Re: Wheezy update of twisted?
Salvatore Bonaccorso <email@example.com> writes:
> Just a quick comment on:
> On Mon, Aug 08, 2016 at 06:29:30PM +1000, Brian May wrote:
>> I am inclined to say that no version of twisted, by itself, has this
>> vulnerability. However like I said earlier it is possible that
>> applications that use twisted have this vulnerability.
> Looking at the upstream ticket
> https://twistedmatrix.com/trac/ticket/8623 I suspect that Twisted
> 16.3.1 will have something to help mitigating the issue in application
> that use twisted.
I believe this is the upstream patch:
Looks like it removes CGI support.
Hmmm. My test was flawed, I don't think I tested CGI. I imagine the
results would be the same however.
> For Jessie, we do not plan to release any DSA related to this for
> src:twisted. Don't know if you want to follow that on LTS side.
Yes, I tend to agree. Don't much like the idea of removing a feature in
what is supposed to be a stable distribution.
Then again, scratch that, looks like none of the files patched exist in
the wheezy version anyway...
But there is a reference to twisted/web/twcgi.py in ./ChangeLog.Old -
and twisted/web/twcgi.py is in the upstream git repository for the
Oh, I see, it looks like the source was split up for the Debian
packaging. So the twisted-web source contains the file in question, not
the twisted package.
Brian May <firstname.lastname@example.org>
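The thread above talks about "applications that use twisted" being affected via CGI without spelling out the mechanism. The following is an added illustration, not code from this mail or from Twisted, and it assumes that upstream ticket 8623 concerns the httpoxy class of issue: a CGI host maps every request header to an `HTTP_<NAME>` environment variable, so a client-supplied `Proxy` header becomes `HTTP_PROXY` in the script's environment, which many HTTP client libraries honour for outbound requests. The environment builder, the `BLOCKED_HEADERS` set and the sample request are constructed here to show the unsafe mapping next to the mitigated one.

```python
"""Added example (not Twisted's or the mailing-list author's code).

Assumption: the issue under discussion is httpoxy, where the CGI rule of
exporting each request header as HTTP_<NAME> turns a client-supplied
"Proxy" header into HTTP_PROXY inside the CGI child's environment.
All names and the sample request below are constructed for illustration.
"""
from typing import Dict, Iterable, Tuple

# Header names that must never be copied into the CGI environment:
# "Proxy" collides with the HTTP_PROXY variable that HTTP clients honour.
BLOCKED_HEADERS = frozenset({"proxy"})


def header_to_env_name(name: str) -> str:
    """CGI convention: upper-case, '-' becomes '_', prefixed with HTTP_."""
    return "HTTP_" + name.upper().replace("-", "_")


def build_cgi_environ(headers: Iterable[Tuple[str, str]],
                      mitigate: bool = True) -> Dict[str, str]:
    """Return the HTTP_* portion of a CGI environment.

    mitigate=False reproduces the unsafe behaviour (every header exported);
    mitigate=True drops the Proxy header, which is the shape of the fix.
    """
    env: Dict[str, str] = {}
    for name, value in headers:
        if mitigate and name.lower() in BLOCKED_HEADERS:
            continue
        env[header_to_env_name(name)] = value
    return env


def find_injected_proxy(environ: Dict[str, str]) -> bool:
    """Detection helper: HTTP_PROXY should never appear in an environment
    derived from request headers; a real proxy setting comes from the
    parent process environment, not from the client."""
    return "HTTP_PROXY" in environ


# Constructed sample request: ordinary headers plus an injected Proxy header.
SAMPLE_HEADERS = [
    ("Host", "example.invalid"),
    ("User-Agent", "demo/1.0"),
    ("Proxy", "http://proxy.invalid:8080"),  # would be exported as HTTP_PROXY
]

if __name__ == "__main__":
    unsafe = build_cgi_environ(SAMPLE_HEADERS, mitigate=False)
    safe = build_cgi_environ(SAMPLE_HEADERS)
    print("unsafe environment exports HTTP_PROXY:", find_injected_proxy(unsafe))
    print("mitigated environment exports HTTP_PROXY:", find_injected_proxy(safe))
```

The mitigated builder leaves the script otherwise intact, which is the point raised in the thread: the fix need not remove CGI support, only the one header whose environment name collides with a variable that outbound HTTP clients trust.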