Re: Wheezy update of twisted?
This security vulnerability is described here:
"sets environmental variable based on user supplied Proxy request
In particular it is talking about HTTP_PROXY, and it is only a problem if
the server makes an outgoing HTTP request using this value.
Looking at this, I am inclined to say this isn't a security issue in
twisted itself, rather some unspecified applications that use twisted.
Just trying to double check this. I can't find any references
(case-insensitive) of "HTTP_PROXY" in the twisted source however.
This appears to be confirmed by the first sentence in the Red Hat bug
"Many software projects and vendors have implemented support for the
“Proxy” request header in their respective CGI implementations and
languages by creating the “HTTP_PROXY” environmental variable based on
the header value."
There are a number of projects in Debian that use twisted, should we
check each one?
Sure would be good if I had an example application that was confirmed
Brian May <firstname.lastname@example.org>
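
The header-to-environment mapping the message describes, as an added example that is not part of the original message and is not Twisted's code. The function names, sample headers and the placeholder proxy URL are all assumptions made for illustration; the sketch shows a generic CGI mapping producing HTTP_PROXY from a client's Proxy header, next to a variant that drops that header first.

```python
"""Added example: a generic CGI header mapping and a filtered variant."""

# Constructed sample request headers; the Proxy value is a placeholder.
SAMPLE_HEADERS = {
    "Host": "app.example.org",
    "User-Agent": "demo-client/1.0",
    "Proxy": "http://proxy.invalid:3128",
}

# Headers that CGI exposes under their own names, without the HTTP_ prefix.
UNPREFIXED = {"content-type", "content-length"}


def cgi_environ(headers):
    """Map request headers to CGI meta-variables (RFC 3875, section 4.1.18).

    The mapping is generic: it has no literal for the Proxy header, yet a
    request carrying "Proxy: ..." still yields an HTTP_PROXY entry.
    """
    env = {}
    for name, value in headers.items():
        key = name.upper().replace("-", "_")
        if name.lower() not in UNPREFIXED:
            key = "HTTP_" + key
        env[key] = value
    return env


def cgi_environ_filtered(headers):
    """Same mapping, but drop the client's Proxy header before building env."""
    kept = {n: v for n, v in headers.items() if n.lower() != "proxy"}
    return cgi_environ(kept)


def proxy_seen_by_child(env):
    """Value a proxy-aware HTTP client in the CGI child would read, or None."""
    return env.get("HTTP_PROXY")


if __name__ == "__main__":
    for build in (cgi_environ, cgi_environ_filtered):
        env = build(SAMPLE_HEADERS)
        print(f"{build.__name__}: HTTP_PROXY={proxy_seen_by_child(env)!r}")
```
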