openSUSE has issued an advisory on July 21: https://lists.opensuse.org/opensuse-updates/2019-07/msg00089.html The issue is fixed upstream in 19.2.1.
Updated package uploaded by Jani.

Advisory:
========================

Updated python-twisted packages fix security vulnerability:

Improper sanitization of URIs or HTTP which could allow attackers to perform CRLF attacks (CVE-2019-12387).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12387
https://lists.opensuse.org/opensuse-updates/2019-07/msg00089.html
========================

Updated packages in core/updates_testing:
========================

python2-twisted-19.2.1-1.mga7
python3-twisted-19.2.1-1.mga7

from python-twisted-19.2.1-1.mga7.src.rpm
Assignee: jani.valimaa => qa-bugs
CC: (none) => jani.valimaa
openSUSE has issued an advisory on September 5: https://lists.opensuse.org/opensuse-updates/2019-09/msg00028.html It looks like this new issue will need an additional patch.
Keywords: (none) => feedback
Summary: python-twisted new security issue CVE-2019-12387 => python-twisted new security issues CVE-2019-12387 and CVE-2019-12855
Keywords: feedback => (none)
CC: jani.valimaa => qa-bugs
Assignee: qa-bugs => jani.valimaa
Advisory:
========================

Updated python-twisted packages fix security vulnerability:

Improper sanitization of URIs or HTTP which could allow attackers to perform CRLF attacks (CVE-2019-12387).

In words.protocols.jabber.xmlstream in Twisted through 19.2.1, XMPP support did not verify certificates when used with TLS, allowing an attacker to MITM connections (CVE-2019-12855).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12387
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12855
https://lists.opensuse.org/opensuse-updates/2019-07/msg00089.html
https://lists.opensuse.org/opensuse-updates/2019-09/msg00028.html
========================

Updated packages in core/updates_testing:
========================

python2-twisted-19.2.1-1.1.mga7
python3-twisted-19.2.1-1.1.mga7

from python-twisted-19.2.1-1.1.mga7.src.rpm
CC: (none) => jani.valimaa
Assignee: jani.valimaa => qa-bugs
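The two issues in the advisory above are of a kind a defender can test for in their own code: a request target carrying CR/LF bytes that would split an HTTP request line (the CVE-2019-12387 class), and a TLS client context that does not verify the peer certificate (the CVE-2019-12855 class). The following is an added example, not code from the bug report, from Twisted or from the Mageia package; it uses only the Python standard library, and the validation policy, function names and sample inputs are assumptions chosen for illustration.

```python
import re
import ssl

# Bytes that must never appear in a request target: NUL..SPACE, DEL.
# CR (0x0d) and LF (0x0a) are the ones that split a request line; the
# rest are refused as well because no valid request-target contains them.
# This is an assumed policy for the example, not Twisted's own check.
_FORBIDDEN = re.compile(rb"[\x00-\x20\x7f]")
_TOKEN = re.compile(rb"^[A-Z]+$")  # assumed: upper-case method token only


def validate_request_target(uri: bytes) -> bytes:
    """Return `uri` unchanged, or raise ValueError if it contains a byte
    that could terminate the request line or inject a header."""
    if not isinstance(uri, bytes):
        raise TypeError("request target must be bytes")
    if not uri:
        raise ValueError("empty request target")
    m = _FORBIDDEN.search(uri)
    if m:
        raise ValueError(
            f"forbidden byte {m.group()!r} at offset {m.start()} in request target"
        )
    return uri


def build_request_line(method: bytes, uri: bytes) -> bytes:
    """Assemble 'METHOD target HTTP/1.1\\r\\n', refusing untrusted input that
    would let a caller smuggle extra header lines into the request."""
    if not _TOKEN.match(method):
        raise ValueError(f"invalid method {method!r}")
    return method + b" " + validate_request_target(uri) + b" HTTP/1.1\r\n"


def tls_client_context_verifies(ctx: ssl.SSLContext) -> bool:
    """True only if the context both requires a certificate and checks
    that it matches the host name; anything less allows a MITM."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def hardened_client_context() -> ssl.SSLContext:
    """The setting a client should use: default context, CERT_REQUIRED
    and check_hostname=True, trust store loaded from the system."""
    return ssl.create_default_context()


def unverified_client_context() -> ssl.SSLContext:
    """The weak setting for comparison: a context that accepts any
    certificate. check_hostname must be cleared before verify_mode."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the bug report.
    print(build_request_line(b"GET", b"/index.html?q=1"))
    for bad in (b"/a\r\nX-Injected: 1", b"/a b", b"/a\x00"):
        try:
            build_request_line(b"GET", bad)
        except ValueError as e:
            print("rejected:", e)
    print("default context verifies:", tls_client_context_verifies(hardened_client_context()))
    print("unverified context verifies:", tls_client_context_verifies(unverified_client_context()))
```

`tls_client_context_verifies` is the check to run against any `SSLContext` an application hands to a TLS client (or the `ssl.CertificateOptions` object handed to Twisted's `connectSSL`, after it is turned into a context), since a context built by hand with `CERT_NONE` is silent about the fact that it trusts every peer.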
MGA7-64 Plasma on Lenovo B50
No installation issues.
At CLI:
# urpmq --whatrequires python3-twisted
kajongg
python3-prometheus-client
python3-twisted
Took the easy one, installed kajongg and
$ strace -o pthtwusted.txt kajongg
shows a lot of references like
openat(AT_FDCWD, "/usr/lib64/python3.7/site-packages/twisted/__pycache__/__init__.cpython-37.pyc", O_RDONLY|O_CLOEXEC) = 10
and
stat("/usr/lib64/python3.7/site-packages/twisted", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
Looking further for a python2-twisted testcase.
CC: (none) => herman.viaene
# urpmq --whatrequires python2-twisted
avahi-python
balazarbrothers
buildbot-master
buildbot-slave
deluge
noethys
python-axiom
python-epsilon
python-foolscap
python-moksha-hub
python-storm-twisted
python-txws
python-txzmq
python2-twisted
sslstrip
supybot-Dcc
supybot-ExternalNotice
supybot-Gateway
supybot-Sshd
supybot-Webserver
syncevolution
taskcoach
tofu
Picked first tofu, had to install python2-cerealizer and could then run
$ strace -o pthtwusted2.txt python2 /usr/share/doc/tofu/run_demo.py --client localhost
* Tofu *
IDLER created !
That opened an otherwise empty tofu window, but the trace shows calls to python2-twisted.
Tried taskcoach
$ strace -o pthtwustedtaskcoach.txt taskcoach
I could create a new task, and play around in the gui-interface; trace again shows calls to python2-twisted.
OK for me unless someone needs more tests.
Whiteboard: (none) => MGA7-64-OK
Keywords: (none) => advisory, validated_update
CC: (none) => tmb, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0360.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED