On Tue, Aug 09, 2016 at 06:24:40PM +1000, Brian May wrote:
> Salvatore Bonaccorso <[email protected]> writes:
>
> > Hi,
> >
> > Just a quick comment on:
> >
> > On Mon, Aug 08, 2016 at 06:29:30PM +1000, Brian May wrote:
> >> I am inclined to say that no version of twisted, by itself, has this
> >> vulnerability. However, like I said earlier, it is possible that
> >> applications that use twisted have this vulnerability.
> >
> > Looking at the upstream ticket
> > https://twistedmatrix.com/trac/ticket/8623 I suspect that Twisted
> > 16.3.1 will have something to help mitigate the issue in applications
> > that use twisted.
>
> I believe this is the upstream patch:
>
> https://github.com/twisted/twisted/commit/bcac75e6180c9eee4337322c109eb5d1cac51165
>
> Looks like it removes CGI support.
>
> Hmmm. My test was flawed, I don't think I tested CGI. I imagine the
> results would be the same however.
>
> > For Jessie, we do not plan to release any DSA related to this for
> > src:twisted. Don't know if you want to follow that on the LTS side.
>
> Yes, I tend to agree. I don't much like the idea of removing a feature in
> what is supposed to be a stable distribution.
>
> Then again, scratch that, it looks like none of the files patched exist in
> the wheezy version anyway...
>
> But there is a reference to twisted/web/twcgi.py in ./ChangeLog.Old -
> and twisted/web/twcgi.py is in the upstream git repository for the
> twisted-12.0.0 tag.
>
> Oh, I see, it looks like the source was split up for the Debian
> packaging. So the twisted-web source contains the file in question, not
> the twisted package.
Thanks for having a look! I've added twisted-web to dla-needed.txt as well
(Salvatore already updated data/CVE/list).

Cheers,
-- 
Guido
