Salvatore Bonaccorso <car...@debian.org> writes:

> Hi,
>
> Just a quick comment on:
>
> On Mon, Aug 08, 2016 at 06:29:30PM +1000, Brian May wrote:
>> I am inclined to say that no version of twisted, by itself, has this
>> vulnerability. However, like I said earlier, it is possible that
>> applications that use twisted have this vulnerability.
>
> Looking at the upstream ticket
> https://twistedmatrix.com/trac/ticket/8623 I suspect that Twisted
> 16.3.1 will have something to help mitigate the issue in applications
> that use twisted.

I believe this is the upstream patch:

https://github.com/twisted/twisted/commit/bcac75e6180c9eee4337322c109eb5d1cac51165

Looks like it removes CGI support. Hmmm.

My test was flawed, I don't think I tested CGI. I imagine the results
would be the same however.

> For Jessie, we do not plan to release any DSA related to this for
> src:twisted. Don't know if you want to follow that on LTS side.

Yes, I tend to agree. Don't much like the idea of removing a feature in
what is supposed to be a stable distribution.

Then again, scratch that, looks like none of the files patched exist in
the wheezy version anyway...

But there is a reference to twisted/web/twcgi.py in ./ChangeLog.Old - and
twisted/web/twcgi.py is in the upstream git repository for the
twisted-12.0.0 tag.

Oh, I see, it looks like the source was split up for the Debian
packaging. So the twisted-web source contains the file in question, not
the twisted package.

--
Brian May <b...@debian.org>
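Editor's note on the mechanism behind the thread: upstream ticket 8623 and the linked commit concern the "httpoxy" class of issue in twisted.web.twcgi, where a CGI gateway that copies request headers into HTTP_* environment variables (the RFC 3875 convention) turns a client-supplied "Proxy" header into HTTP_PROXY for the child process, a variable many HTTP client libraries honour. The block below is an added illustration written for this page; it is not Twisted's code and not the upstream patch. The function name, the `hardened` flag and the sample request are assumptions for the example. It shows the header-to-environment mapping with and without dropping the Proxy header, which is the kind of application-level check Salvatore refers to when he says applications using twisted may be affected.

```python
# Added example, not code from Twisted or from this thread.
# Minimal RFC 3875-style mapping of request headers to CGI meta-variables,
# showing how a client-controlled "Proxy" header becomes HTTP_PROXY.

def cgi_env_from_headers(headers, hardened=False):
    """Build the HTTP_* environment for a CGI child from request headers.

    headers:  iterable of (name, value) pairs as received from the client
              (a constructed list is used below; nothing is read from the wire).
    hardened: assumed flag for this example; when True the "Proxy" header is
              dropped so the child never sees an attacker-chosen HTTP_PROXY.
    Returns a dict suitable for passing as the child's environment.
    """
    env = {}
    for name, value in headers:
        lname = name.lower()
        if hardened and lname == "proxy":
            # "Proxy" is not a standard request header; a gateway has no
            # reason to forward it, and forwarding it yields HTTP_PROXY.
            continue
        # RFC 3875 section 4.1.18: "HTTP_" + header name, upper-cased,
        # with "-" replaced by "_".
        env["HTTP_" + lname.upper().replace("-", "_")] = value
    return env


def flags_httpoxy(headers):
    """Return True if a request carries a Proxy header (a cheap log/WAF check)."""
    return any(name.lower() == "proxy" for name, _ in headers)


# Constructed sample request; the Proxy value is illustrative, not captured.
SAMPLE_HEADERS = [
    ("Host", "example.test"),
    ("User-Agent", "curl/7.0"),
    ("Proxy", "http://attacker.test:8080"),
]


if __name__ == "__main__":
    unsafe_env = cgi_env_from_headers(SAMPLE_HEADERS)
    safe_env = cgi_env_from_headers(SAMPLE_HEADERS, hardened=True)
    print("unsafe HTTP_PROXY:", unsafe_env.get("HTTP_PROXY"))
    print("hardened HTTP_PROXY:", safe_env.get("HTTP_PROXY"))
    print("request flagged:", flags_httpoxy(SAMPLE_HEADERS))
```

The hardened path is the gateway-side fix; an application that shells out from a CGI script can additionally clear HTTP_PROXY from its own environment before making outbound requests, which is what a distribution that does not patch the gateway would have to rely on.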