| Summary: | python-twisted-web new security issue CVE-2016-1000111 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | | |
| Priority: | Normal | CC: | jim, mageia, makowski.mageia, sysadmin-bugs |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://lwn.net/Vulnerabilities/702312/ | | |
| Whiteboard: | has_procedure mga5-64-ok MGA5-32-OK advisory | | |
| Source RPM: | python-twisted-web-14.0.1-3.mga5.src.rpm | CVE: | |
| Status comment: | | | |

Description

David Walser, 2016-09-30 21:49:25 CEST

David Walser, 2016-09-30 21:49:53 CEST
Whiteboard: (none) => MGA5TOO

As far as I know, Cauldron has a fix for that, see: https://github.com/twisted/twisted/blob/twisted-16.3.2/NEWS

    Twisted Web 16.3.1 (2016-08-15)
    ===============================

    Bugfixes
    --------

    - A bug in twisted.web.server.Site.makeSession which may lead to predictable session IDs was fixed. Session IDs are now generated securely using `os.urandom`. (#3460)
    - twisted.web.server.Request.getSession will now, for a request sent over HTTPS, set a "Secure" cookie, preventing the secure session from being sent over plain-text HTTP. (#3461)
    - Twisted's HTTP/2 support no longer throws priority exceptions when WINDOW_UPDATE frames are received after a response has been completed. (#8558)
    - twisted.web.twcgi.CGIScript will now not pass the "Proxy" header to CGI scripts, as a mitigation to CVE-2016-1000111. (#8623)
David Walser, 2016-10-01 14:12:37 CEST
Version: Cauldron => 5

Update packages in 5/core/updates_testing:

    python-twisted-web-14.0.1-3.1.mga5.x86_64
    python-twisted-web-14.0.1-3.1.mga5.i586

from python-twisted-web-14.0.1-3.1.mga5.src

Suggested advisory:

Security Fix(es):

* It was discovered that python-twisted-web used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-1000111)

ref:
https://rhn.redhat.com/errata/RHSA-2016-1978.html
https://github.com/twisted/twisted/blob/twisted-16.3.2/NEWS

Assignee: makowski.mageia => qa-bugs

You can use this simple example: http://twistedmatrix.com/documents/current/_downloads/reverse-proxy.py
It doesn't test the CVE, but as the patch is really simple, and is included in the upstream test suite, I don't think you need more tests than simply installing, updating and seeing that the simple example is working.

CC: (none) => makowski.mageia

Test OK for me on x86_64.

Whiteboard: (none) => has_procedure MGA5-64-OK
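The flaw described in the suggested advisory, as an added example that is not Twisted's code nor anything attached to this bug: a minimal model of the CGI header-to-environment mapping, the pre-fix and fixed variants of it, a stand-in for the affected client-side proxy lookup, and a start-up check a CGI script can run on its own environment. All function names and the header value `attacker.test:3128` are constructed for the example.

```python
from typing import Dict, Mapping, Optional

# Added example (not Twisted's or Mageia's code): how a CGI gateway maps
# request headers to HTTP_* environment variables, why a client-supplied
# "Proxy" header ends up as HTTP_PROXY (CVE-2016-1000111, "httpoxy"),
# and the mitigation the advisory describes: never forward that header.


def header_to_env_name(name: str) -> str:
    """RFC 3875 meta-variable naming: 'Content-Type' -> 'HTTP_CONTENT_TYPE'."""
    return "HTTP_" + name.strip().upper().replace("-", "_")


def cgi_environ_vulnerable(method: str, headers: Mapping[str, str]) -> Dict[str, str]:
    """Pre-fix behaviour: every request header is exported, so a request
    carrying 'Proxy: attacker.test:3128' yields HTTP_PROXY in the script's env."""
    environ = {"REQUEST_METHOD": method}
    environ.update({header_to_env_name(k): v for k, v in headers.items()})
    return environ


def cgi_environ_fixed(method: str, headers: Mapping[str, str]) -> Dict[str, str]:
    """Mitigated behaviour: the 'Proxy' header (in any letter case, since
    header names are case-insensitive) is dropped before the env is built."""
    environ = {"REQUEST_METHOD": method}
    environ.update({header_to_env_name(k): v for k, v in headers.items()
                    if k.strip().lower() != "proxy"})
    return environ


def proxy_used_by_naive_client(environ: Mapping[str, str]) -> Optional[str]:
    """Stand-in for the affected client libraries named in the advisory: they
    look up the outgoing proxy case-insensitively, so the gateway-set
    HTTP_PROXY is mistaken for the administrator's http_proxy setting."""
    for key, value in environ.items():
        if key.lower() == "http_proxy":
            return value
    return None


def audit_environ(environ: Mapping[str, str]) -> bool:
    """Defender-side check a CGI script can run on os.environ at start-up:
    in a CGI context (REQUEST_METHOD is set) an HTTP_PROXY value can only
    have come from a request header, so its presence means the gateway is
    unpatched. Client libraries adopted the same test as their own mitigation."""
    return "REQUEST_METHOD" in environ and proxy_used_by_naive_client(environ) is not None


if __name__ == "__main__":
    request = {"Host": "example.test", "Proxy": "attacker.test:3128"}  # constructed
    print(proxy_used_by_naive_client(cgi_environ_vulnerable("GET", request)))  # attacker.test:3128
    print(proxy_used_by_naive_client(cgi_environ_fixed("GET", request)))       # None
```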
Nicolas Lécureuil, 2016-10-12 11:14:55 CEST
Whiteboard: has_procedure MGA5-64-OK => has_procedure MGA5-64-OK advisory

On mga5-32:

```
# urpmi --searchmedia "Core Updates Testing" python-twisted-web
To satisfy dependencies, the following packages are going to be installed:
Package                 Version   Release   Arch
(medium "Core Release (LAN1)")
python-twisted-core     14.0.0    4.mga5    i586
python-zope-interface   4.1.1     4.mga5    i586
(medium "Core Updates Testing (LAN5)")
python-twisted-web      14.0.1    3.1.mga5  i586
Packages installed cleanly.
```

Created the file reverse-proxy.py containing the text:

```python
from twisted.internet import reactor
from twisted.web import proxy, server

# Reverse-proxy www.yahoo.com:80 on local port 8080
site = server.Site(proxy.ReverseProxyResource('www.yahoo.com', 80, ''))
reactor.listenTCP(8080, site)
reactor.run()
```

Executed:

```
$ python reverse-proxy.py
```

Then opened http://localhost:8080/ in a browser. The Yahoo home page was displayed.

OK on mga5-32

CC: (none) => jim
Nicolas Lécureuil, 2016-10-12 11:55:14 CEST
Whiteboard: has_procedure mga5-64-ok MGA5-32-OK => has_procedure mga5-64-ok MGA5-32-OK advisory

This update is now validated. The packages can be pushed to updates.

Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2016-0340.html

Status: NEW => RESOLVED