Bug#930626: marked as done (twisted: CVE-2019-12855)

Your message dated Mon, 23 Mar 2020 20:57:24 + with message-id
and subject line Bug#930626: fixed in twisted 18.9.0-7
has caused the Debian Bug report #930626,
regarding twisted: CVE-2019-12855
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

-- 
930626: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930626
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Source: twisted
Version: 18.9.0-3
Severity: important
Tags: security upstream
Forwarded: https://twistedmatrix.com/trac/ticket/9561

Hi,

The following vulnerability was published for twisted.

CVE-2019-12855[0]:
| In words.protocols.jabber.xmlstream in Twisted through 19.2.1, XMPP
| support did not verify certificates when used with TLS, allowing an
| attacker to MITM connections.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-12855
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12855
[1] https://twistedmatrix.com/trac/ticket/9561
[2] https://github.com/twisted/twisted/pull/1147

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: twisted
Source-Version: 18.9.0-7
Done: Andrej Shadura

We believe that the bug you reported is fixed in the latest version of
twisted, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 930...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andrej Shadura (supplier of updated twisted package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 23 Mar 2020 20:49:21 +0100
Source: twisted
Architecture: source
Version: 18.9.0-7
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Modules Team
Changed-By: Andrej Shadura
Closes: 930389 930626 948560 953950
Changes:
 twisted (18.9.0-7) unstable; urgency=medium
 .
   [ Marc Deslauriers ]
   * SECURITY UPDATE: incorrect URI and HTTP method validation
     - debian/patches/CVE-2019-12387.patch: prevent CRLF injections in
       src/twisted/web/_newclient.py, src/twisted/web/client.py,
       src/twisted/web/test/injectionhelpers.py,
       src/twisted/web/test/test_agent.py,
       src/twisted/web/test/test_webclient.py.
     - CVE-2019-12387
     - Closes: #930389
   * SECURITY UPDATE: incorrect cert validation in XMPP support
     - debian/patches/CVE-2019-12855-*.patch: upstream patches to implement
       certificate checking.
     - CVE-2019-12855
     - Closes: #930626
   * SECURITY UPDATE: HTTP/2 denial of service issues
     - debian/patches/CVE-2019-951x.patch: buffer outbound control frames and
       timeout invalid clients in src/twisted/web/_http2.py,
       src/twisted/web/error.py, src/twisted/web/http.py,
       src/twisted/web/test/test_http.py, src/twisted/web/test/test_http2.py.
     - CVE-2019-9511
     - CVE-2019-9514
     - CVE-2019-9515
   * SECURITY UPDATE: request smuggling attacks
     - debian/patches/CVE-2020-1010x-pre1.patch: refactor to reduce
       duplication in src/twisted/web/test/test_http.py.
     - debian/patches/CVE-2020-1010x.patch: fix several request smuggling
       attacks in src/twisted/web/http.py, src/twisted/web/test/test_http.py.
     - CVE-2020-10108
     - CVE-2020-10109
     - Closes: #953950
 .
   [ Emmanuel Arias ]
   * Add patch to fix SyntaxWarning (Closes: #948560).
Checksums-Sha1:
 3c43921a889a3b58ff635de0d4380641452a2d18 3363 twisted_18.9.0-7.dsc
 7e45bebe2aa6dccd1fcdcc3b5d93a21a1395adee 41712 twisted_18.9.0-7.debian.tar.xz
Checksums-Sha256:
 b97af62d2b050c3702f88e603ae488d45618bc3a389ffb0bc8099fb52752d90b 3363 twisted_18.9.0-7.dsc
 fb428c0256ff81fc2e03815e511151a4c6f1fac7c4330b12388e7a466acdb13d 41712 twisted_18.9.0-7.debian.tar.xz
Files:
 09212cffe8e7d2f6acabc567fe2fac02 3363 python optional twisted_18.9.0-7.dsc
 1284d646560c4ca87c8979f893d02859 41712 python optional twisted_18.9.0-7.debian.tar.xz
Bug#930626: marked as done (twisted: CVE-2019-12855)

Your message dated Mon, 23 Mar 2020 20:57:36 + with message-id
and subject line Bug#930626: fixed in twisted 18.9.0-8
has caused the Debian Bug report #930626,
regarding twisted: CVE-2019-12855
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

-- 
930626: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930626
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Source: twisted
Version: 18.9.0-3
Severity: important
Tags: security upstream
Forwarded: https://twistedmatrix.com/trac/ticket/9561

Hi,

The following vulnerability was published for twisted.

