Your message dated Mon, 30 Jan 2023 15:37:54 +0000
with message-id <[email protected]>
and subject line Bug#1023359: fixed in twisted 22.4.0-4
has caused the Debian Bug report #1023359,
regarding twisted: CVE-2022-39348: NameVirtualHost Host header injection
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1023359: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1023359
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: twisted
Version: 22.4.0-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 20.3.0-7+deb11u1
Control: found -1 20.3.0-7
Hi,
The following vulnerability was published for twisted.
CVE-2022-39348[0]:
| Twisted is an event-based framework for internet applications. Started
| Starting with version 0.9.4, when the host header does not match a configured
| host `twisted.web.vhost.NameVirtualHost` will return a `NoResource`
| resource which renders the Host header unescaped into the 404 response
| allowing HTML and script injection. In practice this should be very
| difficult to exploit as being able to modify the Host header of a
| normal HTTP request implies that one is already in a privileged
| position. This issue was fixed in version 22.10.0rc1. There are no
| known workarounds.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-39348
https://www.cve.org/CVERecord?id=CVE-2022-39348
[1] https://github.com/twisted/twisted/security/advisories/GHSA-vg46-2rrj-3647
[2] https://github.com/twisted/twisted/commit/f2f5e81c03f14e253e85fe457e646130780db40b
Regards,
Salvatore
--- End Message ---
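As an added illustration of the defect class described in the report (this is not Twisted's code and not the upstream patch), a minimal 404 body builder in its unescaped and hardened forms, plus a check that flags raw reflection of a header value; `build_not_found_body` and `body_reflects_raw_markup` are hypothetical names.

```python
import html


def build_not_found_body(host: str, escape_host: bool = True) -> str:
    """Build a minimal 404 page that echoes the requested Host value.

    escape_host=False reproduces the shape of the CVE-2022-39348 defect:
    a client-controlled header interpolated verbatim into HTML. The
    default applies html.escape() so '<', '>', '&' and quotes are
    rendered as entities. Hypothetical helper, not Twisted's code.
    """
    message = f"host {host} not in vhost map"
    if escape_host:
        message = html.escape(message, quote=True)
    return (
        "<html><head><title>No Such Resource</title></head>"
        f"<body><h1>No Such Resource</h1><p>{message}</p></body></html>"
    )


def body_reflects_raw_markup(body: str, header_value: str) -> bool:
    """Return True when a response body contains the header value verbatim
    while that value carries HTML-significant characters, i.e. the server
    reflected it without escaping. Useful as a regression check in tests."""
    special = set('<>&"\'')
    if not any(ch in special for ch in header_value):
        return False  # nothing to escape, so verbatim reflection is harmless
    return header_value in body


if __name__ == "__main__":
    # Constructed sample: a Host value carrying benign markup.
    sample_host = "<i>example.test</i>"
    for escaped in (False, True):
        body = build_not_found_body(sample_host, escape_host=escaped)
        print("escaped" if escaped else "raw", body_reflects_raw_markup(body, sample_host))
```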
--- Begin Message ---
Source: twisted
Source-Version: 22.4.0-4
Done: Jochen Sprickerhof <[email protected]>
We believe that the bug you reported is fixed in the latest version of
twisted, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jochen Sprickerhof <[email protected]> (supplier of updated twisted package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Mon, 30 Jan 2023 16:12:17 +0100
Source: twisted
Architecture: source
Version: 22.4.0-4
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <[email protected]>
Changed-By: Jochen Sprickerhof <[email protected]>
Closes: 1023359 1029579
Changes:
twisted (22.4.0-4) unstable; urgency=medium
.
* Team upload.
* Add upstream patch for Python 3.11 (Closes: #1029579)
* Add upstream patch for CVE-2022-39348 (Closes: #1023359)
--- End Message ---