Package "python-twisted-news"

| Name: | python-twisted-news |
| Description: | twisted dummy package for NNTP protocol implementation |
| Latest version: | 17.9.0-2ubuntu0.3 |
| Release: | bionic (18.04) |
| Level: | updates |
| Repository: | universe |
| Head package: | twisted |
| Homepage: | https://twistedmatrix.com/ |
Changelog
twisted (17.9.0-2ubuntu0.3) bionic-security; urgency=medium

  * SECURITY UPDATE: Information disclosure results in leaking of HTTP cookie
    and authorization headers when following cross origin redirects
    - debian/patches/CVE-2022-21712-*.patch: Ensure sensitive HTTP headers are
      removed when forming requests, in src/twisted/web/client.py,
      src/twisted/web/test/test_agent.py and src/twisted/web/iweb.py.
    - CVE-2022-21712
  * SECURITY UPDATE: Parsing of SSH version identifier field during an SSH
    handshake can result in a denial of service when excessively large packets
    are received
    - debian/patches/CVE-2022-21716-*.patch: Ensure that length of received
      handshake buffer is checked, prior to processing version string in
      src/twisted/conch/ssh/transport.py and
      src/twisted/conch/test/test_transport.py
    - CVE-2022-21716

 -- Ray Veldkamp <email address hidden>  Tue, 22 Mar 2022 22:03:56 +1100
| CVE-2022-21712 | twisted is an event-driven networking engine written in Python. In affected versions twisted exposes cookies and authorization headers when following |
| CVE-2022-21716 | Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to 22.2.0, Twisted SSH client and server implement is ab |
twisted (17.9.0-2ubuntu0.1) bionic-security; urgency=medium

  * SECURITY UPDATE: incorrect URI and HTTP method validation
    - debian/patches/CVE-2019-12387.patch: prevent CRLF injections in
      src/twisted/web/_newclient.py, src/twisted/web/client.py,
      src/twisted/web/test/injectionhelpers.py,
      src/twisted/web/test/test_agent.py,
      src/twisted/web/test/test_webclient.py.
    - CVE-2019-12387
  * SECURITY UPDATE: incorrect cert validation in XMPP support
    - debian/patches/CVE-2019-12855-*.patch: upstream patches to implement
      certificate checking.
    - CVE-2019-12855
  * SECURITY UPDATE: HTTP/2 denial of service issues
    - debian/patches/CVE-2019-951x.patch: buffer outbound control frames
      and timeout invalid clients in src/twisted/web/_http2.py,
      src/twisted/web/error.py, src/twisted/web/http.py,
      src/twisted/web/test/test_http.py,
      src/twisted/web/test/test_http2.py.
    - CVE-2019-9512
    - CVE-2019-9514
    - CVE-2019-9515
  * SECURITY UPDATE: request smuggling attacks
    - debian/patches/CVE-2020-1010x-pre1.patch: refactor to reduce
      duplication in src/twisted/web/test/test_http.py.
    - debian/patches/CVE-2020-1010x.patch: fix several request smuggling
      attacks in src/twisted/web/http.py,
      src/twisted/web/test/test_http.py.
    - CVE-2020-10108
    - CVE-2020-10109

 -- Marc Deslauriers <email address hidden>  Mon, 16 Mar 2020 13:24:46 -0400
| CVE-2019-12387 | In Twisted before 19.2.1, twisted.web did not validate or sanitize URIs or HTTP methods, allowing an attacker to inject invalid characters such as CR |
| CVE-2019-12855 | In words.protocols.jabber.xmlstream in Twisted through 19.2.1, XMPP support did not verify certificates when used with TLS, allowing an attacker to M |
| CVE-2019-9512 | Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an HTTP/ |
| CVE-2019-9514 | Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and s |
| CVE-2019-9515 | Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS f |
| CVE-2020-1010 | RESERVED |
| CVE-2020-10108 | In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with two content-length headers, it ignored the fir |
| CVE-2020-10109 | In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with a content-length and a chunked encoding header |