CVE-2019-12855[0]:
| In words.protocols.jabber.xmlstream in Twisted through 19.2.1, XMPP
| support did not verify certificates when used with TLS, allowing an
| attacker to MITM connections.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-12855
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12855
[1] https://twistedmatrix.com/trac/ticket/9561
[2] https://github.com/twisted/twisted/pull/1147

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: twisted
Source-Version: 18.9.0-8
Done: Andrej Shadura

We believe that the bug you reported is fixed in the latest version of
twisted, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 930...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andrej Shadura (supplier of updated twisted package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 23 Mar 2020 21:14:09 +0100
Source: twisted
Architecture: source
Version: 18.9.0-8
Distribution: unstable
Urgency: high
Maintainer: Debian Python Modules Team
Changed-By: Andrej Shadura
Closes: 930389 930626 948560 953950
Changes:
 twisted (18.9.0-8) unstable; urgency=high
 .
   * A no-change upload to set urgency to high since the upload fixes
     security issues.
 .
 twisted (18.9.0-7) unstable; urgency=medium
 .
   [ Marc Deslauriers ]
   * SECURITY UPDATE: incorrect URI and HTTP method validation
     - debian/patches/CVE-2019-12387.patch: prevent CRLF injections in
       src/twisted/web/_newclient.py, src/twisted/web/client.py,
       src/twisted/web/test/injectionhelpers.py,
       src/twisted/web/test/test_agent.py,
       src/twisted/web/test/test_webclient.py.
     - CVE-2019-12387
     - Closes: #930389
   * SECURITY UPDATE: incorrect cert validation in XMPP support
     - debian/patches/CVE-2019-12855-*.patch: upstream patches to implement
       certificate checking.
     - CVE-2019-12855
     - Closes: #930626
   * SECURITY UPDATE: HTTP/2 denial of service issues
     - debian/patches/CVE-2019-951x.patch: buffer outbound control frames and
       timeout invalid clients in src/twisted/web/_http2.py,
       src/twisted/web/error.py, src/twisted/web/http.py,
       src/twisted/web/test/test_http.py, src/twisted/web/test/test_http2.py.
     - CVE-2019-9511
     - CVE-2019-9514
     - CVE-2019-9515
   * SECURITY UPDATE: request smuggling attacks
     - debian/patches/CVE-2020-1010x-pre1.patch: refactor to reduce
       duplication in src/twisted/web/test/test_http.py.
     - debian/patches/CVE-2020-1010x.patch: fix several request smuggling
       attacks in src/twisted/web/http.py, src/twisted/web/test/test_http.py.
     - CVE-2020-10108
     - CVE-2020-10109
     - Closes: #953950
 .
   [ Emmanuel Arias ]
   * Add patch to fix SyntaxWarning (Closes: #948560).
 .
   [ Moritz Muehlenhoff ]
   * Remove Suggests on python-gtk2/python-glade2, which is being removed.
Checksums-Sha1:
 240d4f043a58ca6a557561a43364f61ff57324cd 3363 twisted_18.9.0-8.dsc
 1919f66c3d525e6b0e94b07bf8a419c208d5270c 41776 twisted_18.9.0-8.debian.tar.xz
Checksums-Sha256:
 53083bd6a882bc1dc919b9fed4647c4d9d9356aea18cbdc5ec0de280dea09d3d 3363 twisted_18.9.0-8.dsc
 820329295f00727ed2aed992adc841c13adf8d54425bfbb04a37941d344fc9ba 41776 twisted_18.9.0-8.debian.tar.xz
Files:
 03a3587d903c592ad422874ee88eb66d 3363 python