[ubuntu/eoan-updates] twisted 18.9.0-3ubuntu1.1 (Accepted)

Ubuntu Archive Robot cjwatson+ubuntu-archive-robot at chiark.greenend.org.uk
Thu Mar 19 17:58:15 UTC 2020


twisted (18.9.0-3ubuntu1.1) eoan-security; urgency=medium

  * SECURITY UPDATE: incorrect URI and HTTP method validation
    - debian/patches/CVE-2019-12387.patch: prevent CRLF injections in
      src/twisted/web/_newclient.py, src/twisted/web/client.py,
      src/twisted/web/test/injectionhelpers.py,
      src/twisted/web/test/test_agent.py,
      src/twisted/web/test/test_webclient.py.
    - CVE-2019-12387
  * SECURITY UPDATE: incorrect cert validation in XMPP support
    - debian/patches/CVE-2019-12855-*.patch: upstream patches to implement
      certificate checking.
    - CVE-2019-12855
  * SECURITY UPDATE: HTTP/2 denial of service issues
    - debian/patches/CVE-2019-951x.patch: buffer outbound control frames
      and timeout invalid clients in src/twisted/web/_http2.py,
      src/twisted/web/error.py, src/twisted/web/http.py,
      src/twisted/web/test/test_http.py,
      src/twisted/web/test/test_http2.py.
    - CVE-2019-9512
    - CVE-2019-9514
    - CVE-2019-9515
  * SECURITY UPDATE: request smuggling attacks
    - debian/patches/CVE-2020-1010x-pre1.patch: refactor to reduce
      duplication in src/twisted/web/test/test_http.py.
    - debian/patches/CVE-2020-1010x.patch: fix several request smuggling
      attacks in src/twisted/web/http.py,
      src/twisted/web/test/test_http.py.
    - CVE-2020-10108
    - CVE-2020-10109

Date: 2020-03-16 19:55:15.057918+00:00
Changed-By: Marc Deslauriers <marc.deslauriers at canonical.com>
Signed-By: Ubuntu Archive Robot <cjwatson+ubuntu-archive-robot at chiark.greenend.org.uk>
https://launchpad.net/ubuntu/+source/twisted/18.9.0-3ubuntu1.1
-------------- next part --------------
Sorry, changesfile not available.


More information about the Eoan-changes mailing list