Date: Tue, 21 Apr 2020 12:25:01 +0000 (UTC)
From: "Danilo G. Baio" <dbaio@FreeBSD.org>
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r532266 - head/security/vuxml
Message-ID: <202004211225.03LCP1PU020965@repo.freebsd.org>
Author: dbaio Date: Tue Apr 21 12:25:01 2020 New Revision: 532266 URL: https://svnweb.freebsd.org/changeset/ports/532266 Log: security/vuxml: Document devel/py-twisted vulnerabilities PR: 245252 Submitted by: Sascha Biberhofer <ports@skyforge.at> Reported by: contact@evilham.com Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Tue Apr 21 12:05:23 2020 (r532265) +++ head/security/vuxml/vuln.xml Tue Apr 21 12:25:01 2020 (r532266) 
@@ -58,6 +58,59 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="9fbaefb3-837e-11ea-b5b4-641c67a117d8"> + <topic>py-twisted -- multiple vulnerabilities</topic> + <affects> + <package> + <name>py27-twisted</name> + <name>py35-twisted</name> + <name>py36-twisted</name> + <name>py37-twisted</name> + <name>py38-twisted</name> + <range><lt>20.3.0</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Twisted developers reports:</p> + <blockquote cite="https://github.com/twisted/twisted/blob/twisted-20.3.0/NEWS.rst"> + <p>All HTTP clients in twisted.web.client now raise a ValueError when + called with a method and/or URL that contain invalid characters. This + mitigates CVE-2019-12387. Thanks to Alex Brasetvik for reporting this + vulnerability.</p> + <p>The HTTP/2 server implementation now enforces TCP flow control on + control frame messages and times out clients that send invalid data + without reading responses. This closes CVE-2019-9512 (Ping Flood), + CVE-2019-9514 (Reset Flood), and CVE-2019-9515 (Settings Flood). Thanks + to Jonathan Looney and Piotr Sikora.</p> + <p>twisted.web.http was subject to several request smuggling attacks. 
+ Requests with multiple Content-Length headers were allowed + (CVE-2020-10108, thanks to Jake Miller from Bishop Fox and ZeddYu Lu + for reporting this) and now fail with a 400; requests with a + Content-Length header and a Transfer-Encoding header honored the first + header (CVE-2020-10109, thanks to Jake Miller from Bishop Fox for + reporting this) and now fail with a 400; requests whose + Transfer-Encoding header had a value other than "chunked" and + "identity" (thanks to ZeddYu Lu) were allowed and now fail with a 400.</p> + </blockquote> + </body> + </description> + <references> + <url>https://github.com/twisted/twisted/blob/twisted-20.3.0/NEWS.rst</url> + <cvename>CVE-2019-12387</cvename> + <cvename>CVE-2019-9512</cvename> + <cvename>CVE-2019-9514</cvename> + <cvename>CVE-2019-9515</cvename> + <cvename>CVE-2020-10108</cvename> + <cvename>CVE-2020-10109</cvename> + <freebsdpr>ports/245252</freebsdpr> + </references> + <dates> + <discovery>2019-03-01</discovery> + <entry>2020-04-21</entry> + </dates> + </vuln> + <vuln vid="3d7dfd63-823b-11ea-b3a8-240a644dd835"> <topic>Client/server denial of service when handling AES-CTR ciphers</topic> <affects>
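Review bot: the single <range><lt>20.3.0</lt></range> in the <affects> block is applied to all six CVEs at once, although the quoted NEWS.rst text is a sequence of separate items; worth confirming against the release notes that none of these issues was already fixed in an earlier Twisted release, otherwise the entry over-reports the affected versions for those CVEs (splitting into per-release ranges, or noting the fix version per CVE, would make the entry precise). Minor style point in the description: "Twisted developers reports:" should read "Twisted developers report:" to match the plural subject.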