Re: Wheezy update of twisted?
On Tue, Aug 09, 2016 at 06:24:40PM +1000, Brian May wrote:
> Salvatore Bonaccorso <carnil@debian.org> writes:
>
> > Hi,
> >
> > Just a quick comment on:
> >
> > On Mon, Aug 08, 2016 at 06:29:30PM +1000, Brian May wrote:
> >> I am inclined to say that no version of twisted, by itself, has this
> >> vulnerability. However like I said earlier it is possible that
> >> applications that use twisted have this vulnerability.
> >
> > Looking at the upstream ticket
> > https://twistedmatrix.com/trac/ticket/8623 I suspect that Twisted
> > 16.3.1 will have something to help mitigating the issue in application
> > that use twisted.
>
> I believe this is the upstream patch:
>
> https://github.com/twisted/twisted/commit/bcac75e6180c9eee4337322c109eb5d1cac51165
>
> Looks like it removes CGI support.
>
> Hmmm. My test was flawed; I don't think I tested CGI. I imagine the
> results would be the same however.
>
> > For Jessie, we do not plan to release any DSA related to this for
> > src:twisted. Don't know if you want to follow that on LTS side.
>
> Yes, I tend to agree. Don't much like the idea of removing a feature in
> what is supposed to be a stable distribution.
>
> Then again, scratch that, looks like none of the files patched exist in
> the wheezy version anyway...
>
> But there is a reference to twisted/web/twcgi.py in ./ChangeLog.Old -
> and twisted/web/twcgi.py is in the upstream git repository for the
> twisted-12.0.0 tag.
>
> Oh, I see, it looks like the source was split up for the Debian
> packaging. So the twisted-web source contains the file in question, not
> the twisted package.
Thanks for having a look! I've added twisted-web to dla-needed.txt as
well (Salvatore already updated data/CVE/list).
Cheers,
-- Guido