OESA-2023-1908

See a problem?
Please try reporting it to the source first.
Source
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2023-1908
Import Source
https://repo.openeuler.org/security/data/osv/OESA-2023-1908.json
JSON Data
https://api.test.osv.dev/v1/vulns/OESA-2023-1908
Upstream
Published
2023-12-15T11:06:27Z
Modified
2025-08-12T05:12:23.071852Z
Summary
python-twisted security update
Details

Twisted is an event-based framework for internet applications, supporting Python 2.7 and Python 3.5+. It includes modules for many different purposes, including the following:

Security Fix(es):

twisted is an event-driven networking engine written in Python. In affected versions twisted exposes cookies and authorization headers when following cross-origin redirects. This issue is present in the twited.web.RedirectAgent and twisted.web. BrowserLikeRedirectAgent functions. Users are advised to upgrade. There are no known workarounds.(CVE-2022-21712)

Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to 22.2.0, Twisted SSH client and server implement is able to accept an infinite amount of data for the peer's SSH version identifier. This ends up with a buffer using all the available memory. The attach is a simple as nc -rv localhost 22 < /dev/zero. A patch is available in version 22.2.0. There are currently no known workarounds.(CVE-2022-21716)

Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to version 22.4.0rc1, the Twisted Web HTTP 1.1 server, located in the twisted.web.http module, parsed several HTTP request constructs more leniently than permitted by RFC 7230. This non-conformant parsing can lead to desync if requests pass through multiple HTTP parsers, potentially resulting in HTTP request smuggling. Users who may be affected use Twisted Web's HTTP 1.1 server and/or proxy and also pass requests through a different HTTP server and/or proxy. The Twisted Web client is not affected. The HTTP 2.0 server uses a different parser, so it is not affected. The issue has been addressed in Twisted 22.4.0rc1. Two workarounds are available: Ensure any vulnerabilities in upstream proxies have been addressed, such as by upgrading them; or filter malformed requests by other means, such as configuration of an upstream proxy.(CVE-2022-24801)

Twisted is an event-based framework for internet applications. Started with version 0.9.4, when the host header does not match a configured host twisted.web.vhost.NameVirtualHost will return a NoResource resource which renders the Host header unescaped into the 404 response allowing HTML and script injection. In practice this should be very difficult to exploit as being able to modify the Host header of a normal HTTP request implies that one is already in a privileged position. This issue was fixed in version 22.10.0rc1. There are no known workarounds.(CVE-2022-39348)

Database specific 
{
    "severity": "High"
}
References

Affected packages

openEuler:20.03-LTS-SP3 / python-twisted

Package

Name
python-twisted
Purl
pkg:rpm/openEuler/python-twisted&distro=openEuler-20.03-LTS-SP3

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
22.4.0-1.oe1

Ecosystem specific 

{
    "x86_64": [
        "python3-twisted-22.4.0-1.oe1.x86_64.rpm"
    ],
    "noarch": [
        "python-twisted-help-22.4.0-1.oe1.noarch.rpm"
    ],
    "aarch64": [
        "python3-twisted-22.4.0-1.oe1.aarch64.rpm"
    ],
    "src": [
        "python-twisted-22.4.0-1.oe1.src.rpm"
    ]
}