On Wed, Jan 14, 2026 at 9:02 PM Ankur Tyagi via lists.openembedded.org <[email protected]> wrote: > > From: Ankur Tyagi <[email protected]> > > Details: https://nvd.nist.gov/vuln/detail/CVE-2024-41810 > > Signed-off-by: Ankur Tyagi <[email protected]> > --- > .../python3-twisted/CVE-2024-41810.patch | 33 +++++++++++++++++++ > .../python/python3-twisted_24.3.0.bb | 1 + > 2 files changed, 34 insertions(+) > create mode 100644 > meta-python/recipes-devtools/python/python3-twisted/CVE-2024-41810.patch > > diff --git > a/meta-python/recipes-devtools/python/python3-twisted/CVE-2024-41810.patch > b/meta-python/recipes-devtools/python/python3-twisted/CVE-2024-41810.patch > new file mode 100644 > index 0000000000..0c195be23a > --- /dev/null > +++ b/meta-python/recipes-devtools/python/python3-twisted/CVE-2024-41810.patch > @@ -0,0 +1,33 @@ > +From 50ddc840e1518edacbd8b26d246f15255bb5498e Mon Sep 17 00:00:00 2001 > +From: Adi Roiban <[email protected]> > +Date: Mon, 29 Jul 2024 14:28:03 +0100 > +Subject: [PATCH] Merge commit from fork > + > +Added HTML output encoding the "URL" parameter of the "redirectTo" function > + > +CVE: CVE-2024-41810 > +Upstream-Status: Backport > [https://github.com/twisted/twisted/commit/046a164f89a0f08d3239ecebd750360f8914df33] > +(cherry picked from commit 046a164f89a0f08d3239ecebd750360f8914df33) > +Signed-off-by: Ankur Tyagi <[email protected]> > +--- > + src/twisted/web/newsfragments/12263.bugfix | 1 + > + src/twisted/web/newsfragments/9839.bugfix | 1 +
This doesn't look correct and comparing to the original commit, is missing the fix. Please also include the changes done to the commit when backporting. > + 2 files changed, 2 insertions(+) > + create mode 100644 src/twisted/web/newsfragments/12263.bugfix > + create mode 100644 src/twisted/web/newsfragments/9839.bugfix > + > +diff --git a/src/twisted/web/newsfragments/12263.bugfix > b/src/twisted/web/newsfragments/12263.bugfix > +new file mode 100644 > +index 0000000000..b3982ca0fb > +--- /dev/null > ++++ b/src/twisted/web/newsfragments/12263.bugfix > +@@ -0,0 +1 @@ > ++twisted.web.util.redirectTo now HTML-escapes the provided URL in the > fallback response body it returns (GHSA-cf56-g6w6-pqq2). The issue is being > tracked with CVE-2024-41810. > +\ No newline at end of file > +diff --git a/src/twisted/web/newsfragments/9839.bugfix > b/src/twisted/web/newsfragments/9839.bugfix > +new file mode 100644 > +index 0000000000..1e2e7f7298 > +--- /dev/null > ++++ b/src/twisted/web/newsfragments/9839.bugfix > +@@ -0,0 +1 @@ > ++twisted.web.util.redirectTo now HTML-escapes the provided URL in the > fallback response body it returns (GHSA-cf56-g6w6-pqq2, CVE-2024-41810). > diff --git a/meta-python/recipes-devtools/python/python3-twisted_24.3.0.bb > b/meta-python/recipes-devtools/python/python3-twisted_24.3.0.bb > index 272aecb8b0..d90bdb227f 100644 > --- a/meta-python/recipes-devtools/python/python3-twisted_24.3.0.bb > +++ b/meta-python/recipes-devtools/python/python3-twisted_24.3.0.bb > @@ -9,6 +9,7 @@ LIC_FILES_CHKSUM = > "file://LICENSE;md5=c1c5d2c2493b848f83864bdedd67bbf5" > SRC_URI += " \ > file://CVE-2024-41671-0001.patch \ > file://CVE-2024-41671-0002.patch \ > + file://CVE-2024-41810.patch \ > " > > SRC_URI[sha256sum] = > "6b38b6ece7296b5e122c9eb17da2eeab3d98a198f50ca9efd00fb03e5b4fd4ae" > > >
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#123582): https://lists.openembedded.org/g/openembedded-devel/message/123582 Mute This Topic: https://lists.openembedded.org/mt/117260246/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
