* SECURITY UPDATE: Parsing of SSH version identifier field during an SSH
handshake can result in a denial of service when excessively large packets
are received
- debian/patches/CVE-2022-21716-*.patch: Ensure that length of received
handshake buffer is checked, prior to processing version string in
src/twisted/conch/ssh/transport.py and
src/twisted/conch/test/test_transport.py
- CVE-2022-21716
-- Ray Veldkamp <email address hidden> Mon, 21 Mar 2022 21:13:42 +1100
-
twisted (18.9.0-11ubuntu0.20.04.1) focal; urgency=medium
* Fix NoneType encode error when multipart body does not include
content-disposition headers (LP: #1915819)
- d/p/lp1915819-Fix-nonetype-encode-error.patch
-- Victor Manuel Tapia King <email address hidden> Wed, 17 Feb 2021 14:46:53 +0100
-
twisted (18.9.0-11) unstable; urgency=medium
* Drop python2 support; Closes: #938731
-- Sandro Tosi <email address hidden> Wed, 01 Apr 2020 20:34:17 -0400
-
twisted (18.9.0-8) unstable; urgency=high
* A no-change upload to set urgency to high since the upload
fixes security issues.
-- Andrej Shadura <email address hidden> Mon, 23 Mar 2020 21:14:09 +0100
-
twisted (18.9.0-6ubuntu1) focal; urgency=medium
* SECURITY UPDATE: incorrect URI and HTTP method validation
- debian/patches/CVE-2019-12387.patch: prevent CRLF injections in
src/twisted/web/_newclient.py, src/twisted/web/client.py,
src/twisted/web/test/injectionhelpers.py,
src/twisted/web/test/test_agent.py,
src/twisted/web/test/test_webclient.py.
- CVE-2019-12387
* SECURITY UPDATE: incorrect cert validation in XMPP support
- debian/patches/CVE-2019-12855-*.patch: upstream patches to implement
certificate checking.
- CVE-2019-12855
* SECURITY UPDATE: HTTP/2 denial of service issues
- debian/patches/CVE-2019-951x.patch: buffer outbound control frames
and timeout invalid clients in src/twisted/web/_http2.py,
src/twisted/web/error.py, src/twisted/web/http.py,
src/twisted/web/test/test_http.py,
src/twisted/web/test/test_http2.py.
- CVE-2019-9511
- CVE-2019-9514
- CVE-2019-9515
* SECURITY UPDATE: request smuggling attacks
- debian/patches/CVE-2020-1010x-pre1.patch: refactor to reduce
duplication in src/twisted/web/test/test_http.py.
- debian/patches/CVE-2020-1010x.patch: fix several request smuggling
attacks in src/twisted/web/http.py,
src/twisted/web/test/test_http.py.
- CVE-2020-10108
- CVE-2020-10109
-- Marc Deslauriers <email address hidden> Thu, 12 Mar 2020 09:35:26 -0400
-
twisted (18.9.0-6build1) focal; urgency=medium
* No-change rebuild to drop python3.7.
-- Matthias Klose <email address hidden> Tue, 18 Feb 2020 10:47:23 +0100
-
twisted (18.9.0-6) unstable; urgency=medium
* Use python2 in the Python2 autopkg test.
* python-twisted-*-dbg: Depend on python2-dbg instead of python-dbg.
-- Matthias Klose <email address hidden> Thu, 09 Jan 2020 21:25:22 +0100
-
twisted (18.9.0-5) unstable; urgency=medium
[ Ondřej Nový ]
* Use debhelper-compat instead of debian/compat
* Add python{,3}-hamcrest to B-D (Closes: #943582).
* Add python{,3}-hamcrest to B-D and D (Closes: #943582).
-- Balint Reczey <email address hidden> Thu, 07 Nov 2019 17:05:21 +0100
-
twisted (18.9.0-4) unstable; urgency=medium
[ Matthias Klose ]
* Fix installation of python3.8 extensions.
* Bump standards version.
* Build-depend on python2-doc instead of python-doc.
* Use python2 as shebang for the Python2 packages.
[ Julian Andres Klode ]
* Add missing Depends for python{,3}-idna to python{,3}-twisted-core, as
they are needed for TLS support. Closes: #935965.
-- Matthias Klose <email address hidden> Sat, 19 Oct 2019 13:24:26 +0200
-
twisted (18.9.0-3ubuntu3) focal; urgency=medium
* Fix installation of python3.8 extensions.
-- Matthias Klose <email address hidden> Sat, 19 Oct 2019 13:24:26 +0200
-
twisted (18.9.0-3ubuntu2) focal; urgency=medium
* No-change rebuild to build with python3.8.
-- Matthias Klose <email address hidden> Fri, 18 Oct 2019 18:28:21 +0000
-
twisted (18.9.0-3ubuntu1) eoan; urgency=medium
* Add missing Depends for python{,3}-idna to python{,3}-twisted-core, as
they are needed for TLS support
-- Julian Andres Klode <email address hidden> Wed, 28 Aug 2019 15:00:59 +0200
