Bug 30067

Summary: python-twisted new security issues CVE-2022-2171[26] and CVE-2022-24801
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, davidwhodgins, sysadmin-bugs, tarazed25, yvesbrungard
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: python-twisted-21.7.0-3.mga9.src.rpm CVE:
Status comment:

Description David Walser 2022-02-18 19:01:53 CET 
SUSE has issued an advisory today (February 18):
https://lists.suse.com/pipermail/sle-security-updates/2022-February/010263.html

The issue is fixed upstream in 22.1.0:
https://github.com/twisted/twisted/releases/tag/twisted-22.1.0
https://github.com/twisted/twisted/security/advisories/GHSA-92x2-jw7w-xvvx

Mageia 8 is also affected.
David Walser 2022-02-18 19:02:08 CET

Status comment: (none) => Fixed upstream in 22.1.0
Whiteboard: (none) => MGA8TOO

Comment 1 David Walser 2022-02-21 23:32:27 CET 
Debian-LTS has issued an advisory for this on February 19:
https://www.debian.org/lts/security/2022/dla-2927
Comment 2 David Walser 2022-02-21 23:43:33 CET 
openSUSE has issued an advisory for this on February 18:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/233XDDM6URC3DPBBAKQV2AZQY6TBXJRV/
Comment 3 David Walser 2022-03-09 17:40:10 CET 
Debian-LTS has issued an advisory on March 8:
https://www.debian.org/lts/security/2022/dla-2938

The issue is fixed upstream in 22.2.0:
https://github.com/twisted/twisted/releases/tag/twisted-22.2.0
https://github.com/twisted/twisted/security/advisories/GHSA-rv6r-3f5q-9rgx

Mageia 8 is not affected.

Status comment: Fixed upstream in 22.1.0 => Fixed upstream in 22.2.0
Summary: python-twisted new security issue CVE-2022-21712 => python-twisted new security issues CVE-2022-2171[26]

Comment 4 David Walser 2022-03-30 17:15:15 CEST 
Ubuntu has issued an advisory for this today (March 30):
https://ubuntu.com/security/notices/USN-5354-1
Comment 5 David Walser 2022-05-02 20:27:20 CEST 
openSUSE has issued an advisory on April 29:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/HJFVJUKPT7GYOWBWGQSIVM3OEHKOEVVJ/

The issue is fixed upstream in 22.4.0:
https://github.com/twisted/twisted/releases/tag/twisted-22.4.0
https://github.com/twisted/twisted/security/advisories/GHSA-c2jg-hw38-jrqq

Mageia 8 is also affected.

Summary: python-twisted new security issues CVE-2022-2171[26] => python-twisted new security issues CVE-2022-2171[26] and CVE-2022-24801
Status comment: Fixed upstream in 22.2.0 => Fixed upstream in 22.4.0

Comment 6 papoteur 2022-05-06 15:19:59 CEST 
Python-twisted is now packaged in 22.4.0

python3-twisted+tls-22.4.0-1.1.mga8
python3-twisted-22.4.0-1.1.mga8

This module is used in:
buildbot-master
buildbot-worker
deluge
kajongg
noethys
syncevolution

CC: (none) => yves.brungard_mageia
Assignee: python => qa-bugs

Thomas Backlund 2022-05-06 15:43:46 CEST

Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)

Comment 7 David Walser 2022-05-06 17:07:15 CEST 
Reminder again to remove subrel when upgrading and to clear the status comment when assigning to QA.

Status comment: Fixed upstream in 22.4.0 => (none)

Comment 8 David Walser 2022-05-06 17:34:25 CEST 
In fact, the subrel makes the release tag higher than Cauldron.  We could rebuild Cauldron, but it's better to remove this, remove the subrel, and do it right.  I've asked a sysadmin to remove it.

Keywords: (none) => feedback

Comment 9 papoteur 2022-05-07 08:03:33 CEST 
(In reply to David Walser from comment #8)
> In fact, the subrel makes the release tag higher than Cauldron.  We could
> rebuild Cauldron, but it's better to remove this, remove the subrel, and do
> it right.  I've asked a sysadmin to remove it.

