FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

py-twisted -- multiple vulnerabilities

Affected packages
py27-twisted < 20.3.0
py35-twisted < 20.3.0
py36-twisted < 20.3.0
py37-twisted < 20.3.0
py38-twisted < 20.3.0


VuXML ID 9fbaefb3-837e-11ea-b5b4-641c67a117d8
Discovery 2019-03-01
Entry 2020-04-21

Twisted developers reports:

All HTTP clients in twisted.web.client now raise a ValueError when called with a method and/or URL that contain invalid characters. This mitigates CVE-2019-12387. Thanks to Alex Brasetvik for reporting this vulnerability.

The HTTP/2 server implementation now enforces TCP flow control on control frame messages and times out clients that send invalid data without reading responses. This closes CVE-2019-9512 (Ping Flood), CVE-2019-9514 (Reset Flood), and CVE-2019-9515 (Settings Flood). Thanks to Jonathan Looney and Piotr Sikora.

twisted.web.http was subject to several request smuggling attacks. Requests with multiple Content-Length headers were allowed (CVE-2020-10108, thanks to Jake Miller from Bishop Fox and ZeddYu Lu for reporting this) and now fail with a 400; requests with a Content-Length header and a Transfer-Encoding header honored the first header (CVE-2020-10109, thanks to Jake Miller from Bishop Fox for reporting this) and now fail with a 400; requests whose Transfer-Encoding header had a value other than "chunked" and "identity" (thanks to ZeddYu Lu) were allowed and now fail with a 400.


CVE Name CVE-2019-12387
CVE Name CVE-2019-9512
CVE Name CVE-2019-9514
CVE Name CVE-2019-9515
CVE Name CVE-2020-10108
CVE Name CVE-2020-10109
FreeBSD PR ports/245252