python-Twisted-doc-22.2.0-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:11978 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z python-Twisted-doc-22.2.0-1.1 on GA media These are all security issues fixed in the python-Twisted-doc-22.2.0-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-11978 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:11978 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2022-21716/ SUSE CVE CVE-2022-21716 page https://www.suse.com/security/cve/CVE-2022-24801/ SUSE CVE CVE-2022-24801 page openSUSE Tumbleweed python-Twisted-doc-22.2.0-1.1 python310-Twisted-22.2.0-1.1 python38-Twisted-22.2.0-1.1 python39-Twisted-22.2.0-1.1 python-Twisted-doc-22.2.0-1.1 as a component of openSUSE Tumbleweed python310-Twisted-22.2.0-1.1 as a component of openSUSE Tumbleweed python38-Twisted-22.2.0-1.1 as a component of openSUSE Tumbleweed python39-Twisted-22.2.0-1.1 as a component of openSUSE Tumbleweed Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to 22.2.0, Twisted SSH client and server implement is able to accept an infinite amount of data for the peer's SSH version identifier. This ends up with a buffer using all the available memory. The attach is a simple as `nc -rv localhost 22 < /dev/zero`. A patch is available in version 22.2.0. There are currently no known workarounds. CVE-2022-21716 openSUSE Tumbleweed:python-Twisted-doc-22.2.0-1.1 openSUSE Tumbleweed:python310-Twisted-22.2.0-1.1 openSUSE Tumbleweed:python38-Twisted-22.2.0-1.1 openSUSE Tumbleweed:python39-Twisted-22.2.0-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-21716.html CVE-2022-21716 https://bugzilla.suse.com/1196739 SUSE Bug 1196739 Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to version 22.4.0rc1, the Twisted Web HTTP 1.1 server, located in the `twisted.web.http` module, parsed several HTTP request constructs more leniently than permitted by RFC 7230. This non-conformant parsing can lead to desync if requests pass through multiple HTTP parsers, potentially resulting in HTTP request smuggling. Users who may be affected use Twisted Web's HTTP 1.1 server and/or proxy and also pass requests through a different HTTP server and/or proxy. The Twisted Web client is not affected. The HTTP 2.0 server uses a different parser, so it is not affected. The issue has been addressed in Twisted 22.4.0rc1. Two workarounds are available: Ensure any vulnerabilities in upstream proxies have been addressed, such as by upgrading them; or filter malformed requests by other means, such as configuration of an upstream proxy. CVE-2022-24801 openSUSE Tumbleweed:python-Twisted-doc-22.2.0-1.1 openSUSE Tumbleweed:python310-Twisted-22.2.0-1.1 openSUSE Tumbleweed:python38-Twisted-22.2.0-1.1 openSUSE Tumbleweed:python39-Twisted-22.2.0-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-24801.html CVE-2022-24801 https://bugzilla.suse.com/1198086 SUSE Bug 1198086