[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Wheezy update of twisted?

Salvatore Bonaccorso <carnil@debian.org> writes:

> Hi,
> Just a quick comment on:
> On Mon, Aug 08, 2016 at 06:29:30PM +1000, Brian May wrote:
>> I am inclined to say that no version of twisted, by itself, has this
>> vulnerability. However like I said earlier it is possible that
>> applications that use twisted have this vulnerability.
> Looking at the upstream ticket
> https://twistedmatrix.com/trac/ticket/8623 I suspect that Twisted
> 16.3.1 will have something to help mitigating the issue in application
> that use twisted.

I believe this is the upstream patch:


Looks like it removes CGI support.

Hmmm. My test was flawed, I don't think I tested CGI. I imagine the
results would be the same however.

> For Jessie, we do not plan to release any DSA related to this for
> src:twisted. Don't know if you want to follow that on LTS side.

Yes, I tend to agree. Don't much like the idea of removing a feature in
what is suppose to be a stable distribution.

Then again, scratch that, looks like none of the files patched exist in
the wheezy version anyway...

But there is a reference to twisted/web/twcgi.py in ./ChangeLog.Old -
and twisted/web/twcgi.py is in the upstream git repository for the
twisted-12.0.0 tag.

Oh, I see, it looks like the source was split up for the Debian
packaging. So the twisted-web source contains the file in question, not
the twisted package.
Brian May <bam@debian.org>

Reply to: