| Summary: | python-twisted new security issues CVE-2019-12387 and CVE-2019-12855 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | herman.viaene, jani.valimaa, qa-bugs, sysadmin-bugs, tmb |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7-64-OK | ||
| Source RPM: | python-twisted-19.2.0-1.mga7.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2019-11-26 16:29:08 CET
Updated package uploaded by Jani.

Advisory:
========================

Updated python-twisted packages fix security vulnerability:

Improper sanitization of URIs or HTTP which could allow attackers to perform CRLF attacks (CVE-2019-12387).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12387
https://lists.opensuse.org/opensuse-updates/2019-07/msg00089.html
========================

Updated packages in core/updates_testing:
========================

python2-twisted-19.2.1-1.mga7
python3-twisted-19.2.1-1.mga7

from python-twisted-19.2.1-1.mga7.src.rpm

Assignee: jani.valimaa => qa-bugs

openSUSE has issued an advisory on September 5:
https://lists.opensuse.org/opensuse-updates/2019-09/msg00028.html

It looks like this new issue will need an additional patch.

Keywords: (none) => feedback
David Walser
2019-11-27 19:07:03 CET
Keywords: feedback => (none)

Advisory:
========================

Updated python-twisted packages fix security vulnerability:

Improper sanitization of URIs or HTTP which could allow attackers to perform CRLF attacks (CVE-2019-12387).

In words.protocols.jabber.xmlstream in Twisted through 19.2.1, XMPP support did not verify certificates when used with TLS, allowing an attacker to MITM connections (CVE-2019-12855).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12387
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12855
https://lists.opensuse.org/opensuse-updates/2019-07/msg00089.html
https://lists.opensuse.org/opensuse-updates/2019-09/msg00028.html
========================

Updated packages in core/updates_testing:
========================

python2-twisted-19.2.1-1.1.mga7
python3-twisted-19.2.1-1.1.mga7

from python-twisted-19.2.1-1.1.mga7.src.rpm

CC: (none) => jani.valimaa

MGA7-64 Plasma on Lenovo B50
No installation issues.
At CLI:
# urpmq --whatrequires python3-twisted
kajongg
python3-prometheus-client
python3-twisted
took the easy one, installed kajongg and
$ strace -o pthtwusted.txt kajongg
shows a lot of references like
openat(AT_FDCWD, "/usr/lib64/python3.7/site-packages/twisted/__pycache__/__init__.cpython-37.pyc", O_RDONLY|O_CLOEXEC) = 10
and
stat("/usr/lib64/python3.7/site-packages/twisted", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
Looking further for a python2-twisted testcase.

CC: (none) => herman.viaene

# urpmq --whatrequires python2-twisted
avahi-python
balazarbrothers
buildbot-master
buildbot-slave
deluge
noethys
python-axiom
python-epsilon
python-foolscap
python-moksha-hub
python-storm-twisted
python-txws
python-txzmq
python2-twisted
sslstrip
supybot-Dcc
supybot-ExternalNotice
supybot-Gateway
supybot-Sshd
supybot-Webserver
syncevolution
taskcoach
tofu

Picked first tofu, had to install python2-cerealizer and could then run
$ strace -o pthtwusted2.txt python2 /usr/share/doc/tofu/run_demo.py --client localhost
* Tofu *
IDLER created !
that opened an otherwise empty tofu window, but the trace shows calls to python2-twisted

Tried taskcoach
$ strace -o pthtwustedtaskcoach.txt taskcoach
I could create a new task, and play around in the gui-interface, trace again shows calls to python2-twisted

OK for me unless someone needs more tests.

Whiteboard: (none) => MGA7-64-OK
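The advisory in this bug describes CVE-2019-12387 as improper sanitization of URIs or HTTP headers that lets an attacker perform CRLF attacks. The following is an added example, not code from Twisted, from Mageia, or from this bug report: it shows the vulnerable pattern (splicing an unchecked URI into an HTTP/1.1 request) next to a hardened builder that rejects any component containing CR or LF, and a small parser that shows what a server would see in each case. All sample values (the URI, the `Host` header, the `X-Forged` name) are constructed for the example.

```python
"""Defensive check for the CRLF injection class behind CVE-2019-12387.

Added example; it is not code from Twisted or from this bug report.  An
HTTP/1.1 request head is a sequence of lines separated by CR LF.  If a
URI or header value taken from untrusted input is spliced into the
request without checking, a CR or LF inside it terminates the current
line and whatever follows is sent as additional header lines.  The fix
pattern is to reject such values before they reach the wire.
"""
from __future__ import annotations

import re
from typing import Iterable, List, Tuple

Headers = Iterable[Tuple[bytes, bytes]]

# A bare CR or LF anywhere in a request component is never legitimate.
_CRLF = re.compile(rb"[\r\n]")


class HeaderInjectionError(ValueError):
    """Raised when a method, URI or header component contains CR or LF."""


def check_no_crlf(value: bytes, what: str) -> bytes:
    """Return value unchanged if it is free of CR/LF, otherwise raise."""
    if _CRLF.search(value):
        raise HeaderInjectionError(f"{what} contains CR or LF: {value!r}")
    return value


def build_request_unchecked(method: bytes, uri: bytes, headers: Headers) -> bytes:
    """Naive builder: splices components straight into the request.

    This is the vulnerable pattern, kept only to show its effect."""
    lines = [b"%s %s HTTP/1.1" % (method, uri)]
    lines += [b"%s: %s" % (name, value) for name, value in headers]
    return b"\r\n".join(lines) + b"\r\n\r\n"


def build_request(method: bytes, uri: bytes, headers: Headers) -> bytes:
    """Hardened builder: refuses any component that could split a line."""
    check_no_crlf(method, "method")
    check_no_crlf(uri, "URI")
    lines = [b"%s %s HTTP/1.1" % (method, uri)]
    for name, value in headers:
        check_no_crlf(name, "header name")
        check_no_crlf(value, "header value")
        lines.append(b"%s: %s" % (name, value))
    return b"\r\n".join(lines) + b"\r\n\r\n"


def header_lines(raw: bytes) -> List[bytes]:
    """Split a serialized request head into lines, as a server would parse them."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    return head.split(b"\r\n")


def is_safe_request(method: bytes, uri: bytes, headers: Headers) -> bool:
    """True if the hardened builder accepts the components, False if it rejects them."""
    try:
        build_request(method, uri, headers)
    except HeaderInjectionError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample values, not taken from the bug report.
    clean_uri = b"/index.html"
    # A URI carrying an embedded CR LF followed by a forged header line.
    tainted_uri = b"/index.html\r\nX-Forged: 1"
    hdrs = [(b"Host", b"example.invalid")]

    unchecked = header_lines(build_request_unchecked(b"GET", tainted_uri, hdrs))
    print("unchecked builder emitted", len(unchecked), "lines:", unchecked)
    print("hardened builder accepts clean URI:", is_safe_request(b"GET", clean_uri, hdrs))
    print("hardened builder accepts tainted URI:", is_safe_request(b"GET", tainted_uri, hdrs))
```

Running the script shows the unchecked builder turning one tainted URI into three header lines (the forged `X-Forged` line included), while the hardened builder raises before anything is serialized. The same check belongs on header names and values, which is why `build_request` validates every component rather than only the URI.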
Thomas Backlund
2019-12-06 14:36:02 CET
Keywords: (none) => advisory, validated_update

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0360.html

Resolution: (none) => FIXED