[tor-bugs] #33836 [Applications/GetTor]: Require Twisted 20.3.0 in gettor's requirements.txt
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Apr 7 02:04:58 UTC 2020
#33836: Require Twisted 20.3.0 in gettor's requirements.txt
-------------------------------------+--------------------
Reporter: teor | Owner: (none)
Type: defect | Status: new
Priority: Medium | Milestone:
Component: Applications/GetTor | Version:
Severity: Normal | Keywords:
Actual Points: | Parent ID:
Points: | Reviewer:
Sponsor: |
-------------------------------------+--------------------
Twisted has an HTTP request splitting vulnerability; GetTor is probably
affected.

Please update your requirements.txt to depend on Twisted 20.3.0 or later.
(And any downstream packages.)

The GitHub alert is:
https://github.com/torproject/gettor/network/alert/requirements.txt/Twisted/open

The relevant CVEs are:
CVE-2020-10108
https://github.com/advisories/GHSA-h96w-mmrf-2h6v
CVE-2020-10109
https://github.com/advisories/GHSA-p5xh-vx83-mxcj
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/33836>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
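
One way to check a requirements.txt for the pin this ticket requests, as an added example that is not part of the original message or of gettor's code. The function names and the sample file contents are hypothetical, and the specifier parsing is a simplification (numeric versions only, no pre-release or environment-marker handling).

```python
import re

FIXED = (20, 3, 0)  # release the ticket asks for: Twisted 20.3.0 or later

# name, optional [extras], then specifiers up to an environment marker or comment
REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*([^;#]*)")
SPEC_RE = re.compile(r"(===|==|~=|>=|<=|!=|>|<)\s*([0-9]+(?:\.[0-9]+)*)")
LOWER_OPS = {"==", "===", ">=", "~=", ">"}  # operators that set a floor

def as_tuple(version):
    """'20.3' -> (20, 3, 0); pre-release suffixes are ignored (simplification)."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def twisted_findings(requirements_text):
    """Return (line_no, line, reason) for each Twisted entry that permits < FIXED."""
    findings, seen = [], False
    for line_no, raw in enumerate(requirements_text.splitlines(), 1):
        line = raw.strip()
        match = REQ_RE.match(line)  # comments, blanks and '-r' lines do not match
        if not match:
            continue
        # PEP 503 name normalisation, so 'twisted' and 'Twisted' both match
        if re.sub(r"[-_.]+", "-", match.group(1)).lower() != "twisted":
            continue
        seen = True
        floors = [v for op, v in SPEC_RE.findall(match.group(2)) if op in LOWER_OPS]
        if not floors:
            findings.append((line_no, line, "no lower bound"))
            continue
        floor = max(floors, key=as_tuple)  # tightest floor among the specifiers
        if as_tuple(floor) < FIXED:
            findings.append((line_no, line, f"lower bound {floor} is below 20.3.0"))
    if not seen:
        # not listed here: the version is whatever a dependency pulls in
        findings.append((0, "", "Twisted not listed"))
    return findings

# Constructed sample, not gettor's real requirements.txt
SAMPLE = """\
# web stack
Twisted==19.10.0
service_identity>=18.1.0
"""

if __name__ == "__main__":
    for finding in twisted_findings(SAMPLE):
        print(finding)
```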