svn commit: r532266 - head/security/vuxml

Danilo G. Baio dbaio at FreeBSD.org
Tue Apr 21 12:25:02 UTC 2020 

Author: dbaio
Date: Tue Apr 21 12:25:01 2020
New Revision: 532266
URL: https://svnweb.freebsd.org/changeset/ports/532266

Log:
  security/vuxml: Document devel/py-twisted vulnerabilities
  
  PR:		245252
  Submitted by:	Sascha Biberhofer <ports at skyforge.at>
  Reported by:	contact at evilham.com

Modified:
  head/security/vuxml/vuln.xml

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Tue Apr 21 12:05:23 2020	(r532265)
+++ head/security/vuxml/vuln.xml	Tue Apr 21 12:25:01 2020	(r532266)
@@ -58,6 +58,59 @@ Notes:
   * Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+  <vuln vid="9fbaefb3-837e-11ea-b5b4-641c67a117d8">
+    <topic>py-twisted -- multiple vulnerabilities</topic>
+    <affects>
+      <package>
+	<name>py27-twisted</name>
+	<name>py35-twisted</name>
+	<name>py36-twisted</name>
+	<name>py37-twisted</name>
+	<name>py38-twisted</name>
+	<range><lt>20.3.0</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>Twisted developers reports:</p>
+	<blockquote cite="https://github.com/twisted/twisted/blob/twisted-20.3.0/NEWS.rst">
+	<p>All HTTP clients in twisted.web.client now raise a ValueError when
+	called with a method and/or URL that contain invalid characters. This
+	mitigates CVE-2019-12387. Thanks to Alex Brasetvik for reporting this
+	vulnerability.</p>
+	<p>The HTTP/2 server implementation now enforces TCP flow control on
+	control frame messages and times out clients that send invalid data
+	without reading responses. This closes CVE-2019-9512 (Ping Flood),
+	CVE-2019-9514 (Reset Flood), and CVE-2019-9515 (Settings Flood). Thanks
+	to Jonathan Looney and Piotr Sikora.</p>
+	<p>twisted.web.http was subject to several request smuggling attacks.
+	Requests with multiple Content-Length headers were allowed
+	(CVE-2020-10108, thanks to Jake Miller from Bishop Fox and ZeddYu Lu
+	for reporting this) and now fail with a 400; requests with a
+	Content-Length header and a Transfer-Encoding header honored the first
+	header (CVE-2020-10109, thanks to Jake Miller from Bishop Fox for
+	reporting this) and now fail with a 400; requests whose
+	Transfer-Encoding header had a value other than "chunked" and
+	"identity" (thanks to ZeddYu Lu) were allowed and now fail with a 400.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <url>https://github.com/twisted/twisted/blob/twisted-20.3.0/NEWS.rst</url>
+      <cvename>CVE-2019-12387</cvename>
+      <cvename>CVE-2019-9512</cvename>
+      <cvename>CVE-2019-9514</cvename>
+      <cvename>CVE-2019-9515</cvename>
+      <cvename>CVE-2020-10108</cvename>
+      <cvename>CVE-2020-10109</cvename>
+      <freebsdpr>ports/245252</freebsdpr>
+    </references>
+    <dates>
+      <discovery>2019-03-01</discovery>
+      <entry>2020-04-21</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="3d7dfd63-823b-11ea-b3a8-240a644dd835">
     <topic>Client/server denial of service when handling AES-CTR ciphers</topic>
     <affects>

More information about the svn-ports-all mailing list