Security update for python-Twisted SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2024:2732-1 Final 1 1 2024-08-05T10:56:13Z current 2024-08-05T10:56:13Z 2024-08-05T10:56:13Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for python-Twisted This update for python-Twisted fixes the following issues: - CVE-2024-41671: Fixed an information disclosure due to HTTP requests processed out-of-order (bsc#1228549) - CVE-2024-41810: Fixed reflected XSS via HTML injection in redirect response (bsc#1228552) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2024-2732,SUSE-SLE-Module-Web-Scripting-12-2024-2732 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2024/suse-su-20242732-1/ Link for SUSE-SU-2024:2732-1 https://lists.suse.com/pipermail/sle-updates/2024-August/036279.html E-Mail link for SUSE-SU-2024:2732-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1228549 SUSE Bug 1228549 https://bugzilla.suse.com/1228552 SUSE Bug 1228552 https://www.suse.com/security/cve/CVE-2024-41671/ SUSE CVE CVE-2024-41671 page https://www.suse.com/security/cve/CVE-2024-41810/ SUSE CVE CVE-2024-41810 page SUSE Linux Enterprise Module for Web and Scripting 12 python-Twisted-15.2.1-9.26.1 python-Twisted-doc-15.2.1-9.26.1 python-Twisted-15.2.1-9.26.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 Twisted is an event-based framework for internet applications, supporting Python 3.6+. The HTTP 1.0 and 1.1 server provided by twisted.web could process pipelined HTTP requests out-of-order, possibly resulting in information disclosure. This vulnerability is fixed in 24.7.0rc1. CVE-2024-41671 SUSE Linux Enterprise Module for Web and Scripting 12:python-Twisted-15.2.1-9.26.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242732-1/ https://www.suse.com/security/cve/CVE-2024-41671.html CVE-2024-41671 https://bugzilla.suse.com/1228549 SUSE Bug 1228549 Twisted is an event-based framework for internet applications, supporting Python 3.6+. The `twisted.web.util.redirectTo` function contains an HTML injection vulnerability. If application code allows an attacker to control the redirect URL this vulnerability may result in Reflected Cross-Site Scripting (XSS) in the redirect response HTML body. This vulnerability is fixed in 24.7.0rc1. CVE-2024-41810 SUSE Linux Enterprise Module for Web and Scripting 12:python-Twisted-15.2.1-9.26.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242732-1/ https://www.suse.com/security/cve/CVE-2024-41810.html CVE-2024-41810 https://bugzilla.suse.com/1228552 SUSE Bug 1228552