ELA-896-1 twisted security update
Package : twisted
Version : 14.0.2-3+deb8u6 (jessie), 16.6.0-2+deb9u4 (stretch)
Related CVEs :
Multiple vulnerabilities were discovered in Twisted, an event-based framework for internet applications written in Python. An attacker may perform HTTP request smuggling, man-in-the-middle (MITM) interception of communications and cross-site scripting (XSS).
twisted.web did not validate or sanitize URIs or HTTP methods, allowing an attacker to inject invalid characters such as carriage return and line feed (CRLF) into the request line, which can be used to smuggle additional headers or requests.
In twisted.words.protocols.jabber.xmlstream in Twisted through 19.2.1, XMPP support did not verify server certificates when TLS was used, allowing an attacker to intercept (MITM) connections.
When the Host header does not match a configured host, twisted.web.vhost.NameVirtualHost returns a NoResource resource that renders the Host header unescaped into the 404 response, allowing HTML and script injection. In practice this should be very difficult to exploit, as being able to modify the Host header of a normal HTTP request implies that one is already in a privileged position.
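The following is an added illustration of the two twisted.web issues above (CRLF injection into the request line, and the unescaped Host header in the 404 page); it is not code from Twisted or from Debian. The helper names (validate_method, validate_request_target, build_request_line, render_not_found and friends) are hypothetical, the HTML template is a rough stand-in for the NoResource page, and the inputs in the usage section are constructed for the example. The "_unchecked"/"_unescaped" functions reproduce the unsafe pattern; the others show the hardened form.

```python
import html
import re

# Added example, not Twisted's or Debian's code. Helper names are hypothetical.

# RFC 7230 "token" characters: the only bytes permitted in an HTTP method.
_TOKEN_RE = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

# A request-target may not contain NUL, other control bytes (including CR and
# LF), space, DEL, or raw non-ASCII (which must be percent-encoded). Any of
# these would let an attacker end the request line early and append headers
# or a second request, i.e. request smuggling.
_CTL_OR_SPACE_RE = re.compile(rb"[\x00-\x20\x7f-\xff]")


def validate_method(method: bytes) -> bool:
    """Return True if *method* is a syntactically valid HTTP method token."""
    return _TOKEN_RE.fullmatch(method) is not None


def validate_request_target(target: bytes) -> bool:
    """Return True if *target* is non-empty and free of control bytes/whitespace."""
    return bool(target) and _CTL_OR_SPACE_RE.search(target) is None


def build_request_line_unchecked(method: bytes, target: bytes) -> bytes:
    """Unsafe pattern: caller-controlled values are copied into the line as-is."""
    return b"%s %s HTTP/1.1\r\n" % (method, target)


def build_request_line(method: bytes, target: bytes) -> bytes:
    """Hardened form: reject any method or target that could split the line."""
    if not validate_method(method):
        raise ValueError("invalid HTTP method: %r" % (method,))
    if not validate_request_target(target):
        raise ValueError("invalid request-target: %r" % (target,))
    return build_request_line_unchecked(method, target)


def request_line_rejected(method: bytes, target: bytes) -> bool:
    """True if the hardened builder refuses this method/target pair."""
    try:
        build_request_line(method, target)
    except ValueError:
        return True
    return False


def count_request_lines(raw: bytes) -> int:
    """Number of CRLF-terminated lines in what was meant to be one request line."""
    return raw.count(b"\r\n")


# Rough stand-in for the body of a "no such resource" 404 page that echoes
# the Host header back to the client.
_NOT_FOUND_TEMPLATE = (
    "<html><head><title>No Such Resource</title></head>"
    "<body><h1>No Such Resource</h1>"
    "<p>host %s not in vhost config</p></body></html>"
)


def render_not_found_unescaped(host: bytes) -> bytes:
    """Vulnerable pattern: the Host header value is interpolated verbatim."""
    return (_NOT_FOUND_TEMPLATE % host.decode("latin-1")).encode("utf-8")


def render_not_found(host: bytes) -> bytes:
    """Hardened form: HTML-escape the attacker-controlled Host header first."""
    safe = html.escape(host.decode("latin-1"), quote=True)
    return (_NOT_FOUND_TEMPLATE % safe).encode("utf-8")


if __name__ == "__main__":
    # Constructed inputs: a target that smuggles an extra header, and a Host
    # header carrying a script tag.
    smuggle = b"/a HTTP/1.1\r\nX-Injected: 1\r\n"
    print("unchecked lines:", count_request_lines(build_request_line_unchecked(b"GET", smuggle)))
    print("hardened rejects:", request_line_rejected(b"GET", smuggle))
    evil_host = b"<script>alert(1)</script>"
    print(render_not_found_unescaped(evil_host).decode())
    print(render_not_found(evil_host).decode())
```

Run the file directly to see the smuggled request line expand to three CRLF-terminated lines while the hardened builder refuses it, and the script tag survive in the unescaped 404 body but come out as entity-encoded text in the escaped one. The validation is deliberately done on bytes, since that is what arrives on the wire and a str-level check can be bypassed by odd encodings.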
A twisted security update has been released for Debian GNU/Linux 8 and 9 Extended LTS to address multiple vulnerabilities.