Re: [SECURITY] [DLA 2991-1] twisted security update
Hi Stefano,
congratulations on the first DLA! Good job!
Just a small piece of advice. It would be good to add one line to the DLA
with a short description of the package. Something like this:
"Several issues were discovered in Twisted, an event-based framework
for internet applications..." .
You will find many more examples on the debian-lts-announce mailing list [1].
It can help people understand what the package is for and whether
they need to apply an update.
[1] https://lists.debian.org/debian-lts-announce/
Best regards
Anton
On Tue, 3 May 2022 at 14:22, Stefano Rivera <stefanor@debian.org> wrote:
>
> -------------------------------------------------------------------------
> Debian LTS Advisory DLA-2991-1 debian-lts@lists.debian.org
> https://www.debian.org/lts/security/ Stefano Rivera
> May 03, 2022 https://wiki.debian.org/LTS
> -------------------------------------------------------------------------
>
> Package : twisted
> Version : 16.6.0-2+deb9u3
> CVE ID : CVE-2022-24801
> Debian Bug : 1009030
>
> The Twisted Web HTTP 1.1 server, located in the twisted.web.http module, parsed
> several HTTP request constructs more leniently than permitted by RFC 7230. This
> non-conformant parsing can lead to desync if requests pass through multiple
> HTTP parsers, potentially resulting in HTTP request smuggling.
>
> For Debian 9 stretch, this problem has been fixed in version
> 16.6.0-2+deb9u3.
>
> We recommend that you upgrade your twisted packages.
>
> For the detailed security status of twisted please refer to
> its security tracker page at:
> https://security-tracker.debian.org/tracker/twisted
>
> Further information about Debian LTS security advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: https://wiki.debian.org/LTS
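As an added example (not Twisted's code and not part of the advisory), the following shows the kind of strict RFC 7230 checks a front-end parser needs so that it never accepts a request that a second parser downstream might frame differently; the header lines and chunk-size lines it checks are constructed here for illustration.

```python
import re

# RFC 7230 "tchar" alphabet: the only characters allowed in a field-name.
# A space before the colon therefore makes the line invalid (RFC 7230 3.2.4).
_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
_HEX = re.compile(r"[0-9A-Fa-f]+")
_DIGITS = re.compile(r"[0-9]+")


def check_header_block(block):
    """Return the reasons a header block must be rejected; [] means it is clean.

    `block` is the CRLF-separated text between the request-line and the
    terminating blank line (constructed sample input, see the test values).
    """
    problems = []
    seen = {}
    for line in block.split("\r\n"):
        if line == "":
            continue
        if line[0] in " \t":
            # obs-fold: reject it rather than guess how another parser joins it.
            problems.append("obs-fold continuation line: " + repr(line))
            continue
        name, sep, value = line.partition(":")
        if not sep or not _TOKEN.fullmatch(name):
            problems.append("invalid field-name: " + repr(name))
            continue
        seen.setdefault(name.lower(), []).append(value.strip())
    if "content-length" in seen and "transfer-encoding" in seen:
        # Two framing mechanisms: two parsers may pick different ones (desync).
        problems.append("Content-Length and Transfer-Encoding both present")
    lengths = seen.get("content-length", [])
    for v in lengths:
        if not _DIGITS.fullmatch(v):
            problems.append("non-numeric Content-Length: " + repr(v))
    if len(set(lengths)) > 1:
        problems.append("conflicting Content-Length values")
    return problems


def parse_chunk_size(line):
    """Parse one chunk-size line strictly: hex digits, then optional ';' chunk-ext.

    Anything else (leading/trailing whitespace, '0x' prefix, sign) is rejected,
    because lenient readings of such lines are exactly what lets body framing
    diverge between parsers.
    """
    size, _, _ext = line.partition(";")
    if not _HEX.fullmatch(size):
        raise ValueError("invalid chunk-size: " + repr(size))
    return int(size, 16)
```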