Advisories » MGASA-2022-0168

Updated python-twisted packages fix security vulnerability

Publication date: 12 May 2022
Type: security
Affected Mageia releases: 8
CVE: CVE-2022-21712, CVE-2022-21716


CVE-2022-21712: It was discovered that Twisted incorrectly filtered HTTP
headers when clients are being redirected to another origin. A remote
attacker could use this issue to obtain sensitive information.
CVE-2022-21716: It was discovered that Twisted incorrectly processed SSH
handshake data on connection establishments. A remote attacker could use
this issue to cause Twisted to crash, resulting in a denial of service.

The Twisted SSH client and server implementation naively accepted an
infinite amount of data for the peer's SSH version identifier.
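
A bounded reader for the peer's version identifier, as an added example that is not Twisted's code or its actual fix: the 255-byte line limit comes from RFC 4253 section 4.2, while `VersionReader`, `IdentTooLong` and the 4096-byte preamble cap are assumptions made for illustration.

```python
# Added example: stand-alone sketch, not Twisted's implementation.
MAX_IDENT_LINE = 255        # RFC 4253 section 4.2: limit includes CR LF
MAX_PREAMBLE_BYTES = 4096   # assumption: local cap on lines sent before "SSH-"


class IdentTooLong(Exception):
    """Peer sent more data than allowed before completing its identifier."""


class VersionReader:
    """Accumulates handshake bytes until the 'SSH-' identifier line arrives."""

    def __init__(self):
        self._buf = b""
        self._consumed = 0      # bytes of complete non-SSH lines discarded
        self.version = None     # identifier line without its line ending
        self.leftover = b""     # bytes after the identifier (first packet)

    def feed(self, data: bytes) -> bool:
        """Return True once the identifier is complete; raise IdentTooLong."""
        if self.version is not None:
            self.leftover += data
            return True
        self._buf += data
        while True:
            line, sep, rest = self._buf.partition(b"\n")
            if not sep:
                # No newline yet: a partial line must not outgrow the limit,
                # otherwise a peer could make us buffer without bound.
                if len(self._buf) >= MAX_IDENT_LINE:
                    raise IdentTooLong("unterminated line exceeds 255 bytes")
                return False
            if len(line) + 1 > MAX_IDENT_LINE:
                raise IdentTooLong("line exceeds 255 bytes")
            if line.startswith(b"SSH-"):
                self.version = line.rstrip(b"\r")
                self.leftover = rest
                self._buf = b""
                return True
            # Preamble line (permitted before the identifier): drop and count.
            self._consumed += len(line) + 1
            if self._consumed > MAX_PREAMBLE_BYTES:
                raise IdentTooLong("too much data before identifier")
            self._buf = rest
```

A caller would close the connection on `IdentTooLong` instead of continuing to read.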

GHSA-c2jg-hw38-jrqq and CVE-2022-24801: The Twisted Web HTTP 1.1 server,
located in the twisted.web.http module, parsed several HTTP request
constructs more leniently than permitted by RFC 7230.

GHSA-92x2-jw7w-xvvx: twisted.web.client.getPage,
twisted.web.client.downloadPage, and the associated implementation classes
(HTTPPageGetter, HTTPPageDownloader, HTTPClientFactory, HTTPDownloader)
have been removed because they do not segregate cookies by domain. They
were deprecated in Twisted 16.7.0 in favor of twisted.web.client.Agent.