[ubuntu/focal-proposed] twisted 18.9.0-6ubuntu1 (Accepted)

Marc Deslauriers marc.deslauriers at ubuntu.com
Mon Mar 16 16:48:15 UTC 2020 

twisted (18.9.0-6ubuntu1) focal; urgency=medium

  * SECURITY UPDATE: incorrect URI and HTTP method validation
    - debian/patches/CVE-2019-12387.patch: prevent CRLF injections in
      src/twisted/web/_newclient.py, src/twisted/web/client.py,
      src/twisted/web/test/injectionhelpers.py,
      src/twisted/web/test/test_agent.py,
      src/twisted/web/test/test_webclient.py.
    - CVE-2019-12387
  * SECURITY UPDATE: incorrect cert validation in XMPP support
    - debian/patches/CVE-2019-12855-*.patch: upstream patches to implement
      certificate checking.
    - CVE-2019-12855
  * SECURITY UPDATE: HTTP/2 denial of service issues
    - debian/patches/CVE-2019-951x.patch: buffer outbound control frames
      and timeout invalid clients in src/twisted/web/_http2.py,
      src/twisted/web/error.py, src/twisted/web/http.py,
      src/twisted/web/test/test_http.py,
      src/twisted/web/test/test_http2.py.
    - CVE-2019-9511
    - CVE-2019-9514
    - CVE-2019-9515
  * SECURITY UPDATE: request smuggling attacks
    - debian/patches/CVE-2020-1010x-pre1.patch: refactor to reduce
      duplication in src/twisted/web/test/test_http.py.
    - debian/patches/CVE-2020-1010x.patch: fix several request smuggling
      attacks in src/twisted/web/http.py,
      src/twisted/web/test/test_http.py.
    - CVE-2020-10108
    - CVE-2020-10109

Date: Thu, 12 Mar 2020 09:35:26 -0400
Changed-By: Marc Deslauriers <marc.deslauriers at ubuntu.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
https://launchpad.net/ubuntu/+source/twisted/18.9.0-6ubuntu1
-------------- next part --------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 12 Mar 2020 09:35:26 -0400
Source: twisted
Architecture: source
Version: 18.9.0-6ubuntu1
Distribution: focal
Urgency: medium
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Marc Deslauriers <marc.deslauriers at ubuntu.com>
Changes:
 twisted (18.9.0-6ubuntu1) focal; urgency=medium
 .
   * SECURITY UPDATE: incorrect URI and HTTP method validation
     - debian/patches/CVE-2019-12387.patch: prevent CRLF injections in
       src/twisted/web/_newclient.py, src/twisted/web/client.py,
       src/twisted/web/test/injectionhelpers.py,
       src/twisted/web/test/test_agent.py,
       src/twisted/web/test/test_webclient.py.
     - CVE-2019-12387
   * SECURITY UPDATE: incorrect cert validation in XMPP support
     - debian/patches/CVE-2019-12855-*.patch: upstream patches to implement
       certificate checking.
     - CVE-2019-12855
   * SECURITY UPDATE: HTTP/2 denial of service issues
     - debian/patches/CVE-2019-951x.patch: buffer outbound control frames
       and timeout invalid clients in src/twisted/web/_http2.py,
       src/twisted/web/error.py, src/twisted/web/http.py,
       src/twisted/web/test/test_http.py,
       src/twisted/web/test/test_http2.py.
     - CVE-2019-9511
     - CVE-2019-9514
     - CVE-2019-9515
   * SECURITY UPDATE: request smuggling attacks
     - debian/patches/CVE-2020-1010x-pre1.patch: refactor to reduce
       duplication in src/twisted/web/test/test_http.py.
     - debian/patches/CVE-2020-1010x.patch: fix several request smuggling
       attacks in src/twisted/web/http.py,
       src/twisted/web/test/test_http.py.
     - CVE-2020-10108
     - CVE-2020-10109
Checksums-Sha1:
 902738ba73337b55bd49a2c4d1afbebeffa573d7 3701 twisted_18.9.0-6ubuntu1.dsc
 dc981815665ecbe4b67f1aec273d65fdb41a7b95 41656 twisted_18.9.0-6ubuntu1.debian.tar.xz
 efcc0c4755f8718e8d50510d62f096a558765e31 8960 twisted_18.9.0-6ubuntu1_source.buildinfo
Checksums-Sha256:
 7c57f1fc80beffd496f3b7947527ab0c180f01f650031d575ad20a12b49957f4 3701 twisted_18.9.0-6ubuntu1.dsc
 0d3ae6c4aca8a82c1d0bddf7da38a5a007541679b9190f74e766421476cfc45b 41656 twisted_18.9.0-6ubuntu1.debian.tar.xz
 2ba0a7d064da721e4e1d5a6ca8b5272f2beb8783eb7704f382c3186f65f2cbcc 8960 twisted_18.9.0-6ubuntu1_source.buildinfo
Files:
 af58bbe4e186ca6f617aac6200331324 3701 python optional twisted_18.9.0-6ubuntu1.dsc
 302f089682704f1da7d1c2de3c826d71 41656 python optional twisted_18.9.0-6ubuntu1.debian.tar.xz
 2bb158f0ee2928a9a3d312d1da7058eb 8960 python optional twisted_18.9.0-6ubuntu1_source.buildinfo
Original-Maintainer: Debian Python Modules Team <python-modules-team at lists.alioth.debian.org>

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEUMSg3c8x5FLOsZtRZWnYVadEvpMFAl5vrJAACgkQZWnYVadE
vpOo3Q/+KIPE1LEcLgFCkgX3gqX1tCxtRMdoX7gJ+oZTVqDwmwEwtPQ4nzQOkId6
yP7Se7oc1NMAc/4fb5mmdtR1YOocqVIpd1YkFoWm9hNfOYnuEHdagMVo565LwJxa
MyVsZwGUmq9A0bsq/c42hGGMvYimKjayC0/xEBtynMTJ9jZm/n3P/Es35hbpCW5H
5WRIGGlKwWXsxwXoEQlYV6jodyHMYKL7dW+kK/vWRLboYHO36/C/UhV4TXupc3cs
QXmyFd3jk25lewFq5feArQ/lcdHZSdtdwm8BKvCf7QrdBTqo9eJaNbXcr6yOBn50
mlOaJMCyq7FAf9zromstMazqOiqvUH8t5yePnr0kfwqWkDVn4SkSNXBiBHIRmaoE
JcIPui2CMx1vb5jY5OkyR2uMhy3QwBN0dkigubiGrpVEkWPuC+gxsHoz7J7vDoQ2
yDKiGsMAg1f2WqgC3n+HzBnlHv3arlUJPoVq58dWKnqzYVoIcOoimSUQMOA1LP/+
x16yLsdE/+uH99ExHjm2LdQQykNYF4UItp/OtXW9P/hFHGIiG3a6ySWe/BuyNjE6
vrCxSoxnAhvLcvwrjDZE4J74+XsC8Bicj/qGQF5NM2B1Ix79MLH/oFcngIATpF3U
X1IzBdqTHYpauq/lrNgqKj72y9EFqCT8mzSBe7Mk3Q5vQ6YZFiw=
=RPx7
-----END PGP SIGNATURE-----

More information about the Focal-changes mailing list