RedHat has issued an advisory on September 29: https://rhn.redhat.com/errata/RHSA-2016-1978.html This is another "httpoxy" issue. Mageia 5 is also affected.
Whiteboard: (none) => MGA5TOO
Severity: normal => critical
As far as I know, Cauldron has a fix for that, see: https://github.com/twisted/twisted/blob/twisted-16.3.2/NEWS

Twisted Web 16.3.1 (2016-08-15)
===============================

Bugfixes
--------
- A bug in twisted.web.server.Site.makeSession which may lead to predictable session IDs was fixed. Session IDs are now generated securely using `os.urandom`. (#3460)
- twisted.web.server.Request.getSession will now, for a request sent over HTTPS, set a "Secure" cookie, preventing the secure session from being sent over plain-text HTTP. (#3461)
- Twisted's HTTP/2 support no longer throws priority exceptions when WINDOW_UDPATE frames are received after a response has been completed. (#8558)
- twisted.web.twcgi.CGIScript will now not pass the "Proxy" header to CGI scripts, as a mitigation to CVE-2016-1000111. (#8623)
Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)
Update packages in 5/core/updates_testing:

python-twisted-web-14.0.1-3.1.mga5.x86_64
python-twisted-web-14.0.1-3.1.mga5.i586

from python-twisted-web-14.0.1-3.1.mga5.src

Suggested advisory:

Security Fix(es):

* It was discovered that python-twisted-web used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-1000111)

ref:
https://rhn.redhat.com/errata/RHSA-2016-1978.html
https://github.com/twisted/twisted/blob/twisted-16.3.2/NEWS
Assignee: makowski.mageia => qa-bugs
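The advisory above describes the httpoxy mechanism: a CGI gateway maps every request header to an HTTP_* environment variable, so a client-supplied "Proxy" header becomes HTTP_PROXY, which some HTTP client libraries then honour. The following is an added, simplified stand-alone model of that mapping and of the mitigation Twisted adopted (dropping the header); it is not Twisted's own code, and the request headers and proxy value are constructed samples.

```python
# Added illustration of CVE-2016-1000111 (httpoxy) and its mitigation.
# Simplified model of a CGI gateway; not Twisted's own implementation.
import os
import subprocess
import sys

# Constructed sample request: ordinary headers plus a client-supplied
# "Proxy" header carrying an attacker-chosen value (placeholder host).
REQUEST_HEADERS = [
    ("Host", "example.test"),
    ("User-Agent", "curl/7.50"),
    ("Proxy", "proxy.invalid:8080"),
]


def cgi_env_from_headers(headers, drop_proxy=True):
    """Map request headers to CGI HTTP_* variables (RFC 3875 convention).

    `headers` is an iterable of (name, value) pairs.  With drop_proxy=False
    this models the pre-fix behaviour: "Proxy: x" becomes HTTP_PROXY=x.
    With drop_proxy=True the header is never exported, which is the
    mitigation described in the Twisted NEWS entry for this CVE.
    """
    env = {}
    for name, value in headers:
        if drop_proxy and name.lower() == "proxy":
            continue  # never let a client choose the script's outgoing proxy
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def run_cgi_stub(env):
    """Run a stand-in CGI script and return the proxy it would use.

    The child does what an httpoxy-affected HTTP client library does:
    it reads HTTP_PROXY from its environment to pick an outgoing proxy.
    The parent's own HTTP_PROXY (if any) is filtered out so the result
    reflects only what the gateway passed through.
    """
    base = {k: v for k, v in os.environ.items() if k != "HTTP_PROXY"}
    script = "import os; print(os.environ.get('HTTP_PROXY', ''))"
    result = subprocess.run([sys.executable, "-c", script],
                            env={**base, **env}, capture_output=True,
                            text=True, check=True)
    return result.stdout.strip()


if __name__ == "__main__":
    print("unpatched:", run_cgi_stub(cgi_env_from_headers(REQUEST_HEADERS, drop_proxy=False)))
    print("patched:  ", run_cgi_stub(cgi_env_from_headers(REQUEST_HEADERS)))
```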
How to test this?
CC: (none) => mageia
You can use this simple example: http://twistedmatrix.com/documents/current/_downloads/reverse-proxy.py

It doesn't test the CVE, but as the patch is really simple, and is included in the upstream test suite, I don't think you need more testing than simply install, update and see that the simple example is working.
CC: (none) => makowski.mageia
test ok for me on x86_64
Whiteboard: (none) => has_procedure MGA5-64-OK
Whiteboard: has_procedure MGA5-64-OK => has_procedure MGA5-64-OK advisory
On mga5-32

# urpmi --searchmedia "Core Updates Testing" python-twisted-web
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch
(medium "Core Release (LAN1)")
  python-twisted-core            14.0.0       4.mga5        i586
  python-zope-interface          4.1.1        4.mga5        i586
(medium "Core Updates Testing (LAN5)")
  python-twisted-web             14.0.1       3.1.mga5      i586

Packages installed cleanly.

Created the file reverse-proxy.py containing the text:

    from twisted.internet import reactor
    from twisted.web import proxy, server

    # Forward every request received on port 8080 to www.yahoo.com:80
    site = server.Site(proxy.ReverseProxyResource('www.yahoo.com', 80, ''))
    reactor.listenTCP(8080, site)
    reactor.run()

Executed:

    $ python reverse-proxy.py

Then opened http://localhost:8080/ in a browser. The Yahoo home page was displayed.

OK on mga5-32
CC: (none) => jim
Whiteboard: has_procedure MGA5-64-OK advisory => has_procedure mga5-64-ok MGA5-32-OK
Whiteboard: has_procedure mga5-64-ok MGA5-32-OK => has_procedure mga5-64-ok MGA5-32-OK advisory
This update is now validated. The packages can be pushed to updates.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0340.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED