{"id":"MGASA-2022-0168","summary":"Updated python-twisted packages fix security vulnerability","details":"CVE-2022-21712: It was discovered that Twisted incorrectly filtered HTTP\nheaders when clients are being redirected to another origin. A remote\nattacker could use this issue to obtain sensitive information.\nCVE-2022-21716: It was discovered that Twisted incorrectly processed SSH\nhandshake data on connection establishments. A remote attacker could use\nthis issue to cause Twisted to crash, resulting in a denial of service.\n\nGHSA-rv6r-3f5q-9rgx\nThe Twisted SSH client and server implementation naively accepted an\ninfinite amount of data for the peer's SSH version identifier.\n\nGHSA-c2jg-hw38-jrqq and CVE-2022-24801\nThe Twisted Web HTTP 1.1 server, located in the twisted.web.http module,\nparsed several HTTP request constructs more leniently than permitted by\nRFC 7230\n\nGHSA-92x2-jw7w-xvvx: twisted.web.client.getPage,\ntwisted.web.client.downladPage, and the associated implementation classes\n(HTTPPageGetter, HTTPPageDownloader, HTTPClientFactory, HTTPDownloader)\nhave been removed because they do not segregate cookies by domain. They\nwere deprecated in Twisted 16.7.0 in favor of twisted.web.client.Agent.\n","modified":"2026-04-16T00:11:11.831174921Z","published":"2022-05-12T10:24:45Z","upstream":["CVE-2022-21712","CVE-2022-21716"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2022-0168.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=30067"},{"type":"WEB","url":"https://lists.suse.com/pipermail/sle-security-updates/2022-February/010263.html"},{"type":"WEB","url":"https://www.debian.org/lts/security/2022/dla-2927"},{"type":"WEB","url":"https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/233XDDM6URC3DPBBAKQV2AZQY6TBXJRV/"},{"type":"WEB","url":"https://www.debian.org/lts/security/2022/dla-2938"},{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-5354-1"},{"type":"WEB","url":"https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/HJFVJUKPT7GYOWBWGQSIVM3OEHKOEVVJ/"}],"affected":[{"package":{"name":"python-automat","ecosystem":"Mageia:8","purl":"pkg:rpm/mageia/python-automat?arch=source&distro=mageia-8"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.8.0-1.mga8"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2022-0168.json"}},{"package":{"name":"python-incremental","ecosystem":"Mageia:8","purl":"pkg:rpm/mageia/python-incremental?arch=source&distro=mageia-8"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"21.3.0-1.mga8"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2022-0168.json"}},{"package":{"name":"python-twisted","ecosystem":"Mageia:8","purl":"pkg:rpm/mageia/python-twisted?arch=source&distro=mageia-8"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"22.4.0-1.mga8"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2022-0168.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}