- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3970-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Sylvain Beucler
November 28, 2024                             https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : twisted
Version        : 20.3.0-7+deb11u2
CVE ID         : CVE-2022-39348 CVE-2023-46137 CVE-2024-41671 CVE-2024-41810
Debian Bug     : 1023359 1054913 1077679 1077680

Multiple security issues were found in Twisted, an event-based framework
for internet applications, which could result in incorrect ordering of
HTTP requests or cross-site scripting.

CVE-2022-39348

    When the host header does not match a configured host
    `twisted.web.vhost.NameVirtualHost` will return a `NoResource`
    resource which renders the Host header unescaped into the 404
    response allowing HTML and script injection. In practice this
    should be very difficult to exploit as being able to modify the
    Host header of a normal HTTP request implies that one is already
    in a privileged position.

CVE-2023-46137

    When sending multiple HTTP requests in one TCP packet, twisted.web
    will process the requests asynchronously without guaranteeing the
    response order. If one of the endpoints is controlled by an
    attacker, the attacker can delay the response on purpose to
    manipulate the response of the second request when a victim
    launched two requests using HTTP pipeline.

CVE-2024-41671

    The HTTP 1.0 and 1.1 server provided by twisted.web could process
    pipelined HTTP requests out-of-order, possibly resulting in
    information disclosure.

CVE-2024-41810

    The `twisted.web.util.redirectTo` function contains an HTML
    injection vulnerability. If application code allows an attacker to
    control the redirect URL this vulnerability may result in
    Reflected Cross-Site Scripting (XSS) in the redirect response HTML
    body.

For Debian 11 bullseye, these problems have been fixed in version
20.3.0-7+deb11u2.

We recommend that you upgrade your twisted packages.

For the detailed security status of twisted please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/twisted

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

Debian LTS: DLA-3970-1: twisted Security Advisory Updates

November 28, 2024
Multiple security issues were found in Twisted, an event-based framework for internet applications, which could result in incorrect ordering of HTTP requests or cross-site scriptin...

Summary

CVE-2022-39348

When the host header does not match a configured host
`twisted.web.vhost.NameVirtualHost` will return a `NoResource`
resource which renders the Host header unescaped into the 404
response allowing HTML and script injection. In practice this
should be very difficult to exploit as being able to modify the
Host header of a normal HTTP request implies that one is already
in a privileged position.

CVE-2023-46137

When sending multiple HTTP requests in one TCP packet, twisted.web
will process the requests asynchronously without guaranteeing the
response order. If one of the endpoints is controlled by an
attacker, the attacker can delay the response on purpose to
manipulate the response of the second request when a victim
launched two requests using HTTP pipeline.

CVE-2024-41671

The HTTP 1.0 and 1.1 server provided by twisted.web could process
pipelined HTTP requests out-of-order, possibly resulting in
information disclosure.

CVE-2...

Read the Full Advisory


Severity
Package : twisted
Version : 20.3.0-7+deb11u2
CVE ID : CVE-2022-39348 CVE-2023-46137 CVE-2024-41671 CVE-2024-41810
Debian Bug : 1023359 1054913 1077679 1077680

Related News

Linux 6.11 EOL: Upgrade to 6.12 for Security and Performance Benefits
3 - 5 min read
The Linux kernel community recently issued an EOL announcement regarding the 6.11 kernel series, urging sysadmins to upgrade quickly to 6.12 . This
A Linux Admin
3 - 6 min read
As 2025 approaches, we Linux admins are facing new and often unseen cloud-native security obstacles. While skilled at mitigating known risks,
Census III Report: Key Strategies for Linux Security Enhancement
3 - 5 min read
The Linux Foundation's recent Census III report provides critical insights for Linux administrators, information security professionals, and anyone
Chrome 131 Released: Emergency Security Update Fixes Over a Dozen Significant Vulns
3 - 6 min read
Google recently unveiled a critical security update to their popular web browser, Google Chrome, addressing over a dozen significant security
Qt 6.8.1: Essential Fixes for Wayland and Security Issues
3 - 6 min read
The recent Qt 6.8.1 release brings significant updates and improvements, strengthening its reputation as a secure and reliable application
Arch Linux 2024.12.01: Improved Hardware Support and Security Features
3 - 6 min read
The Arch Linux 2024.12.01 ISO release marks an impressive milestone, offering cutting-edge updates that enhance functionality, streamline
Linux Kernel 6.13: Security Updates Enhance System Resilience
3 - 5 min read
As Linux admins and infosec professionals prepare for the holiday season, there's much cause for celebration this year! Linus Torvalds recently made
Protect Linux Systems from Bootkitty: UEFI Bootkit Defense Strategies
3 - 5 min read
New Linux security threats mark critical junctures that challenge existing policies and test security protocols to their limit. One such milestone

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved