On behalf of the Twisted contributors I announce the release candidate of
Twisted 24.7.0.
This is a release triggered by the following security bugfixes:
- twisted.web.util.redirectTo now HTML-escapes the provided URL in the
  fallback response body it returns (GHSA-cf56-g6w6-pqq2, CVE-2024-41810).
  (#9839)
- The HTTP 1.0 and 1.1 server provided by twisted.web could process
  pipelined HTTP requests out-of-order, possibly resulting in information
  disclosure (CVE-2024-41671/GHSA-c8m8-j448-xjx7) (#12248)
- twisted.web.util.redirectTo now HTML-escapes the provided URL in the
  fallback response body it returns (GHSA-cf56-g6w6-pqq2). The issue is being
  tracked with CVE-2024-41810. (#12263)
The subjective notable changes are:
- Many performance improvements, pioneered by Itamar
- twisted.internet.defer.inlineCallbacks can now yield a coroutine. (#9972)
- The HTTP 1.0/1.1 server provided by twisted.web is now more picky about
  the first line of a request, improving compliance with RFC 9112. (#12233)
- The HTTP 1.0/1.1 server provided by twisted.web now constrains the
  character set of HTTP header names, improving compliance with RFC 9110.
  (#12235)
- twisted.web.util.ChildRedirector, which has never worked on Python 3, has
  been removed. (#9591)
The release and NEWS file is available for review at
https://github.com/twisted/twisted/pull/12272
Release candidate documentation is available at
https://twisted--12272.org.readthedocs.build/en/12272/
Wheels for the release candidate are available on PyPI:
python -m pip install Twisted==24.7.0rc1
Please test it and report any issues. If nothing comes up in one week,
24.7.0 will be released based on the latest release candidate.
Many thanks to everyone who worked on this release!
--
Adi Roiban
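The second bugfix above concerns the order in which an HTTP/1.1 server answers pipelined requests. A practitioner rolling out the release candidate will want a quick way to confirm that property against a running server. The check below is an added example, not code from Twisted or from the announcement: it sends several requests in a single write and verifies that the response bodies come back in the same order. The stand-in server (constructed here from the Python stdlib http.server, not twisted.web) simply echoes the request path so each response can be matched to its request; the client half can be pointed at any host and port.

```python
"""Verify that an HTTP/1.1 server answers pipelined requests in the order
they were sent.  Added example; the stand-in server is stdlib http.server,
not twisted.web, so the client-side check can target any host:port."""
import socket
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


class EchoPathHandler(BaseHTTPRequestHandler):
    """Constructed stand-in: each response body echoes the request path,
    so the client can tell which request a given response belongs to."""
    protocol_version = "HTTP/1.1"  # keep-alive, which pipelining requires

    def do_GET(self):
        body = self.path.encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the example quiet
        pass


def start_stand_in_server():
    """Bind the echo server to an ephemeral loopback port and serve in a thread."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), EchoPathHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def read_response(reader):
    """Parse one HTTP response from a buffered socket reader; return its body.
    Only Content-Length framing is handled, which is what the echo server uses."""
    status = reader.readline()
    if not status:
        raise ConnectionError("server closed the connection before answering")
    content_length = 0
    while True:
        line = reader.readline()
        if line in (b"\r\n", b"\n", b""):
            break
        name, _, value = line.decode("latin-1").partition(":")
        if name.strip().lower() == "content-length":
            content_length = int(value.strip())
    return reader.read(content_length)


def pipelined_response_order(host, port, paths):
    """Send all requests in one write and return the bodies in arrival order."""
    request = b"".join(
        f"GET {p} HTTP/1.1\r\nHost: {host}\r\n\r\n".encode() for p in paths
    )
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(request)
        reader = sock.makefile("rb")
        return [read_response(reader).decode() for _ in paths]


def pipelining_is_ordered(host, port, paths):
    """True when every response matches the request sent at the same position."""
    return pipelined_response_order(host, port, paths) == list(paths)


if __name__ == "__main__":
    srv = start_stand_in_server()
    paths = ["/first", "/second", "/third"]
    print(pipelining_is_ordered("127.0.0.1", srv.server_address[1], paths))
    srv.shutdown()
```

Against a real deployment, replace the stand-in with a server whose responses identify the request (distinct paths returning distinct bodies is enough) and call pipelining_is_ordered with its host and port; a False result means responses were interleaved or reordered and the server should not be exposed until updated.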
Hi,
This is just an FYI that we plan to release a new Twisted version that
includes a fix for a security related bug.
Most probably the release will be on 29 July 2024, 15:00 UTC.
The security advisory is at
https://github.com/twisted/twisted/security/advisories/GHSA-c8m8-j448-xjx7
Only Twisted developers have access to it.
This security issue was reported by Ben Kallus and a fix was created by
Tom Most.
If you are a member of Twisted dev team and have time, please review the PR
and add your feedback.
We can continue the conversation over the GitHub Security advisory page.
Kind regards,
--
Adi Roiban