Sorry for that. I misinterpreted what my mentor said.
Comment 10 David Walser 2022-05-07 23:45:05 CEST 
Repushed without subrel.

python-twisted-22.4.0-1.mga8.src.rpm

Keywords: feedback => (none)

Comment 11 Len Lawrence 2022-05-09 11:18:10 CEST 
mga8, x64

A difficult one to test.  No familiarity with any of the used-by packages listed but they launched OK, before updates.

Obtained RPMs via qarepo.
Tried to install them:
Sorry, the following packages cannot be selected:

- python3-twisted+tls-22.4.0-1.mga8.x86_64
- python3-twisted-22.4.0-1.mga8.x86_64 (due to unsatisfied python3.8dist(automat)[>= 0.8])

CC: (none) => tarazed25

David Walser 2022-05-09 12:11:31 CEST

Keywords: (none) => feedback

Comment 12 papoteur 2022-05-09 20:58:20 CEST 
There is a new release for python3-automat in 21.2.0.
However, there is still a problem with python3-incremental version.
I will come back later.

Assignee: qa-bugs => yves.brungard_mageia

Comment 13 papoteur 2022-05-10 17:52:54 CEST 
The installation is now possible with
python3-incremental-21.3.0-1.mga8.noarch
python3-automat-0.8.0-1.mga8.noarch
python3-twisted-22.4.0-1.mga8
python3-twisted+tls-22.4.0-1.mga8

Assignee: yves.brungard_mageia => qa-bugs

Comment 14 Len Lawrence 2022-05-10 21:24:46 CEST 
Installation and updates went well.
deluge and noethys launch their guis but there is nothing that can be done with them here.
Played kajongg for a while without much understanding of the rules.  It cycled round the players smoothly enough.
This looks good to go.

Keywords: feedback => (none)
Whiteboard: (none) => MGA8-64-OK

Comment 15 Len Lawrence 2022-05-10 21:26:39 CEST 
Thanks papoteur for the quick response.
Comment 16 papoteur 2022-05-11 07:33:16 CEST 
Advisory
===================
This update is for fixing:
CVE-2022-2171[26]
CVE-2022-24801
GHSA-rv6r-3f5q-9rgx
The Twisted SSH client and server implementation naively accepted an infinite amount of data for the peer's SSH version identifier.
GHSA-c2jg-hw38-jrqq 
The Twisted Web HTTP 1.1 server, located in the twisted.web.http module, parsed several HTTP request constructs more leniently than permitted by RFC 7230
Comment 17 papoteur 2022-05-11 07:49:45 CEST 
Advisory
===================
This update is for fixing:
CVE-2022-21712: It was discovered that Twisted incorrectly filtered HTTP headers when clients are being redirected to another origin. A remote attacker could use this issue to obtain sensitive information.
CVE-2022-21716: It was discovered that Twisted incorrectly processed SSH handshake data on connection establishments. A remote attacker could use this issue to cause Twisted to crash, resulting in a denial of service.

GHSA-rv6r-3f5q-9rgx
The Twisted SSH client and server implementation naively accepted an infinite amount of data for the peer's SSH version identifier.

GHSA-c2jg-hw38-jrqq and CVE-2022-24801
The Twisted Web HTTP 1.1 server, located in the twisted.web.http module, parsed several HTTP request constructs more leniently than permitted by RFC 7230

GHSA-92x2-jw7w-xvvx: twisted.web.client.getPage, twisted.web.client.downladPage, and the associated implementation classes (HTTPPageGetter, HTTPPageDownloader, HTTPClientFactory, HTTPDownloader) have been removed because they do not segregate cookies by domain. They were deprecated in Twisted 16.7.0 in favor of twisted.web.client.Agent.
=====================
Comment 18 Thomas Andrews 2022-05-11 13:59:13 CEST 
Validating. Advisory in Comment 17.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2022-05-11 23:17:01 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 19 Mageia Robot 2022-05-12 12:25:55 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0168.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED