SUSE has issued an advisory on November 15:
https://lists.suse.com/pipermail/sle-security-updates/2022-November/012932.html
The issue is fixed upstream in 22.10.0rc1:
https://github.com/twisted/twisted/security/advisories/GHSA-vg46-2rrj-3647
Mageia 8 is also affected.
Status comment: (none) => Fixed upstream in 22.10.0rc1
Whiteboard: (none) => MGA8TOO
Equivalent openSUSE advisory: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/3MV43ZXUEM77YQ3H54TPOKIVOOABGJKI/
Debian-LTS has issued an advisory for this on November 28: https://www.debian.org/lts/security/2022/dla-3212
Cauldron is updated with 22.10.0
CC: (none) => yves.brungard_mageia
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
Submitted:
python3-twisted+tls-22.10.0-1.mga8
python3-twisted-22.10.0-1.mga8
Source: python-twisted-22.10.0-1.mga8
Assignee: python => qa-bugs
Status comment: Fixed upstream in 22.10.0rc1 => (none)
Source RPM: python-twisted-22.4.0-1.mga9.src.rpm => (none)
Source RPM: (none) => python-twisted-22.4.0-1.mga8.src.rpm
Mageia8, x86_64
Updated the two packages and referring to bug 30067 played around with kajongg. The only problem there was the unauthorized login and wrong username.
noethys launches fine - everything in French so not at all sure what it is about. It seems to be some sort of management tool for projects and organisations. There was a list of members.
$ syncevolution --help
syncevolution: error while loading shared libraries: libopenobex.so.2: cannot open shared object file: No such file or directory
$ sudo urpmi libopenobex
lib64openobex2-1.7.2-4.mga8
$ syncevolution --help
List and manipulate databases:
  syncevolution --print-databases|--create-database|--remove-database [<properties>] [<config> <store>]
This is all unfamiliar territory but the dependent applications open and run but they are not really being tested, apart from kajongg. A tentative OK for this.
CC: (none) => tarazed25
Whiteboard: (none) => MGA8-64-OK
Having to remove the OK because kajongg has stopped working.
$ kajongg
  File "/usr/bin/kajongg", line 169, in <module>
    parseOptions()
  File "/usr/bin/kajongg", line 140, in parseOptions
    from query import initDb
  File "/usr/share/kajongg/query.py", line 36, in <module>
    from log import logInfo, logWarning, logException, logError, logDebug, id4
  File "/usr/share/kajongg/log.py", line 34, in <module>
    from dialogs import Sorry, Information, NoPrompt
  File "/usr/share/kajongg/dialogs.py", line 26, in <module>
    from twisted.internet.defer import Deferred, succeed
  File "/usr/lib/python3.8/site-packages/twisted/internet/defer.py", line 42, in <module>
    from typing_extensions import Literal, ParamSpec, Protocol
ImportError: cannot import name 'ParamSpec' from 'typing_extensions' (/usr/lib/python3.8/site-packages/typing_extensions.py)
Whiteboard: MGA8-64-OK => (none)
Hello Len
I don't reproduce your error, but I have another one, when quitting a play:
kajongg
Unhandled Error
Traceback (most recent call last):
Failure: twisted.cred.error.UnauthorizedLogin: b'&&SERVER&&Wrong username: %1&&SERVER&&Yves&&SERVER&&'
which implies twisted :(
From within a python console,
from typing_extensions import Literal, ParamSpec, Protocol
is working fine.
Which version of python3-typing_extensions do you have?
(In reply to papoteur from comment #7)
> Hello Len
> I don't reproduce your error, but I have another one, when quitting a play:
> kajongg
> Unhandled Error
> Traceback (most recent call last):
> Failure: twisted.cred.error.UnauthorizedLogin: b'&&SERVER&&Wrong username:
> %1&&SERVER&&Yves&&SERVER&&' of python3-typing_extensions do you have?
In fact, the problem is that I didn't define an account. This is badly managed by kajongg, but this is not a defect of twisted.
Replying to papoteur, comments 7 and 8. Neither did I define an account so I saw the same exit message.
$ rpm -q python3-typing_extensions
python3-typing_extensions-3.7.4-4.mga8
Sounds like there is nothing fundamentally wrong so the OK goes back. Thanks Yves.
Whiteboard: (none) => MGA8-64-OK
Advisory:
=================
Fix for CVE-2022-39348: When the host header does not match a configured host, twisted.web.vhost.NameVirtualHost will return a NoResource resource which renders the Host header unescaped into the 404 response, allowing HTML and script injection.
=================
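
The pattern the advisory describes, as an added example that is not Twisted's code or part of the original thread: a stdlib-only model of a name-based virtual host 404 page, with the unescaped form beside the escaped one. The host table, template wording, function names and probe string are constructed assumptions.

```python
import html

# Constructed stand-in for a name-based virtual host table (hypothetical names).
CONFIGURED_HOSTS = {b"example.org": b"<html><body>example.org site</body></html>"}

# Constructed 404 template; the wording is not Twisted's.
NOT_FOUND = "<html><body><h1>404 - No Such Resource</h1><p>No vhost for {}</p></body></html>"


def _lookup(host_header: bytes):
    """Return the configured site for a Host header, matched case-insensitively."""
    return CONFIGURED_HOSTS.get(host_header.strip().lower())


def render_unescaped(host_header: bytes) -> bytes:
    """Pattern from the advisory: an unknown Host value is copied into the 404 body."""
    site = _lookup(host_header)
    if site is not None:
        return site
    return NOT_FOUND.format(host_header.decode("latin-1")).encode("utf-8")


def render_escaped(host_header: bytes) -> bytes:
    """Hardened form: the Host value is HTML-escaped before it reaches the page."""
    site = _lookup(host_header)
    if site is not None:
        return site
    safe = html.escape(host_header.decode("latin-1"), quote=True)
    return NOT_FOUND.format(safe).encode("utf-8")


def reflects_raw(body: bytes, probe: bytes) -> bool:
    """Regression check: True if the probe's markup survives verbatim in the body."""
    return probe in body


# Constructed probe: inert markup, enough to show whether '<' and '>' pass through.
PROBE = b"<i>vhost-probe</i>"

if __name__ == "__main__":
    for render in (render_unescaped, render_escaped):
        body = render(PROBE)
        print(render.__name__, "reflects raw markup:", reflects_raw(body, PROBE))
```
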
Validating. Advisory in Comment 10.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2023-0061.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED