Bug 26355

Summary: python-twisted new security issues CVE-2020-10108 and CVE-2020-10109
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: herman.viaene, makowski.mageia, ouaurelien, sysadmin-bugs
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: python-twisted-19.2.1-1.1.mga7.src.rpm CVE:
Status comment: Patches available from Fedora

Description David Walser 2020-03-18 13:41:35 CET 
Debian-LTS has issued an advisory on March 17:
https://www.debian.org/lts/security/2020/dla-2145

The issues are fixed upstream in 20.3.0rc1:
https://know.bishopfox.com/advisories/twisted-version-19.10.0

Mageia 7 is also affected.
David Walser 2020-03-18 13:41:59 CET

Whiteboard: (none) => MGA7TOO
Status comment: (none) => Fixed upstream in 20.3.0rc1

Comment 1 David Walser 2020-03-20 19:44:36 CET 
Ubuntu has issued an advisory for this on March 19:
https://usn.ubuntu.com/4308-1/
Comment 2 David Walser 2020-04-01 00:03:47 CEST 
Fedora has issued an advisory for this on March 25:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/YW3NIL7VXSGJND2Q4BSXM3CFTAFU6T7D/

Status comment: Fixed upstream in 20.3.0rc1 => Patches available from Fedora

Comment 3 David Walser 2020-04-23 20:25:18 CEST 
RedHat has issued an advisory for this today (April 23):
https://access.redhat.com/errata/RHSA-2020:1561
Comment 4 Philippe Makowski 2020-11-14 13:46:22 CET 
Cauldron have 20.3.0 :  not affected

Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7
CC: (none) => makowski.mageia

Comment 5 Philippe Makowski 2020-11-14 14:17:36 CET 
security fix for CVE-2020-10108 and CVE-2020-10109


in 7/core/updates_testing
python2-twisted-19.2.1-1.2.mga7.x86_64.rpm
python3-twisted-19.2.1-1.2.mga7.x86_64.rpm
python-twisted-debugsource-19.2.1-1.2.mga7.x86_64.rpm
python-twisted-debuginfo-19.2.1-1.2.mga7.x86_64.rpm
python2-twisted-debuginfo-19.2.1-1.2.mga7.x86_64.rpm
python3-twisted-debuginfo-19.2.1-1.2.mga7.x86_64.rpm

python2-twisted-19.2.1-1.2.mga7.i586.rpm
python3-twisted-19.2.1-1.2.mga7.i586.rpm
python-twisted-debugsource-19.2.1-1.2.mga7.i586.rpm
python-twisted-debuginfo-19.2.1-1.2.mga7.i586.rpm
python2-twisted-debuginfo-19.2.1-1.2.mga7.i586.rpm
python3-twisted-debuginfo-19.2.1-1.2.mga7.i586.rpm

From python-twisted-19.2.1-1.2.mga7.src.rpm

Assignee: jani.valimaa => qa-bugs

Comment 6 David Walser 2020-11-14 16:40:06 CET 
Advisory:
========================

Updated python-twisted packages fix security vulnerabilities:

Jake Miller and ZeddYu Lu discovered that Twisted incorrectly handled certain
content-length headers. A remote attacker could possibly use this issue to
perform HTTP request splitting attacks (CVE-2020-10108, CVE-2020-10109).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10108
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10109
https://ubuntu.com/security/notices/USN-4308-1

Source RPM: python-twisted-19.10.0-2.mga8.src.rpm => python-twisted-19.2.1-1.1.mga7.src.rpm

Comment 7 Herman Viaene 2020-11-19 14:47:58 CET 
MGA7-64 MATE on Peaq C1011
No installation issues.
Repeated tests and traces from previous bug 25752: kajong, tofu and taskcoach, with same results.
Good to go.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA7-64-OK

Comment 8 Aurelien Oudelet 2020-11-19 22:45:41 CET 
Validating.
Advisory pushed to SVN.

CC: (none) => ouaurelien

Aurelien Oudelet 2020-11-19 22:45:57 CET

Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs

Comment 9 Mageia Robot 2020-11-21 13:22:17 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0428.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED