[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[SECURITY] [DLA 3970-1] twisted security update



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3970-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Sylvain Beucler
November 28, 2024                             https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : twisted
Version        : 20.3.0-7+deb11u2
CVE ID         : CVE-2022-39348 CVE-2023-46137 CVE-2024-41671 CVE-2024-41810
Debian Bug     : 1023359 1054913 1077679 1077680

Multiple security issues were found in Twisted, an event-based framework
for internet applications, which could result in incorrect ordering of
HTTP requests or cross-site scripting.

CVE-2022-39348

    When the host header does not match a configured host
    `twisted.web.vhost.NameVirtualHost` will return a `NoResource`
    resource which renders the Host header unescaped into the 404
    response allowing HTML and script injection. In practice this
    should be very difficult to exploit as being able to modify the
    Host header of a normal HTTP request implies that one is already
    in a privileged position.

CVE-2023-46137

    When sending multiple HTTP requests in one TCP packet, twisted.web
    will process the requests asynchronously without guaranteeing the
    response order. If one of the endpoints is controlled by an
    attacker, the attacker can delay the response on purpose to
    manipulate the response of the second request when a victim
    launched two requests using HTTP pipeline.

CVE-2024-41671

    The HTTP 1.0 and 1.1 server provided by twisted.web could process
    pipelined HTTP requests out-of-order, possibly resulting in
    information disclosure.

CVE-2024-41810

    The `twisted.web.util.redirectTo` function contains an HTML
    injection vulnerability. If application code allows an attacker to
    control the redirect URL this vulnerability may result in
    Reflected Cross-Site Scripting (XSS) in the redirect response HTML
    body.

For Debian 11 bullseye, these problems have been fixed in version
20.3.0-7+deb11u2.

We recommend that you upgrade your twisted packages.

For the detailed security status of twisted please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/twisted

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE1vEOfV7HXWKqBieIDTl9HeUlXjAFAmdIXJsACgkQDTl9HeUl
XjC0Zw/+MXwCXxuRSrLIlK6viqAv9M/+HM4begErDiqAyyfw5iOoVewnUXAeD/bq
bmXDYLwp3YDhksn9wWojIHvmU5eybhykAf2ZXGfOEzS3UAqn7Z7LS6QRNRFaXCoD
bR8f4IkvZhDjOfsLy5QI4qOIoULN1Y2w4l7hunKdctNKAtmiOi412YpYPmpeU8Gi
nCkKAkfyphAlgiOI+aouRtBLsH/PW1Z70dE63QpcPUYhhJc0cnQyezJXsXtQUwVS
wztRVDoeVHrXxJtiK4pma9Iyr+13zN7OzfOLOfVlLF0ZOoGQlInJFWZze1IG2kWY
zuObO9qHGpgfkQtKUIp7qncbgbfjRjxisml+BtqRNZr7BK6ACTIk7tRDbBEqpcyr
EaPflmqeyjPOZGRtj1cvfxFfA3WmmC48wvZ+ay5RhDALqrDv20hzQqjlSTm4HAfF
4nrucX8MpH7MstBhLqA8j777G6g63gyEQzLZXoyrAeRnp6ts/FHt8HNE4jltnXAh
Gn7OA9DeQpWFBbadZTnW2lueFRhD4m+tiONXHmzVh4wOCCCanY6bWV8o9qyHiQtP
aMgmVHk3Tx3UnfozJlv+Eo+fFFT/maPfzX0JEnArLjPfI9EcBt96e+/kPoEZbBDi
D4FbeVsYOH5n4ambRFjE+uYt6oeTrvGI0LPP/yNHZQiL781peKY=
=2RPB
-----END PGP SIGNATURE-----


Reply to: