#33836: Require Twisted 20.3.0 in gettor's requirements.txt
-------------------------------------+--------------------
     Reporter:  teor                 |      Owner:  (none)
         Type:  defect               |     Status:  new
     Priority:  Medium               |  Milestone:
    Component:  Applications/GetTor  |    Version:
     Severity:  Normal               |   Keywords:
Actual Points:                       |  Parent ID:
       Points:                       |   Reviewer:
      Sponsor:                       |
-------------------------------------+--------------------
 Twisted has an HTTP request splitting vulnerability, GetTor is probably
 affected.

 Please update your requirements.txt to depend on Twisted 20.3.0 or later.
 (And any downstream packages.)

 The GitHub alert is:
 https://github.com/torproject/gettor/network/alert/requirements.txt/Twisted/open

 The relevant CVEs are:
 CVE-2020-10108 https://github.com/advisories/GHSA-h96w-mmrf-2h6v
 CVE-2020-10109 https://github.com/advisories/GHSA-p5xh-vx83-mxcj

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/33836>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
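
A check for the fix requested in the ticket, as an added example that is not part of the ticket or of GetTor's code: it scans a requirements file and flags every Twisted requirement that does not force 20.3.0 or later. The function names and the sample file contents are constructed for illustration.

```python
import re

MIN_SAFE = (20, 3, 0)  # minimum Twisted version requested in the ticket

# name, optional [extras], then the version specifiers up to any ';' marker
_REQ = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[[^\]]*\])?\s*([^;]*)")
_SPEC = re.compile(r"(===|==|>=|<=|~=|!=|>|<)\s*([0-9]+(?:\.[0-9]+)*)")

def _ver(text):
    """'20.3' -> (20, 3, 0). Pre-release suffixes are ignored (assumption)."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def enforces_fix(spec):
    """True only if some clause sets a lower bound at or above MIN_SAFE.

    Conservative: wildcards such as '==20.*' and unpinned requirements
    are reported as not enforcing the fix.
    """
    return any(op in (">=", ">", "==", "===", "~=") and _ver(ver) >= MIN_SAFE
               for op, ver in _SPEC.findall(spec))

def check_requirements(text):
    """Return (line_number, requirement, verdict) for each Twisted entry."""
    findings = []
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()       # drop comments
        if not line or line.startswith("-"):      # skip blanks and pip options
            continue
        match = _REQ.match(line)
        # Package names compare case-insensitively, with -, _ and . equivalent.
        if not match or re.sub(r"[-_.]+", "-", match.group(1)).lower() != "twisted":
            continue
        verdict = "ok" if enforces_fix(match.group(3)) else "admits < 20.3.0"
        findings.append((number, line, verdict))
    return findings

# Constructed sample, not GetTor's actual requirements.txt.
SAMPLE = """\
# constructed sample
service-identity==18.1.0
Twisted==19.10.0
twisted[tls]>=18.9.0,<21   # extras and a range
Twisted>=20.3.0
"""

if __name__ == "__main__":
    for number, line, verdict in check_requirements(SAMPLE):
        print(f"line {number}: {line!r}: {verdict}")
```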