This security vulnerability is described here: https://bugzilla.redhat.com/show_bug.cgi?id=1357345

as: "sets environmental variable based on user supplied Proxy request header". In particular it is talking about HTTP_PROXY, and it is only a problem if the server makes an outgoing HTTP request using this value.

Looking at this, I am inclined to say this isn't a security issue in twisted itself, rather in some unspecified applications that use twisted. Just trying to double check this.

I can't find any references (case-insensitive) to "HTTP_PROXY" in the twisted source, however. This appears to be confirmed by the first sentence in the redhat bug report: "Many software projects and vendors have implemented support for the “Proxy” request header in their respective CGI implementations and languages by creating the “HTTP_PROXY” environmental variable based on the header value."

There are a number of projects in Debian that use twisted; should we check each one?

Sure would be good if I had an example application that was confirmed vulnerable.

--
Brian May <b...@debian.org>
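The mechanism the bug report describes, as an added illustration that is not part of the message above and not Twisted's code: a CGI-style gateway maps request headers to `HTTP_*` meta-variables (RFC 3875), so a client-supplied `Proxy:` header becomes `HTTP_PROXY`, which outbound HTTP client code honours. The header values and the `cgi_environ`, `cgi_environ_hardened` and `outbound_proxy_for` functions are constructed for this example.

```python
# Constructed example: CGI meta-variable mapping and the HTTP_PROXY collision.

# Constructed request headers; "Proxy" is client-controlled input.
SAMPLE_HEADERS = {
    "Host": "example.test",
    "User-Agent": "constructed-client/1.0",
    "Proxy": "http://203.0.113.10:8080",  # TEST-NET-3 documentation address
}


def cgi_environ(headers):
    """Naive RFC 3875 mapping: 'Foo-Bar: v' -> HTTP_FOO_BAR=v.

    This is the pattern the bug report describes: every header is exported,
    so 'Proxy' becomes HTTP_PROXY.
    """
    env = {}
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def cgi_environ_hardened(headers):
    """Same mapping, but HTTP_PROXY is never derived from a request header.

    No legitimate client sends a 'Proxy' header, so dropping it loses nothing.
    Stripping it at the web server / gateway protects every CGI child at once.
    """
    env = {}
    for name, value in headers.items():
        key = "HTTP_" + name.upper().replace("-", "_")
        if key == "HTTP_PROXY":
            continue
        env[key] = value
    return env


def outbound_proxy_for(env):
    """Proxy an HTTP client library would use for http:// under this environment.

    Mirrors the case-insensitive *_proxy scan of urllib.request.getproxies_environment.
    (CPython 2.7.12 / 3.5.2 added a check that ignores HTTP_PROXY whenever
    REQUEST_METHOD is set, i.e. when running as a CGI script.)
    """
    for name, value in env.items():
        if name.lower() == "http_proxy" and value:
            return value
    return None
```

Running `outbound_proxy_for(cgi_environ(SAMPLE_HEADERS))` returns the client-chosen address, while the hardened variant returns `None`; an application is only exposed if it both exports headers this way and makes outgoing requests from that environment.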