Your message dated Mon, 23 Mar 2020 20:57:24 +0000
with message-id <e1jgu8s-000gyu...@fasolo.debian.org>
and subject line Bug#930626: fixed in twisted 18.9.0-7
has caused the Debian Bug report #930626,
regarding twisted: CVE-2019-12855
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
930626: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930626
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: twisted
Version: 18.9.0-3
Severity: important
Tags: security upstream
Forwarded: https://twistedmatrix.com/trac/ticket/9561

Hi,

The following vulnerability was published for twisted.

CVE-2019-12855[0]:
| In words.protocols.jabber.xmlstream in Twisted through 19.2.1, XMPP
| support did not verify certificates when used with TLS, allowing an
| attacker to MITM connections.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-12855
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12855
[1] https://twistedmatrix.com/trac/ticket/9561
[2] https://github.com/twisted/twisted/pull/1147

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: twisted
Source-Version: 18.9.0-7
Done: Andrej Shadura <andre...@debian.org>

We believe that the bug you reported is fixed in the latest version of
twisted, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 930...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andrej Shadura <andre...@debian.org> (supplier of updated twisted package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 23 Mar 2020 20:49:21 +0100
Source: twisted
Architecture: source
Version: 18.9.0-7
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Modules Team <python-modules-t...@lists.alioth.debian.org>
Changed-By: Andrej Shadura <andre...@debian.org>
Closes: 930389 930626 948560 953950
Changes:
 twisted (18.9.0-7) unstable; urgency=medium
 .
   [ Marc Deslauriers ]
   * SECURITY UPDATE: incorrect URI and HTTP method validation
     - debian/patches/CVE-2019-12387.patch: prevent CRLF injections in
       src/twisted/web/_newclient.py, src/twisted/web/client.py,
       src/twisted/web/test/injectionhelpers.py,
       src/twisted/web/test/test_agent.py,
       src/twisted/web/test/test_webclient.py.
     - CVE-2019-12387
     - Closes: #930389
   * SECURITY UPDATE: incorrect cert validation in XMPP support
     - debian/patches/CVE-2019-12855-*.patch: upstream patches to implement
       certificate checking.
     - CVE-2019-12855
     - Closes: #930626
   * SECURITY UPDATE: HTTP/2 denial of service issues
     - debian/patches/CVE-2019-951x.patch: buffer outbound control frames
       and timeout invalid clients in src/twisted/web/_http2.py,
       src/twisted/web/error.py, src/twisted/web/http.py,
       src/twisted/web/test/test_http.py,
       src/twisted/web/test/test_http2.py.
     - CVE-2019-9511
     - CVE-2019-9514
     - CVE-2019-9515
   * SECURITY UPDATE: request smuggling attacks
     - debian/patches/CVE-2020-1010x-pre1.patch: refactor to reduce
       duplication in src/twisted/web/test/test_http.py.
     - debian/patches/CVE-2020-1010x.patch: fix several request smuggling
       attacks in src/twisted/web/http.py,
       src/twisted/web/test/test_http.py.
     - CVE-2020-10108
     - CVE-2020-10109
     - Closes: #953950
 .
   [ Emmanuel Arias ]
   * Add patch to fix SyntaxWarning (Closes: #948560).


--- End Message ---
