
Accepted twisted 20.3.0-7+deb11u2 (source) into oldstable-security




Format: 1.8
Date: Wed, 27 Nov 2024 20:11:39 +0100
Source: twisted
Architecture: source
Version: 20.3.0-7+deb11u2
Distribution: bullseye-security
Urgency: high
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Sylvain Beucler <beuc@debian.org>
Closes: 1023359 1054913 1077679 1077680
Changes:
 twisted (20.3.0-7+deb11u2) bullseye-security; urgency=high
 .
   * Non-maintainer upload by the LTS Security Team.
   * CVE-2022-39348: When the Host header does not match a configured host,
     `twisted.web.vhost.NameVirtualHost` will return a `NoResource`
     resource which renders the Host header unescaped into the 404 response,
     allowing HTML and script injection. In practice this should be very
     difficult to exploit, as being able to modify the Host header of a
     normal HTTP request implies that one is already in a privileged
     position. (Closes: #1023359)
   * CVE-2023-46137: When multiple HTTP requests are sent in one TCP packet,
     twisted.web will process the requests asynchronously without
     guaranteeing the response order. If one of the endpoints is controlled
     by an attacker, the attacker can delay the response on purpose to
     manipulate the response to the second request when a victim sends
     two requests using HTTP pipelining. (Closes: #1054913)
   * CVE-2024-41671: The HTTP 1.0 and 1.1 server provided by twisted.web
     could process pipelined HTTP requests out of order, possibly resulting
     in information disclosure. (Closes: #1077679)
   * CVE-2024-41810: The `twisted.web.util.redirectTo` function contains an
     HTML injection vulnerability. If application code allows an attacker
     to control the redirect URL this vulnerability may result in Reflected
     Cross-Site Scripting (XSS) in the redirect response HTML
     body. (Closes: #1077680)
   * Test suite: fix TCP "Too many open files" errors.
   * Test suite: fix SSL "key too small" errors.
   * Test suite: fix SSL "wrong version number" errors.
   * Test suite: fix SSL ellipticCurveDiffieHellman test.
   * Test suite: add salsa-ci.yml and configure to bullseye-lts.
   * python3-twisted.lintian-overrides: fix rules.


