Debian Long Term Support / LTS Security Information / 2022 / Security Information -- DLA-2927-1 twisted

Debian Security Advisory

DLA-2927-1 twisted -- LTS security update

Date Reported:

19 Feb 2022

Affected Packages:

twisted

Vulnerable:

Yes

Security database references:

In the Debian bugtracking system: Bug 953950.
In Mitre's CVE dictionary: CVE-2020-10108, CVE-2020-10109, CVE-2022-21712.

More information:

It was discovered that Twisted, a Python event-based framework for internet applications, is affected by HTTP request splitting vulnerabilities, and may expose sensitive data when following redirects. An attacker may bypass validation checks and retrieve credentials.

• CVE-2020-10108

  HTTP request splitting vulnerability. When presented with two content-length headers, it ignored the first header. When the second content-length value was set to zero, the request body was interpreted as a pipelined request.

• CVE-2020-10109

  HTTP request splitting vulnerability. When presented with a content-length and a chunked encoding header, the content-length took precedence and the remainder of the request body was interpreted as a pipelined request.

• CVE-2022-21712

  Twisted exposes cookies and authorization headers when following cross-origin redirects. This issue is present in the `twisted.web.RedirectAgent` and `twisted.web.BrowserLikeRedirectAgent` functions.

For Debian 9 stretch, these problems have been fixed in version 16.6.0-2+deb9u1.

We recommend that you upgrade your twisted packages.

For the detailed security status of twisted please refer to its security tracker page at: https://security-tracker.debian.org/tracker/twisted

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS