Debian Security Advisory
DLA-2927-1 twisted -- LTS security update
- Date Reported:
- 19 Feb 2022
- Affected Packages:
- twisted
- Security database references:
- In the Debian bugtracking system: Bug 953950.
- In Mitre's CVE dictionary: CVE-2020-10108, CVE-2020-10109, CVE-2022-21712.
- More information:
It was discovered that Twisted, a Python event-based framework for internet applications, is affected by HTTP request splitting vulnerabilities, and may expose sensitive data when following redirects. An attacker may bypass validation checks and retrieve credentials.
CVE-2020-10108: HTTP request splitting vulnerability. When presented with two content-length headers, Twisted ignored the first header. When the second content-length value was set to zero, the request body was interpreted as a pipelined request.
CVE-2020-10109: HTTP request splitting vulnerability. When presented with a content-length header and a chunked transfer-encoding header, the content-length took precedence and the remainder of the request body was interpreted as a pipelined request.
CVE-2022-21712: Twisted exposes cookies and authorization headers when following cross-origin redirects. This issue is present in the `twisted.web.RedirectAgent` and `twisted.web.BrowserLikeRedirectAgent` functions.
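An added example, not Twisted's own code: a header check that rejects the two ambiguous body framings described above for the request-splitting issues (following RFC 7230 section 3.3.3, which is stricter than the pre-fix behaviour), plus the Cookie/Authorization stripping on cross-origin redirects that the redirect fix calls for. The sample requests, host names and function names are constructed for this illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def check_request_framing(raw: bytes):
    """Inspect the header block of a raw HTTP/1.1 request and reject the two
    ambiguous framings from this advisory (RFC 7230 section 3.3.3).
    Returns (accepted, reason)."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    content_lengths, has_transfer_encoding = [], False
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(b":")
        name, value = name.strip().lower(), value.strip()
        if name == b"content-length":
            content_lengths.append(value)
        elif name == b"transfer-encoding":
            has_transfer_encoding = True
    if content_lengths and has_transfer_encoding:
        # Content-Length alongside Transfer-Encoding (second issue above)
        return False, "Content-Length and Transfer-Encoding both present"
    if len(set(content_lengths)) > 1:
        # Differing Content-Length values (first issue above)
        return False, "conflicting Content-Length values"
    if content_lengths and not content_lengths[0].isdigit():
        return False, "non-numeric Content-Length"
    return True, "ok"


def strip_credentials_on_cross_origin(headers: dict, from_url: str, to_url: str) -> dict:
    """Drop Cookie and Authorization before following a redirect that leaves
    the origin (scheme, host, port) of the original request."""
    def origin(url):
        u = urlsplit(url)
        return (u.scheme.lower(), (u.hostname or "").lower(),
                u.port or DEFAULT_PORTS.get(u.scheme.lower()))
    if origin(from_url) == origin(to_url):
        return dict(headers)
    return {k: v for k, v in headers.items()
            if k.lower() not in ("cookie", "authorization")}


# Constructed sample requests matching the advisory's descriptions (headers only).
DUPLICATE_CL = (b"POST /a HTTP/1.1\r\nHost: example.test\r\n"
                b"Content-Length: 5\r\nContent-Length: 0\r\n\r\n")
CL_AND_TE = (b"POST /a HTTP/1.1\r\nHost: example.test\r\n"
             b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n")
CLEAN = b"POST /a HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\n"
```

Identical repeated Content-Length values are accepted, as RFC 7230 permits; only differing values or a Content-Length next to Transfer-Encoding are rejected.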
For Debian 9 stretch, these problems have been fixed in version 16.6.0-2+deb9u1.
We recommend that you upgrade your twisted packages.
For the detailed security status of twisted please refer to its security tracker page at: https://security-tracker.debian.org/tracker/twisted
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS