I've just uploaded the first prerelease of Twisted 16.3.1, a security & critical bug fix release of the 16.3 series. It contains:
- A bugfix for a HTTP/2 edge case,
- Fix for CVE-2008-7317 (generating potentially guessable HTTP session identifiers)
- Fix for CVE-2008-7318 (sending secure session cookies over insecured connections)
- Fix for CVE-2016-1000111 (http://httpoxy.org/)
You can find the tarball and the full news file for testing at https://twistedmatrix.com/Releases/pre/16.3.1pre1/ .
If no issues are found, I will issue a full release by Friday.