tech-pkg archive


py-twisted vulnerability: anyone up for backporting



twisted has just released a vulnerability report:

  https://github.com/twisted/twisted/security/advisories/GHSA-c8m8-j448-xjx7

which says

  "The HTTP 1.0 and 1.1 server provided by twisted.web could process
  pipelined HTTP requests out-of-order, possibly resulting in
  information disclosure."

I found out about this because matrix-synapse uses twisted, but it seems
that using nginx as a reverse proxy doesn't enable this attack because
it won't ever pipeline upstream requests.  But, probably it's a problem
someplace else; the history of vulns says that it's always worse than
you think.

tahoe-lafs also uses twisted (but I'm not running that).

twisted upstream appears troubled in that they aren't making a patch
release with just the fix on top of the previous stable, but instead are
going through an RC process with other accumulated changes:

  https://github.com/twisted/twisted/issues/12271

which will probably take another 5 days.

This situation seems well short of the justification needed to package
an RC (consider this a pre-emptive objection :-).

Also, this should be fixed on 2024Q2; pulling up a minor release seems
unwise.

It seems like this is the commit with the fix:

  https://github.com/twisted/twisted/commit/4a930de12fb67e88fefcb8822104152f42b27abc

Is anybody up for adding that as a patch, testing, committing, waiting a
few days, and submitting a pullup?
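Since the advisory only matters for a client that actually pipelines (a reverse proxy such as nginx does not pipeline to its upstream, so any test has to talk to the twisted.web listener directly), a small probe that does pipeline is a useful check. What follows is an added example, not code from this post, from Twisted or from the advisory: it writes several GET requests to one connection before reading anything, parses the replies, and reports the order in which the server answered. It assumes the target reflects the requested path somewhere in each response body (that is how a reordered reply is recognised) and that replies are framed with Content-Length rather than chunked encoding. The bundled echo server is a stand-in built on Python's http.server so the probe can be run offline; it is not twisted.web and says nothing about how twisted.web behaves.

```python
"""Probe whether an HTTP/1.1 server answers pipelined requests in the order
they were sent. Added example; not code from the post or from Twisted."""
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def build_pipelined_requests(host, paths):
    """Concatenate one GET per path into a single buffer so that every
    request is on the wire before any response is read (pipelining)."""
    return b"".join(
        f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: keep-alive\r\n\r\n".encode()
        for path in paths
    )


def split_responses(raw):
    """Split a stream of Content-Length-framed HTTP/1.1 responses into
    (status_code, body) tuples. Returns (parsed, leftover); leftover holds an
    incomplete trailing response, if any. Chunked transfer encoding is
    deliberately not handled (assumption: probe targets use Content-Length)."""
    parsed = []
    while True:
        head_end = raw.find(b"\r\n\r\n")
        if head_end < 0:
            return parsed, raw  # head not complete yet
        head = raw[:head_end].decode("iso-8859-1").split("\r\n")
        status = int(head[0].split(" ", 2)[1])
        length = 0
        for line in head[1:]:
            name, _, value = line.partition(":")
            if name.strip().lower() == "content-length":
                length = int(value.strip())
        body_start = head_end + 4
        if len(raw) < body_start + length:
            return parsed, raw  # body not complete yet
        parsed.append((status, raw[body_start:body_start + length]))
        raw = raw[body_start + length:]


def probe_pipelining(host, port, paths, timeout=5.0):
    """Send every request in one write and return the request paths in the
    order the server actually answered them. Each response body is expected
    to reflect the path it belongs to; None marks a response whose body
    matched none of the requested paths."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_pipelined_requests(host, paths))
        buf, responses = b"", []
        while len(responses) < len(paths):
            chunk = sock.recv(65536)
            if not chunk:
                break  # server closed early; report what we have
            buf += chunk
            parsed, buf = split_responses(buf)
            responses.extend(parsed)
    order = []
    for _status, body in responses:
        # longest match, so /probe/1 is not mistaken for /probe/10
        matches = [p for p in paths if p.encode() in body]
        order.append(max(matches, key=len) if matches else None)
    return order


class EchoPathHandler(BaseHTTPRequestHandler):
    """Stand-in server for offline runs (assumption: not twisted.web).
    Echoes the request path so a reordered reply would be visible."""
    protocol_version = "HTTP/1.1"

    def do_GET(self):
        body = f"you asked for {self.path}\n".encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_echo_server():
    """Start the stand-in server on an ephemeral loopback port."""
    server = HTTPServer(("127.0.0.1", 0), EchoPathHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def main():
    server = start_echo_server()
    try:
        paths = [f"/probe/{i}" for i in range(12)]
        order = probe_pipelining("127.0.0.1", server.server_address[1], paths)
        print("request order :", paths)
        print("response order:", order)
        print("in order" if order == paths else "OUT OF ORDER")
    finally:
        server.shutdown()


if __name__ == "__main__":
    main()
```

To check a real deployment, point probe_pipelining at the port twisted.web itself listens on, not at the nginx front end, and give it paths whose responses can be told apart; a result that is not the request order, or that contains None, is worth a closer look. A clean result on one run is not proof of absence: an ordering problem may depend on timing, so run it several times and with more requests than the twelve used here.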

