Re: Wheezy update of twisted?

To: Free Ekanayaka <freee@debian.org>, Thorsten Alteholz <debian@alteholz.de>
Cc: Matthias Klose <doko@debian.org>, debian-lts@lists.debian.org
Subject: Re: Wheezy update of twisted?
From: Brian May <bam@debian.org>
Date: Fri, 05 Aug 2016 18:26:37 +1000
Message-id: <[🔎] 8760rfbozm.fsf@prune.linuxpenguins.xyz>
In-reply-to: <CABJ6WijygD9iJHa3vGDisi9BXPZku=u+ZSLS0dU9_ir_X3g1+g@mail.gmail.com>
References: <alpine.DEB.2.02.1607282237080.16763@jupiter.server.alteholz.net> <CABJ6WijygD9iJHa3vGDisi9BXPZku=u+ZSLS0dU9_ir_X3g1+g@mail.gmail.com>

This security vulnerability is described here:

https://bugzilla.redhat.com/show_bug.cgi?id=1357345

as:

"sets environmental variable based on user supplied Proxy request
header"

In particular it is talking about HTTP_PROXY, and it only a problem if
the server makes an outgoing HTTP request using this value.

Looking at this, I am inclined to say this isn't a security issue in
twisted itself, rather some unspecified applications that use twisted.

Just trying to double check this. I can't find any references
(case-insensitive) of "HTTP_PROXY" in the twisted source however.

This appears to be confirmed by the first sentence in the redhat bug
report:

"Many software projects and vendors have implemented support for the
“Proxy” request header in their respective CGI implementations and
languages by creating the “HTTP_PROXY” environmental variable based on
the header value."

There are a number of projects in Debian that use twisted, should we
check each one?

Sure would be good if I had an example application that was confirmed
vulnerable.
-- 
Brian May <bam@debian.org>

Reply to:

Follow-Ups:
- Re: Wheezy update of twisted?
  - From: Free Ekanayaka <freee@debian.org>

Prev by Date: Re: Wheezy update of python-django?
Next by Date: Re: Wheezy update of twisted?
Previous by thread: raphaelhertzog.com SEO Issues
Next by thread: Re: Wheezy update of twisted?
Index(es):
- Date
- Thread