On behalf of the Twisted contributors I announce the release candidate of Twisted 24.7.0.
This is a release triggered by the following security bugfixes:
- twisted.web.util.redirectTo now HTML-escapes the provided URL in the fallback response body it returns (GHSA-cf56-g6w6-pqq2, CVE-2024-41810). (#9839)
- The HTTP 1.0 and 1.1 server provided by twisted.web could process pipelined HTTP requests out-of-order, possibly resulting in information disclosure (CVE-2024-41671/GHSA-c8m8-j448-xjx7) (#12248)
- twisted.web.util.redirectTo now HTML-escapes the provided URL in the fallback response body it returns (GHSA-cf56-g6w6-pqq2). The issue is being tracked with CVE-2024-41810. (#12263)
The subjective notable changes are:
- Many performance improvements, pioneered by Itamar
- twisted.internet.defer.inlineCallbacks can now yield a coroutine. (#9972)
- The HTTP 1.0/1.1 server provided by twisted.web is now more picky about the first line of a request, improving compliance with RFC 9112. (#12233)
- The HTTP 1.0/1.1 server provided by twisted.web now contains the characters set of HTTP header names, improving compliance with RFC 9110. (#12235)
- twisted.web.util.ChildRedirector, which has never worked on Python 3, has been removed. (#9591)
The release and NEWS file is available for review at
Release candidate documentation is available at
Wheels for the release candidate are available on PyPI
python -m pip install Twisted==24.7.0rc1
Please test it and report any issues. If nothing comes up in one week, 24.7.0 will be released based on the latest release candidate.
Many thanks to everyone who worked on this release!
--
Adi Roiban