Bug 30067 - python-twisted new security issues CVE-2022-2171[26] and CVE-2022-24801
Summary: python-twisted new security issues CVE-2022-2171[26] and CVE-2022-24801
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-02-18 19:01 CET by David Walser
Modified: 2022-05-12 12:25 CEST (History)

See Also:
Source RPM: python-twisted-21.7.0-3.mga9.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2022-02-18 19:01:53 CET
SUSE has issued an advisory today (February 18):
https://lists.suse.com/pipermail/sle-security-updates/2022-February/010263.html

The issue is fixed upstream in 22.1.0:
https://github.com/twisted/twisted/releases/tag/twisted-22.1.0
https://github.com/twisted/twisted/security/advisories/GHSA-92x2-jw7w-xvvx

Mageia 8 is also affected.
David Walser 2022-02-18 19:02:08 CET

Status comment: (none) => Fixed upstream in 22.1.0
Whiteboard: (none) => MGA8TOO

Comment 1 David Walser 2022-02-21 23:32:27 CET
Debian-LTS has issued an advisory for this on February 19:
https://www.debian.org/lts/security/2022/dla-2927
Comment 2 David Walser 2022-02-21 23:43:33 CET
openSUSE has issued an advisory for this on February 18:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/233XDDM6URC3DPBBAKQV2AZQY6TBXJRV/
Comment 3 David Walser 2022-03-09 17:40:10 CET
Debian-LTS has issued an advisory on March 8:
https://www.debian.org/lts/security/2022/dla-2938

The issue is fixed upstream in 22.2.0:
https://github.com/twisted/twisted/releases/tag/twisted-22.2.0
https://github.com/twisted/twisted/security/advisories/GHSA-rv6r-3f5q-9rgx

Mageia 8 is not affected.

Status comment: Fixed upstream in 22.1.0 => Fixed upstream in 22.2.0
Summary: python-twisted new security issue CVE-2022-21712 => python-twisted new security issues CVE-2022-2171[26]

Comment 4 David Walser 2022-03-30 17:15:15 CEST
Ubuntu has issued an advisory for this today (March 30):
https://ubuntu.com/security/notices/USN-5354-1
Comment 5 David Walser 2022-05-02 20:27:20 CEST
openSUSE has issued an advisory on April 29:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/HJFVJUKPT7GYOWBWGQSIVM3OEHKOEVVJ/

The issue is fixed upstream in 22.4.0:
https://github.com/twisted/twisted/releases/tag/twisted-22.4.0
https://github.com/twisted/twisted/security/advisories/GHSA-c2jg-hw38-jrqq

Mageia 8 is also affected.

Summary: python-twisted new security issues CVE-2022-2171[26] => python-twisted new security issues CVE-2022-2171[26] and CVE-2022-24801
Status comment: Fixed upstream in 22.2.0 => Fixed upstream in 22.4.0

Comment 6 papoteur 2022-05-06 15:19:59 CEST
Python-twisted is now packaged in 22.4.0

python3-twisted+tls-22.4.0-1.1.mga8
python3-twisted-22.4.0-1.1.mga8

This module is used in:
buildbot-master
buildbot-worker
deluge
kajongg
noethys
syncevolution

CC: (none) => yves.brungard_mageia
Assignee: python => qa-bugs

Thomas Backlund 2022-05-06 15:43:46 CEST

Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)

Comment 7 David Walser 2022-05-06 17:07:15 CEST
Reminder again to remove subrel when upgrading and to clear the status comment when assigning to QA.

Status comment: Fixed upstream in 22.4.0 => (none)

Comment 8 David Walser 2022-05-06 17:34:25 CEST
In fact, the subrel makes the release tag higher than Cauldron.  We could rebuild Cauldron, but it's better to remove this, remove the subrel, and do it right.  I've asked a sysadmin to remove it.

Keywords: (none) => feedback

Comment 9 papoteur 2022-05-07 08:03:33 CEST
(In reply to David Walser from comment #8)
> In fact, the subrel makes the release tag higher than Cauldron.  We could
> rebuild Cauldron, but it's better to remove this, remove the subrel, and do
> it right.  I've asked a sysadmin to remove it.

Sorry for that. I misinterpreted what my mentor said.
Comment 10 David Walser 2022-05-07 23:45:05 CEST
Repushed without subrel.

python-twisted-22.4.0-1.mga8.src.rpm

Keywords: feedback => (none)

Comment 11 Len Lawrence 2022-05-09 11:18:10 CEST
mga8, x64

A difficult one to test.  No familiarity with any of the used-by packages listed but they launched OK, before updates.

Obtained RPMs via qarepo.
Tried to install them:
Sorry, the following packages cannot be selected:

- python3-twisted+tls-22.4.0-1.mga8.x86_64
- python3-twisted-22.4.0-1.mga8.x86_64 (due to unsatisfied python3.8dist(automat)[>= 0.8])

CC: (none) => tarazed25

David Walser 2022-05-09 12:11:31 CEST

Keywords: (none) => feedback

Comment 12 papoteur 2022-05-09 20:58:20 CEST
There is a new release for python3-automat in 21.2.0.
However, there is still a problem with python3-incremental version.
I will come back later.

Assignee: qa-bugs => yves.brungard_mageia

Comment 13 papoteur 2022-05-10 17:52:54 CEST
The installation is now possible with
python3-incremental-21.3.0-1.mga8.noarch
python3-automat-0.8.0-1.mga8.noarch
python3-twisted-22.4.0-1.mga8
python3-twisted+tls-22.4.0-1.mga8

Assignee: yves.brungard_mageia => qa-bugs

Comment 14 Len Lawrence 2022-05-10 21:24:46 CEST
Installation and updates went well.
deluge and noethys launch their GUIs but there is nothing that can be done with them here.
Played kajongg for a while without much understanding of the rules.  It cycled round the players smoothly enough.
This looks good to go.

Keywords: feedback => (none)
Whiteboard: (none) => MGA8-64-OK

Comment 15 Len Lawrence 2022-05-10 21:26:39 CEST
Thanks papoteur for the quick response.
Comment 16 papoteur 2022-05-11 07:33:16 CEST
Advisory
===================
This update is for fixing:
CVE-2022-2171[26]
CVE-2022-24801
GHSA-rv6r-3f5q-9rgx
The Twisted SSH client and server implementation naively accepted an infinite amount of data for the peer's SSH version identifier.
GHSA-c2jg-hw38-jrqq
The Twisted Web HTTP 1.1 server, located in the twisted.web.http module, parsed several HTTP request constructs more leniently than permitted by RFC 7230.
Comment 17 papoteur 2022-05-11 07:49:45 CEST
Advisory
===================
This update is for fixing:
CVE-2022-21712: It was discovered that Twisted incorrectly filtered HTTP headers when clients are being redirected to another origin. A remote attacker could use this issue to obtain sensitive information.
CVE-2022-21716: It was discovered that Twisted incorrectly processed SSH handshake data on connection establishments. A remote attacker could use this issue to cause Twisted to crash, resulting in a denial of service.

GHSA-rv6r-3f5q-9rgx
The Twisted SSH client and server implementation naively accepted an infinite amount of data for the peer's SSH version identifier.

GHSA-c2jg-hw38-jrqq and CVE-2022-24801
The Twisted Web HTTP 1.1 server, located in the twisted.web.http module, parsed several HTTP request constructs more leniently than permitted by RFC 7230.

GHSA-92x2-jw7w-xvvx: twisted.web.client.getPage, twisted.web.client.downloadPage, and the associated implementation classes (HTTPPageGetter, HTTPPageDownloader, HTTPClientFactory, HTTPDownloader) have been removed because they do not segregate cookies by domain. They were deprecated in Twisted 16.7.0 in favor of twisted.web.client.Agent.
=====================
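The GHSA-rv6r-3f5q-9rgx entry in the advisory above describes an SSH implementation that kept buffering the peer's version identifier line with no upper bound. The following is an added example, not Twisted's code and not taken from the advisory: it puts the naive accumulate-until-CRLF pattern beside a bounded reader that stops buffering once the line exceeds the 255-byte limit RFC 4253 §4.2 sets for the identification string (CR LF included). The class names, the exception and the sample inputs are this example's own.

```python
"""Bounded parsing of the SSH protocol version identifier line.

Added illustration (not Twisted's implementation). Both readers are fed the
peer's bytes chunk by chunk, as a network protocol would receive them.
"""

# RFC 4253 section 4.2: the identification string is at most 255 bytes,
# counting the terminating CR LF.
MAX_IDENT_LINE = 255


class VersionLineTooLong(Exception):
    """Raised when the peer sends more identifier bytes than the limit allows."""


class NaiveVersionReader:
    """Accumulates bytes until CRLF with no upper bound.

    This is the unsafe pattern: a peer that never sends CRLF makes ``buf``
    grow without limit, so memory use is controlled by the remote side.
    """

    def __init__(self):
        self.buf = b""
        self.version = None

    def feed(self, data):
        if self.version is not None:
            return self.version
        self.buf += data
        idx = self.buf.find(b"\r\n")
        if idx == -1:
            return None  # keep waiting, however much has arrived
        self.version, self.buf = self.buf[:idx], self.buf[idx + 2:]
        return self.version


class BoundedVersionReader:
    """Same state machine, but refuses to buffer past the RFC limit.

    Lines that do not start with ``SSH-`` are skipped (RFC 4253 allows a
    server to send other lines before its identification string); each such
    line is held to the same length limit.
    """

    def __init__(self, limit=MAX_IDENT_LINE):
        self.limit = limit
        self.buf = b""
        self.version = None

    def feed(self, data):
        if self.version is not None:
            return self.version
        self.buf += data
        while self.version is None:
            idx = self.buf.find(b"\r\n")
            if idx == -1:
                # No terminator yet. If the partial line can no longer fit in
                # the limit together with its CR LF, stop here instead of
                # buffering whatever else the peer chooses to send.
                if len(self.buf) > self.limit - 2:
                    raise VersionLineTooLong(len(self.buf))
                return None
            if idx + 2 > self.limit:
                raise VersionLineTooLong(idx + 2)
            line, self.buf = self.buf[:idx], self.buf[idx + 2:]
            if line.startswith(b"SSH-"):
                self.version = line
        return self.version


def buffered_bytes_after(reader, chunks):
    """Feed constructed chunks and report how much the reader still holds.

    Returns (version_or_None, bytes_buffered, rejected) so the two readers can
    be compared on the same input.
    """
    try:
        version = None
        for chunk in chunks:
            version = reader.feed(chunk)
    except VersionLineTooLong:
        return None, len(reader.buf), True
    return version, len(reader.buf), False


if __name__ == "__main__":
    # Constructed sample: a peer that sends 100 kB of junk and never a CRLF.
    junk = [b"A" * 1024] * 100
    print("naive:  ", buffered_bytes_after(NaiveVersionReader(), junk))
    print("bounded:", buffered_bytes_after(BoundedVersionReader(), junk))
```

Fed the same never-terminated stream, the naive reader keeps all 100 kB in memory and is still waiting, while the bounded reader raises after the first chunk; a well-formed identifier (with or without preceding banner lines) is returned by both.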
Comment 18 Thomas Andrews 2022-05-11 13:59:13 CEST
Validating. Advisory in Comment 17.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2022-05-11 23:17:01 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 19 Mageia Robot 2022-05-12 12:25:55 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0168.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

