Re: Wheezy update of twisted?
This security vulnerability is described here:
https://bugzilla.redhat.com/show_bug.cgi?id=1357345
as:
"sets environmental variable based on user supplied Proxy request
header"
In particular it is talking about HTTP_PROXY, and it is only a problem if
the server makes an outgoing HTTP request using this value.
Looking at this, I am inclined to say this isn't a security issue in
twisted itself, rather some unspecified applications that use twisted.
Just trying to double check this. I can't find any references
(case-insensitive) of "HTTP_PROXY" in the twisted source however.
This appears to be confirmed by the first sentence in the redhat bug
report:
"Many software projects and vendors have implemented support for the
“Proxy” request header in their respective CGI implementations and
languages by creating the “HTTP_PROXY” environmental variable based on
the header value."
There are a number of projects in Debian that use twisted, should we
check each one?
Sure would be good if I had an example application that was confirmed
vulnerable.
--
Brian May <bam@debian.org>
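The mechanism the Red Hat report describes, as an added illustration that is not part of the message above and is not Twisted's code: a generic CGI-style gateway that translates request headers into `HTTP_*` environment variables (the RFC 3875 naming rule), so that a client-supplied `Proxy` header lands in `HTTP_PROXY`; a hardened variant that drops that header before the environ is built (the mitigation web servers adopted for this class of issue); and the check CPython's urllib uses, ignoring `HTTP_PROXY` when `REQUEST_METHOD` is set, since in a CGI context that variable may have come from the request. The header values and host names are constructed for the example.

```python
"""Added example, not from the mailing-list message or from Twisted.

Models how a CGI-style gateway turns request headers into environment
variables, why a client-supplied "Proxy" header becomes HTTP_PROXY, and
two defensive measures: dropping the header at the gateway, and refusing
to trust HTTP_PROXY inside a CGI context.
"""
from typing import Dict, Iterable, Optional, Tuple

# Headers a CGI gateway carries under a non-HTTP_ name (RFC 3875 section 4.1).
_CGI_RENAMED = {"content-type": "CONTENT_TYPE", "content-length": "CONTENT_LENGTH"}


def header_to_env_name(header: str) -> str:
    """RFC 3875 rule for arbitrary request headers: uppercase, '-' -> '_', prefix HTTP_."""
    return "HTTP_" + header.upper().replace("-", "_")


def build_cgi_environ(method: str, headers: Iterable[Tuple[str, str]],
                      drop_proxy: bool = False) -> Dict[str, str]:
    """Build the environ a CGI script would see.

    With drop_proxy=False every header is copied, so a request carrying
    "Proxy: http://..." yields HTTP_PROXY, the same name HTTP client
    libraries read to pick an outgoing proxy. With drop_proxy=True the
    "Proxy" header (which has no defined meaning in HTTP) is discarded
    before the environ is built; this is the gateway-side mitigation.
    """
    env = {"REQUEST_METHOD": method}
    for name, value in headers:
        lname = name.lower()
        if drop_proxy and lname == "proxy":
            continue
        env[_CGI_RENAMED.get(lname, header_to_env_name(name))] = value
    return env


def proxy_from_environ_untrusting_cgi(env: Dict[str, str]) -> Optional[str]:
    """Model of the client-library-side mitigation.

    Returns the proxy URL an outgoing HTTP request would use, mirroring the
    rule CPython's urllib adopted: when REQUEST_METHOD is present (a CGI
    context) HTTP_PROXY is ignored because it may be request-derived; only
    the lowercase http_proxy, which CGI never sets from a header, is honoured.
    """
    if "REQUEST_METHOD" in env:
        return env.get("http_proxy")
    return env.get("HTTP_PROXY") or env.get("http_proxy")


def proxy_from_environ_naive(env: Dict[str, str]) -> Optional[str]:
    """Model of a client library that trusts HTTP_PROXY unconditionally."""
    return env.get("HTTP_PROXY") or env.get("http_proxy")


# Constructed sample request: the third header is the attacker-controlled one.
SAMPLE_HEADERS = [
    ("Host", "app.example"),
    ("User-Agent", "curl/7.0"),
    ("Proxy", "http://proxy.invalid:8080"),
]


def demo() -> Dict[str, Optional[str]]:
    """Run the three scenarios and return which proxy each would use."""
    naive_env = build_cgi_environ("GET", SAMPLE_HEADERS)
    hardened_env = build_cgi_environ("GET", SAMPLE_HEADERS, drop_proxy=True)
    return {
        "naive gateway + naive client": proxy_from_environ_naive(naive_env),
        "naive gateway + cgi-aware client": proxy_from_environ_untrusting_cgi(naive_env),
        "hardened gateway + naive client": proxy_from_environ_naive(hardened_env),
    }


if __name__ == "__main__":
    for scenario, proxy in demo().items():
        print(f"{scenario}: {proxy!r}")
```

Only the first scenario ends up routing an outgoing request through the client-supplied address, which is exactly the condition the message identifies: a gateway that copies headers into the environ and an application that then makes an outbound HTTP request using that value. Either mitigation alone is enough to break the chain.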