
Re: [SECURITY] [DLA 2991-1] twisted security update

Hi Stefano,

congratulations on the first DLA! Good job!

Just a small piece of advice. It would be good to add one line to the DLA
with a short description of the package. Something like this:

"Several issues were discovered in Twisted, an event-based framework
for internet applications...".
You will find many more examples on the debian-lts-announce mailing list [1].

It can help people to understand what the package is for and whether
they need to apply an update.

[1] https://lists.debian.org/debian-lts-announce/

Best regards


On Tue, 3 May 2022 at 14:22, Stefano Rivera <stefanor@debian.org> wrote:
> -------------------------------------------------------------------------
> Debian LTS Advisory DLA-2991-1                debian-lts@lists.debian.org
> https://www.debian.org/lts/security/                       Stefano Rivera
> May 03, 2022                                  https://wiki.debian.org/LTS
> -------------------------------------------------------------------------
> Package        : twisted
> Version        : 16.6.0-2+deb9u3
> CVE ID         : CVE-2022-24801
> Debian Bug     : 1009030
>
> The Twisted Web HTTP 1.1 server, located in the twisted.web.http module, parsed
> several HTTP request constructs more leniently than permitted by RFC 7230. This
> non-conformant parsing can lead to desync if requests pass through multiple
> HTTP parsers, potentially resulting in HTTP request smuggling.
>
> For Debian 9 stretch, this problem has been fixed in version
> 16.6.0-2+deb9u3.
>
> We recommend that you upgrade your twisted packages.
>
> For the detailed security status of twisted please refer to
> its security tracker page at:
> https://security-tracker.debian.org/tracker/twisted
>
> Further information about Debian LTS security advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: https://wiki.debian.org/LTS
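The advisory quoted above explains the risk in one sentence: when a lenient parser and a strict parser sit in the same request path, they can disagree about where one request ends and the next begins. The following is an added example, not code from Twisted or from the Debian update; the advisory does not enumerate the exact constructs that were fixed, so this does not claim to reproduce them. It shows the general defensive principle instead: a strict RFC 7230 request-head checker that refuses the ambiguous constructs the RFC itself calls out (bare LF terminators, obs-fold continuation lines, whitespace before the colon in a field-name, Content-Length together with Transfer-Encoding, conflicting Content-Length values, a final transfer-coding other than chunked), which is what a front-end or a conformance test would want to enforce. All sample requests are constructed for the demonstration; the host name `example.test` is a placeholder.

```python
"""Strict RFC 7230 request-head checker (added example, not Twisted code)."""
import re
from typing import List, Tuple

# RFC 7230 section 3.2.6 tchar set, used for field-names and transfer-coding names.
TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
DIGITS = re.compile(rb"^[0-9]+$")


class StrictParseError(ValueError):
    """Raised for any construct a strict RFC 7230 parser would not accept."""


def parse_head(raw: bytes) -> Tuple[bytes, List[Tuple[bytes, bytes]]]:
    """Split a raw request into (request-line, [(lowercased name, value)]).

    Rejects bare LF line endings, obs-fold continuation lines and whitespace
    between a field-name and the colon (RFC 7230 sections 3.2.4 and 3.5).
    """
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise StrictParseError("header block not terminated by CRLF CRLF")
    lines = head.split(b"\r\n")
    if any(b"\n" in line for line in lines):
        raise StrictParseError("bare LF used as line terminator")
    request_line, header_lines = lines[0], lines[1:]
    if len(request_line.split(b" ")) != 3:
        raise StrictParseError("request-line is not 'method SP target SP version'")
    headers = []
    for line in header_lines:
        if line[:1] in (b" ", b"\t"):
            raise StrictParseError("obs-fold continuation line")
        name, colon, value = line.partition(b":")
        if not colon or not TOKEN.match(name):
            raise StrictParseError("malformed field-name in %r" % line)
        headers.append((name.lower(), value.strip(b" \t")))
    return request_line, headers


def framing(headers: List[Tuple[bytes, bytes]]) -> Tuple[str, int]:
    """Decide body framing per RFC 7230 section 3.3.3, refusing any ambiguity.

    Returns ("chunked", 0), ("content-length", n) or ("none", 0).
    """
    cl_values = [v for n, v in headers if n == b"content-length"]
    te_values = [v for n, v in headers if n == b"transfer-encoding"]

    if te_values and cl_values:
        # Section 3.3.3: a message carrying both may be an attempt to perform
        # request smuggling; treat it as an error instead of picking one.
        raise StrictParseError("both Transfer-Encoding and Content-Length present")

    if te_values:
        codings = [c.strip(b" \t").lower() for v in te_values for c in v.split(b",")]
        if not all(TOKEN.match(c) for c in codings):
            raise StrictParseError("malformed transfer-coding name")
        if codings[-1] != b"chunked":
            # Section 3.3.3: a request whose final coding is not chunked gets 400.
            raise StrictParseError("final transfer-coding is not chunked")
        if codings.count(b"chunked") != 1:
            # Section 3.3.1: chunked must not be applied more than once.
            raise StrictParseError("chunked applied more than once")
        return ("chunked", 0)

    if cl_values:
        # Section 3.3.2: one all-digit value; any disagreement is invalid.
        if len(set(cl_values)) != 1 or not DIGITS.match(cl_values[0]):
            raise StrictParseError("invalid or conflicting Content-Length")
        return ("content-length", int(cl_values[0]))

    return ("none", 0)


def check(raw: bytes) -> str:
    """Return 'accept:<framing>' or 'reject:<reason>' for one raw request."""
    try:
        _, headers = parse_head(raw)
        kind, n = framing(headers)
    except StrictParseError as exc:
        return "reject:%s" % exc
    if kind == "content-length":
        return "accept:content-length=%d" % n
    return "accept:%s" % kind


# Constructed sample requests for the demonstration; none is real traffic.
SAMPLES = {
    "clean_cl": b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello",
    "clean_te": b"POST / HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n",
    "cl_and_te": b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n",
    "space_before_colon": b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length : 5\r\n\r\n",
    "obs_fold": b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length:\r\n 5\r\n\r\n",
    "dup_cl": b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\nContent-Length: 6\r\n\r\n",
    "bare_lf": b"POST / HTTP/1.1\r\nHost: example.test\nContent-Length: 5\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print("%-20s %s" % (name, check(raw)))
```

Run it directly and the two clean requests are accepted while the other five are rejected with the reason. The design choice worth noting is that the checker never tries to "repair" an ambiguous request (for example by dropping Content-Length when Transfer-Encoding is present, which the RFC permits for downstream recipients); a component that repairs is exactly the kind of component that can disagree with its neighbour, so the safe behaviour for a server or front-end is to reject.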
