MGASA-2022-0168
- Source
- https://advisories.mageia.org/MGASA-2022-0168.html
- Import Source
- https://advisories.mageia.org/MGASA-2022-0168.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/MGASA-2022-0168
- Related
- Published
- 2022-05-12T10:24:45Z
- Modified
- 2022-05-12T14:02:24Z
- Summary
- Updated python-twisted packages fix security vulnerability
- Details
-
CVE-2022-21712: It was discovered that Twisted incorrectly filtered HTTP headers when clients are being redirected to another origin. A remote attacker could use this issue to obtain sensitive information. CVE-2022-21716: It was discovered that Twisted incorrectly processed SSH handshake data on connection establishments. A remote attacker could use this issue to cause Twisted to crash, resulting in a denial of service.
GHSA-rv6r-3f5q-9rgx The Twisted SSH client and server implementation naively accepted an infinite amount of data for the peer's SSH version identifier.
GHSA-c2jg-hw38-jrqq and CVE-2022-24801 The Twisted Web HTTP 1.1 server, located in the twisted.web.http module, parsed several HTTP request constructs more leniently than permitted by RFC 7230
GHSA-92x2-jw7w-xvvx: twisted.web.client.getPage, twisted.web.client.downladPage, and the associated implementation classes (HTTPPageGetter, HTTPPageDownloader, HTTPClientFactory, HTTPDownloader) have been removed because they do not segregate cookies by domain. They were deprecated in Twisted 16.7.0 in favor of twisted.web.client.Agent.
- References
-
- https://advisories.mageia.org/MGASA-2022-0168.html
- https://bugs.mageia.org/show_bug.cgi?id=30067
- https://lists.suse.com/pipermail/sle-security-updates/2022-February/010263.html
- https://www.debian.org/lts/security/2022/dla-2927
- https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/233XDDM6URC3DPBBAKQV2AZQY6TBXJRV/
- https://www.debian.org/lts/security/2022/dla-2938
- https://ubuntu.com/security/notices/USN-5354-1
- https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/HJFVJUKPT7GYOWBWGQSIVM3OEHKOEVVJ/
- Credits
-
-
- Mageia - COORDINATOR
-
Affected packages
Mageia:8 / python-automat
Package
- Name
- python-automat
- Purl
- pkg:rpm/mageia/python-automat?distro=mageia-8
Mageia:8 / python-incremental
Package
- Name
- python-incremental
- Purl
- pkg:rpm/mageia/python-incremental?distro=mageia-8
Mageia:8 / python-twisted
Package
- Name
- python-twisted
- Purl
- pkg:rpm/mageia/python-twisted?distro=mageia-8