twisted vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

* Ubuntu 19.10
* Ubuntu 18.04 LTS
* Ubuntu 16.04 LTS

Summary

Several security issues were fixed in Twisted.

Software Description

* twisted - Event-based framework for internet applications

Details

it was discovered that Twisted incorrectly validated or sanitized
certain URIs or HTTP methods. A remote attacker could use this
issue to inject invalid characters and possibly perform header
injection attacks. (CVE-2019-12387)

It was discovered that Twisted incorrectly verified XMPP TLS
certificates. A remote attacker could possibly use this issue to
perform a man-in-the-middle attack and obtain sensitive
information. (CVE-2019-12855)

It was discovered that Twisted incorrectly handled HTTP/2
connections. A remote attacker could possibly use this issue to
cause Twisted to hang or consume resources, leading to a denial of
service. This issue only affected Ubuntu 18.04 LTS and Ubuntu
19.10. (CVE-2019-9512, CVE-2019-9514, CVE-2019-9515)

Jake Miller and ZeddYu Lu discovered that Twisted incorrectly
handled certain content-length headers. A remote attacker could
possibly use this issue to perform HTTP request splitting attacks.
(CVE-2020-10108, CVE-2020-10109)

Update instructions

The problem can be corrected by updating your system to the
following package versions:

Ubuntu 19.10
python-twisted - 18.9.0-3ubuntu1.1
python-twisted-bin - 18.9.0-3ubuntu1.1
python-twisted-web - 18.9.0-3ubuntu1.1
python3-twisted - 18.9.0-3ubuntu1.1
python3-twisted-bin - 18.9.0-3ubuntu1.1

Ubuntu 18.04 LTS
python-twisted - 17.9.0-2ubuntu0.1
python-twisted-bin - 17.9.0-2ubuntu0.1
python-twisted-web - 17.9.0-2ubuntu0.1
python3-twisted - 17.9.0-2ubuntu0.1
python3-twisted-bin - 17.9.0-2ubuntu0.1

Ubuntu 16.04 LTS
python-twisted - 16.0.0-1ubuntu0.4
python-twisted-bin - 16.0.0-1ubuntu0.4
python-twisted-web - 16.0.0-1ubuntu0.4
python3-twisted - 16.0.0-1ubuntu0.4

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary
changes.

References

* CVE-2019-12387
* CVE-2019-12855
* CVE-2019-9512
* CVE-2019-9514
* CVE-2019-9515
* CVE-2020-10108
* CVE-2020-10109

--- Mystic BBS v1.12 A45 (Linux/64)
* Origin: BZ&BZ BBS (21:4/110)

twisted vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

* Ubuntu 14.04 ESM

Summary

Several security issues were fixed in Twisted.

Software Description

* twisted - Event-based framework for internet applications

Details

USN-4308-1 fixed several vulnerabilities in Twisted. This update
provides the corresponding update for Ubuntu 14.04 ESM.

Original advisory details:

it was discovered that Twisted incorrectly validated or sanitized
certain URIs or HTTP methods. A remote attacker could use this
issue to inject invalid characters and possibly perform header
injection attacks. (CVE-2019-12387)

It was discovered that Twisted incorrectly verified XMPP TLS
certificates. A remote attacker could possibly use this issue to
perform a man-in-the-middle attack and obtain sensitive
information. (CVE-2019-12855)

Jake Miller and ZeddYu Lu discovered that Twisted incorrectly
handled certain content-length headers. A remote attacker could
possibly use this issue to perform HTTP request splitting attacks.
(CVE-2020-10108, CVE-2020-10109)

Update instructions

The problem can be corrected by updating your system to the
following package versions:

Ubuntu 14.04 ESM
python-twisted - 13.2.0-1ubuntu1.2+esm1
python-twisted-bin - 13.2.0-1ubuntu1.2+esm1
python-twisted-web - 13.2.0-1ubuntu1.2+esm1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary
changes.

References

* USN-4308-1
* CVE-2019-12387
* CVE-2019-12855
* CVE-2020-10108
* CVE-2020-10109

--- Mystic BBS v1.12 A45 (Linux/64)
* Origin: BZ&BZ BBS (21:4/110)