Bug 33807 - python-twisted new security issues CVE-2023-46137, CVE-2024-41671 and CVE-2024-41810
Summary: python-twisted new security issues CVE-2023-46137, CVE-2024-41671 and CVE-202...
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2024-11-27 16:02 CET by Nicolas Salguero
Modified: 2025-02-12 07:38 CET

See Also:
Source RPM: python-twisted-22.10.0-2.mga9.src.rpm
CVE: CVE-2023-46137, CVE-2024-41671, CVE-2024-41810
Status comment:


Nicolas Salguero 2024-11-27 16:02:53 CET

Source RPM: (none) => python-twisted-24.3.0-1.mga10.src.rpm, python-twisted-22.10.0-2.mga9.src.rpm
Status comment: (none) => Patch available from Ubuntu and upstream
Whiteboard: (none) => MGA9TOO
CVE: (none) => CVE-2024-41671

Comment 1 Lewis Smith 2024-11-27 21:13:09 CET
Thank you again for the patch URL.
Assigning to Python maintainers.

Assignee: bugsquad => python

Nicolas Salguero 2025-02-10 15:25:33 CET

Summary: python-twisted new security issue CVE-2024-41671 => python-twisted new security issues CVE-2024-41671 and CVE-2024-41810

Nicolas Salguero 2025-02-10 15:25:43 CET

CVE: CVE-2024-41671 => CVE-2024-41671, CVE-2024-41810

Nicolas Salguero 2025-02-10 15:33:00 CET

Summary: python-twisted new security issues CVE-2024-41671 and CVE-2024-41810 => python-twisted new security issues CVE-2023-46137, CVE-2024-41671 and CVE-2024-41810
CVE: CVE-2024-41671, CVE-2024-41810 => CVE-2023-46137, CVE-2024-41671, CVE-2024-41810

Comment 2 Nicolas Salguero 2025-02-10 15:49:06 CET
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Twisted.web has disordered HTTP pipeline response. (CVE-2023-46137)

Twisted.web has disordered HTTP pipeline response. (CVE-2024-41671)

HTML injection in HTTP redirect body. (CVE-2024-41810)

References:
https://ubuntu.com/security/notices/USN-6575-1
https://ubuntu.com/security/notices/USN-6988-1
https://ubuntu.com/security/notices/USN-6988-2
========================

Updated packages in core/updates_testing:
========================
python3-twisted+tls-22.10.0-2.1.mga9
python3-twisted-22.10.0-2.1.mga9

from SRPM:
python-twisted-22.10.0-2.1.mga9.src.rpm

Status comment: Patch available from Ubuntu and upstream => (none)
Version: Cauldron => 9
Whiteboard: MGA9TOO => (none)
Source RPM: python-twisted-24.3.0-1.mga10.src.rpm, python-twisted-22.10.0-2.mga9.src.rpm => python-twisted-22.10.0-2.mga9.src.rpm
Status: NEW => ASSIGNED
Assignee: python => qa-bugs

katnatek 2025-02-10 20:25:46 CET

Keywords: (none) => advisory

Comment 3 Herman Viaene 2025-02-11 15:11:15 CET
MGA9-64 Plasma Wayland on Compaq H000SB.
No installation issues.
Tried to test by opening kajongg. It opens and the dialogue for users can be opened. Skipped that and some playground opens with 3 talking robots around. They do things which I do not understand and can't be bothered to delve into.
So looking at previous bugs 30067 and 31140, this should be good enough to go.

Whiteboard: (none) => MGA9-64-OK
CC: (none) => herman.viaene

Comment 4 Thomas Andrews 2025-02-11 16:32:33 CET
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 5 Mageia Robot 2025-02-12 07:38:43 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2025-0054.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
