twisted has just released a vulnerability report: https://github.com/twisted/twisted/security/advisories/GHSA-c8m8-j448-xjx7
which says "The HTTP 1.0 and 1.1 server provided by twisted.web could process pipelined HTTP requests out-of-order, possibly resulting in information disclosure."

twisted upstream says they aren't making a patch release with just the fix on top of the previous stable, but instead are going through an RC process with other accumulated changes: https://github.com/twisted/twisted/issues/12271 which will probably take another 5 days. More importantly, it's going to be awkward for packaging systems which want security bugfixes and not new features.

(I'm not running any tahoe servers this minute, so this is just me asking questions in the hopes it is useful.)

- Is tahoe affected by this pipelining bug, or rather are tahoe installations in practice configured in such a way that there could be problems?
- It seems the world is moving from twisted to regular async, and I wonder if there is any long-term plan for that.

_______________________________________________
tahoe-dev mailing list
tahoe-dev@lists.tahoe-lafs.org
https://lists.tahoe-lafs.org/mailman/listinfo/tahoe-dev
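To make the advisory's "out-of-order" wording concrete, here is an added example (not code from the post, from Twisted or from Tahoe-LAFS) that models the bug class in plain asyncio: two requests arrive pipelined in one read, the handler for the first one is slower than the second, and a server that writes each response as soon as its handler finishes hands the client the responses in the wrong order. The same handlers run under a sequencer that awaits them in request order produce the correct pairing. The request bytes, the per-path delays and the handler are constructed for the demo; the `split_pipelined` parser assumes Content-Length framing only (no chunked bodies) and is not Twisted's HTTP parser.

```python
import asyncio
import re

# Constructed sample: two pipelined HTTP/1.1 requests delivered in a single read.
SAMPLE = (
    b"GET /slow HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
    b"POST /fast HTTP/1.1\r\nHost: example.invalid\r\nContent-Length: 5\r\n\r\nhello"
)

REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]$")

# Constructed per-path delays so that completion order differs from request order.
DELAYS = {"/slow": 0.05, "/fast": 0.0}


def split_pipelined(buf):
    """Split a buffer holding back-to-back HTTP/1.x requests into dicts.

    Only Content-Length framing is handled (assumption for this demo).
    """
    requests = []
    while buf:
        head_end = buf.find(b"\r\n\r\n")
        if head_end < 0:
            raise ValueError("incomplete request head")
        lines = buf[:head_end].split(b"\r\n")
        m = REQUEST_LINE.match(lines[0])
        if m is None:
            raise ValueError("bad request line: %r" % lines[0])
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(b":")
            headers[name.strip().lower()] = value.strip()
        length = int(headers.get(b"content-length", b"0"))
        body_start = head_end + 4
        body = buf[body_start:body_start + length]
        if len(body) < length:
            raise ValueError("incomplete body")
        requests.append({
            "method": m.group(1).decode(),
            "target": m.group(2).decode(),
            "headers": headers,
            "body": body,
        })
        buf = buf[body_start + length:]
    return requests


async def handle(req):
    """Constructed handler: simulates per-resource work and tags its response."""
    await asyncio.sleep(DELAYS.get(req["target"], 0))
    return {"for": req["target"], "status": 200, "body": b"response for " + req["target"].encode()}


async def respond_in_completion_order(requests):
    """Model of the bug class: each response is written as soon as its handler finishes,
    so the client sees responses paired with the wrong requests."""
    tasks = [asyncio.create_task(handle(r)) for r in requests]
    return [await fut for fut in asyncio.as_completed(tasks)]


async def respond_in_request_order(requests):
    """Correct behaviour: handlers may run concurrently, but responses are
    emitted strictly in the order the requests arrived."""
    tasks = [asyncio.create_task(handle(r)) for r in requests]
    return [await t for t in tasks]


def order_preserved(requests, responses):
    """Check that the i-th response answers the i-th request."""
    return len(requests) == len(responses) and all(
        r["target"] == resp["for"] for r, resp in zip(requests, responses)
    )


def demo():
    """Returns (order_ok_for_buggy_server, order_ok_for_correct_server)."""
    reqs = split_pipelined(SAMPLE)
    buggy = asyncio.run(respond_in_completion_order(reqs))
    correct = asyncio.run(respond_in_request_order(reqs))
    return order_preserved(reqs, buggy), order_preserved(reqs, correct)


if __name__ == "__main__":
    print(demo())  # -> (False, True)
```

The point the check makes is that pipelining is a property of the byte stream, not of the handlers: concurrency inside the server is fine as long as the write side is sequenced by arrival order, which is what the second sequencer does and the first does not.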