Debian Long Term Support / LTS Security Information / 2020 / Security Information -- DLA-2145-1 twisted

Debian Security Advisory

DLA-2145-1 twisted -- LTS security update

Date Reported:

17 Mar 2020

Affected Packages:

twisted

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2020-10108, CVE-2020-10109.

More information:

It was discovered that there were a number of HTTP request splitting vulnerabilities in Twisted, an Python event-based framework for building various types of internet applications.

For more information, please see the upstream advisory.

• CVE-2020-10108

  In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with two content-length headers, it ignored the first header. When the second content-length value was set to zero, the request body was interpreted as a pipelined request.

• CVE-2020-10109

  In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with a content-length and a chunked encoding header, the content-length took precedence and the remainder of the request body was interpreted as a pipelined request.

For Debian 8 Jessie, these problems have been fixed in version 14.0.2-3+deb8u1.

We recommend that you upgrade your twisted packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS