Re: Wheezy update of twisted?

To: Salvatore Bonaccorso <carnil@debian.org>
Cc: Free Ekanayaka <freee@debian.org>, Thorsten Alteholz <debian@alteholz.de>, Matthias Klose <doko@debian.org>, debian-lts@lists.debian.org
Subject: Re: Wheezy update of twisted?
From: Brian May <bam@debian.org>
Date: Tue, 09 Aug 2016 18:24:40 +1000
Message-id: <[🔎] 874m6u9won.fsf@prune.linuxpenguins.xyz>
In-reply-to: <[🔎] 20160808084723.GB17814@lorien.valinor.li>
References: <alpine.DEB.2.02.1607282237080.16763@jupiter.server.alteholz.net> <CABJ6WijygD9iJHa3vGDisi9BXPZku=u+ZSLS0dU9_ir_X3g1+g@mail.gmail.com> <[🔎] 8760rfbozm.fsf@prune.linuxpenguins.xyz> <[🔎] CABJ6WihYJoWVjmaMaU1oo98YA58iiexAUQUPDrE7oLqvLmB-6A@mail.gmail.com> <[🔎] 87a8gnack5.fsf@prune.linuxpenguins.xyz> <[🔎] 20160808084723.GB17814@lorien.valinor.li>

Salvatore Bonaccorso <carnil@debian.org> writes:

> Hi,
>
> Just a quick comment on:
>
> On Mon, Aug 08, 2016 at 06:29:30PM +1000, Brian May wrote:
>> I am inclined to say that no version of twisted, by itself, has this
>> vulnerability. However like I said earlier it is possible that
>> applications that use twisted have this vulnerability.
>
> Looking at the upstream ticket
> https://twistedmatrix.com/trac/ticket/8623 I suspect that Twisted
> 16.3.1 will have something to help mitigating the issue in application
> that use twisted.

I believe this is the upstream patch:

https://github.com/twisted/twisted/commit/bcac75e6180c9eee4337322c109eb5d1cac51165

Looks like it removes CGI support.

Hmmm. My test was flawed, I don't think I tested CGI. I imagine the
results would be the same however.

> For Jessie, we do not plan to release any DSA related to this for
> src:twisted. Don't know if you want to follow that on LTS side.

Yes, I tend to agree. Don't much like the idea of removing a feature in
what is suppose to be a stable distribution.

Then again, scratch that, looks like none of the files patched exist in
the wheezy version anyway...

But there is a reference to twisted/web/twcgi.py in ./ChangeLog.Old -
and twisted/web/twcgi.py is in the upstream git repository for the
twisted-12.0.0 tag.

Oh, I see, it looks like the source was split up for the Debian
packaging. So the twisted-web source contains the file in question, not
the twisted package.
-- 
Brian May <bam@debian.org>

Reply to:

Follow-Ups:
- Re: Wheezy update of twisted?
  - From: Salvatore Bonaccorso <carnil@debian.org>
- Re: Wheezy update of twisted?
  - From: Guido Günther <agx@sigxcpu.org>

References:
- Re: Wheezy update of twisted?
  - From: Brian May <bam@debian.org>
- Re: Wheezy update of twisted?
  - From: Free Ekanayaka <freee@debian.org>
- Re: Wheezy update of twisted?
  - From: Brian May <bam@debian.org>
- Re: Wheezy update of twisted?
  - From: Salvatore Bonaccorso <carnil@debian.org>

Prev by Date: Wheezy update of openssh?
Next by Date: Re: Wheezy update of python-django?
Previous by thread: Re: Wheezy update of twisted?
Next by thread: Re: Wheezy update of twisted?
Index(es):
- Date
- Thread