Debian alert DLA-3970-1 (twisted)
| From: | Sylvain Beucler <beuc@beuc.net> | |
| To: | debian-lts-announce@lists.debian.org | |
| Subject: | [SECURITY] [DLA 3970-1] twisted security update | |
| Date: | Thu, 28 Nov 2024 16:34:53 +0100 | |
| Message-ID: | <Z0iNnREzmOD1pNU0@mail.beuc.net> |
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian LTS Advisory DLA-3970-1 debian-lts@lists.debian.org https://www.debian.org/lts/security/ Sylvain Beucler November 28, 2024 https://wiki.debian.org/LTS - ------------------------------------------------------------------------- Package : twisted Version : 20.3.0-7+deb11u2 CVE ID : CVE-2022-39348 CVE-2023-46137 CVE-2024-41671 CVE-2024-41810 Debian Bug : 1023359 1054913 1077679 1077680 Multiple security issues were found in Twisted, an event-based framework for internet applications, which could result in incorrect ordering of HTTP requests or cross-site scripting. CVE-2022-39348 When the host header does not match a configured host `twisted.web.vhost.NameVirtualHost` will return a `NoResource` resource which renders the Host header unescaped into the 404 response allowing HTML and script injection. In practice this should be very difficult to exploit as being able to modify the Host header of a normal HTTP request implies that one is already in a privileged position. CVE-2023-46137 When sending multiple HTTP requests in one TCP packet, twisted.web will process the requests asynchronously without guaranteeing the response order. If one of the endpoints is controlled by an attacker, the attacker can delay the response on purpose to manipulate the response of the second request when a victim launched two requests using HTTP pipeline. CVE-2024-41671 The HTTP 1.0 and 1.1 server provided by twisted.web could process pipelined HTTP requests out-of-order, possibly resulting in information disclosure. CVE-2024-41810 The `twisted.web.util.redirectTo` function contains an HTML injection vulnerability. If application code allows an attacker to control the redirect URL this vulnerability may result in Reflected Cross-Site Scripting (XSS) in the redirect response HTML body. For Debian 11 bullseye, these problems have been fixed in version 20.3.0-7+deb11u2. We recommend that you upgrade your twisted packages. For the detailed security status of twisted please refer to its security tracker page at: https://security-tracker.debian.org/tracker/twisted Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE1vEOfV7HXWKqBieIDTl9HeUlXjAFAmdIXJsACgkQDTl9HeUl XjC0Zw/+MXwCXxuRSrLIlK6viqAv9M/+HM4begErDiqAyyfw5iOoVewnUXAeD/bq bmXDYLwp3YDhksn9wWojIHvmU5eybhykAf2ZXGfOEzS3UAqn7Z7LS6QRNRFaXCoD bR8f4IkvZhDjOfsLy5QI4qOIoULN1Y2w4l7hunKdctNKAtmiOi412YpYPmpeU8Gi nCkKAkfyphAlgiOI+aouRtBLsH/PW1Z70dE63QpcPUYhhJc0cnQyezJXsXtQUwVS wztRVDoeVHrXxJtiK4pma9Iyr+13zN7OzfOLOfVlLF0ZOoGQlInJFWZze1IG2kWY zuObO9qHGpgfkQtKUIp7qncbgbfjRjxisml+BtqRNZr7BK6ACTIk7tRDbBEqpcyr EaPflmqeyjPOZGRtj1cvfxFfA3WmmC48wvZ+ay5RhDALqrDv20hzQqjlSTm4HAfF 4nrucX8MpH7MstBhLqA8j777G6g63gyEQzLZXoyrAeRnp6ts/FHt8HNE4jltnXAh Gn7OA9DeQpWFBbadZTnW2lueFRhD4m+tiONXHmzVh4wOCCCanY6bWV8o9qyHiQtP aMgmVHk3Tx3UnfozJlv+Eo+fFFT/maPfzX0JEnArLjPfI9EcBt96e+/kPoEZbBDi D4FbeVsYOH5n4ambRFjE+uYt6oeTrvGI0LPP/yNHZQiL781peKY= =2RPB -----END PGP SIGNATURE-----