SUSE has issued an advisory today (February 18):
https://lists.suse.com/pipermail/sle-security-updates/2022-February/010263.html

The issue is fixed upstream in 22.1.0:
https://github.com/twisted/twisted/releases/tag/twisted-22.1.0
https://github.com/twisted/twisted/security/advisories/GHSA-92x2-jw7w-xvvx

Mageia 8 is also affected.
Status comment: (none) => Fixed upstream in 22.1.0
Whiteboard: (none) => MGA8TOO
Debian-LTS has issued an advisory for this on February 19: https://www.debian.org/lts/security/2022/dla-2927
openSUSE has issued an advisory for this on February 18: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/233XDDM6URC3DPBBAKQV2AZQY6TBXJRV/
Debian-LTS has issued an advisory on March 8:
https://www.debian.org/lts/security/2022/dla-2938

The issue is fixed upstream in 22.2.0:
https://github.com/twisted/twisted/releases/tag/twisted-22.2.0
https://github.com/twisted/twisted/security/advisories/GHSA-rv6r-3f5q-9rgx

Mageia 8 is not affected.
Status comment: Fixed upstream in 22.1.0 => Fixed upstream in 22.2.0
Summary: python-twisted new security issue CVE-2022-21712 => python-twisted new security issues CVE-2022-2171[26]
Ubuntu has issued an advisory for this today (March 30): https://ubuntu.com/security/notices/USN-5354-1
openSUSE has issued an advisory on April 29:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/HJFVJUKPT7GYOWBWGQSIVM3OEHKOEVVJ/

The issue is fixed upstream in 22.4.0:
https://github.com/twisted/twisted/releases/tag/twisted-22.4.0
https://github.com/twisted/twisted/security/advisories/GHSA-c2jg-hw38-jrqq

Mageia 8 is also affected.
Summary: python-twisted new security issues CVE-2022-2171[26] => python-twisted new security issues CVE-2022-2171[26] and CVE-2022-24801
Status comment: Fixed upstream in 22.2.0 => Fixed upstream in 22.4.0
Python-twisted is now packaged in 22.4.0:
python3-twisted+tls-22.4.0-1.1.mga8
python3-twisted-22.4.0-1.1.mga8

This module is used in:
buildbot-master
buildbot-worker
deluge
kajongg
noethys
syncevolution
CC: (none) => yves.brungard_mageia
Assignee: python => qa-bugs
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
Reminder again to remove subrel when upgrading and to clear the status comment when assigning to QA.
Status comment: Fixed upstream in 22.4.0 => (none)
In fact, the subrel makes the release tag higher than Cauldron. We could rebuild Cauldron, but it's better to remove this, remove the subrel, and do it right. I've asked a sysadmin to remove it.
Keywords: (none) => feedback
(In reply to David Walser from comment #8)
> In fact, the subrel makes the release tag higher than Cauldron. We could
> rebuild Cauldron, but it's better to remove this, remove the subrel, and do
> it right. I've asked a sysadmin to remove it.

Sorry for that. I misinterpreted what my mentor said.
Repushed without subrel.
python-twisted-22.4.0-1.mga8.src.rpm
Keywords: feedback => (none)
mga8, x64

A difficult one to test. No familiarity with any of the used-by packages listed but they launched OK, before updates.

Obtained RPMs via qarepo. Tried to install them:

Sorry, the following packages cannot be selected:
- python3-twisted+tls-22.4.0-1.mga8.x86_64
- python3-twisted-22.4.0-1.mga8.x86_64 (due to unsatisfied python3.8dist(automat)[>= 0.8])
CC: (none) => tarazed25
There is a new release for python3-automat in 21.2.0. However, there is still a problem with python3-incremental version. I will come back later.
Assignee: qa-bugs => yves.brungard_mageia
The installation is now possible with:
python3-incremental-21.3.0-1.mga8.noarch
python3-automat-0.8.0-1.mga8.noarch
python3-twisted-22.4.0-1.mga8
python3-twisted+tls-22.4.0-1.mga8
Assignee: yves.brungard_mageia => qa-bugs
Installation and updates went well. deluge and noethys launch their GUIs but there is nothing that can be done with them here. Played kajongg for a while without much understanding of the rules. It cycled round the players smoothly enough. This looks good to go.
Keywords: feedback => (none)
Whiteboard: (none) => MGA8-64-OK
Thanks papoteur for the quick response.
Advisory
===================

This update is for fixing:

CVE-2022-2171[26]
CVE-2022-24801

GHSA-rv6r-3f5q-9rgx
The Twisted SSH client and server implementation naively accepted an infinite amount of data for the peer's SSH version identifier.

GHSA-c2jg-hw38-jrqq
The Twisted Web HTTP 1.1 server, located in the twisted.web.http module, parsed several HTTP request constructs more leniently than permitted by RFC 7230.
Advisory
===================

This update is for fixing:

CVE-2022-21712:
It was discovered that Twisted incorrectly filtered HTTP headers when clients are being redirected to another origin. A remote attacker could use this issue to obtain sensitive information.

CVE-2022-21716:
It was discovered that Twisted incorrectly processed SSH handshake data on connection establishments. A remote attacker could use this issue to cause Twisted to crash, resulting in a denial of service.

GHSA-rv6r-3f5q-9rgx
The Twisted SSH client and server implementation naively accepted an infinite amount of data for the peer's SSH version identifier.

GHSA-c2jg-hw38-jrqq and CVE-2022-24801
The Twisted Web HTTP 1.1 server, located in the twisted.web.http module, parsed several HTTP request constructs more leniently than permitted by RFC 7230.

GHSA-92x2-jw7w-xvvx:
twisted.web.client.getPage, twisted.web.client.downloadPage, and the associated implementation classes (HTTPPageGetter, HTTPPageDownloader, HTTPClientFactory, HTTPDownloader) have been removed because they do not segregate cookies by domain. They were deprecated in Twisted 16.7.0 in favor of twisted.web.client.Agent.
=====================
Validating. Advisory in Comment 17.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2022-0168.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED