Debian Security Advisory
DLA-2145-1 twisted -- LTS security update
- Date Reported: 17 Mar 2020
- Affected Packages:
- Security database references:
- In Mitre's CVE dictionary: CVE-2020-10108, CVE-2020-10109.
- More information:
It was discovered that there were a number of HTTP request splitting vulnerabilities in Twisted, a Python event-based framework for building various types of internet applications.
For more information, please see the upstream advisory.
In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with two content-length headers, it ignored the first header. When the second content-length value was set to zero, the request body was interpreted as a pipelined request.
In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with a content-length and a chunked encoding header, the content-length took precedence and the remainder of the request body was interpreted as a pipelined request.
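Both cases come down to a request head that gives more than one answer to where the body ends. The following is an added example, not Twisted's code or its fix: a strict framing check that refuses such requests instead of picking one header. The names `body_framing`, `AmbiguousFraming` and `is_rejected`, the reject-everything-ambiguous policy and the sample request heads are assumptions made for illustration.

```python
class AmbiguousFraming(ValueError):
    """The request head does not give exactly one way to find the body's end."""


def body_framing(head: bytes):
    """Return ("none", 0), ("length", n) or ("chunked", None) for a request head.

    `head` is the request line and header lines, without the final blank line.
    """
    lengths, encodings = [], []
    for line in head.split(b"\r\n")[1:]:  # [0] is the request line
        name, sep, value = line.partition(b":")
        # Reject lines without a colon and names padded with whitespace.
        if not sep or not name or name != name.strip():
            raise AmbiguousFraming("malformed header line")
        if name.lower() == b"content-length":
            lengths.append(value.strip(b" \t"))
        elif name.lower() == b"transfer-encoding":
            encodings.append(value.strip(b" \t").lower())
    # Second case in the advisory: Content-Length together with chunked encoding.
    if lengths and encodings:
        raise AmbiguousFraming("Content-Length and Transfer-Encoding both present")
    # First case in the advisory: more than one Content-Length header.
    if len(lengths) > 1:
        raise AmbiguousFraming("multiple Content-Length headers")
    if encodings:
        if encodings != [b"chunked"]:
            raise AmbiguousFraming("unsupported Transfer-Encoding")
        return ("chunked", None)
    if lengths:
        if not lengths[0].isdigit():  # ASCII digits only: no sign, no spaces
            raise AmbiguousFraming("invalid Content-Length value")
        return ("length", int(lengths[0]))
    return ("none", 0)


def is_rejected(head: bytes) -> bool:
    try:
        body_framing(head)
    except AmbiguousFraming:
        return True
    return False


# Constructed request heads (not from the advisory) for the two cases above.
BASE = b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5"
DUPLICATE_LENGTH = BASE + b"\r\nContent-Length: 0"
LENGTH_AND_CHUNKED = BASE + b"\r\nTransfer-Encoding: chunked"
```

A server or proxy applying this check would answer a rejected head with an error and close the connection, so no leftover bytes are parsed as a further request.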
For Debian 8 "Jessie", these problems have been fixed in version 14.0.2-3+deb8u1.
We recommend that you upgrade your twisted packages.
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS