On behalf of the Twisted contributors I announce the release candidate of Twisted 24.7.0.

This is a release triggered by the following security bugfixes:

- twisted.web.util.redirectTo now HTML-escapes the provided URL in the fallback response body it returns (GHSA-cf56-g6w6-pqq2, CVE-2024-41810). (#9839)
- The HTTP 1.0 and 1.1 server provided by twisted.web could process pipelined HTTP requests out-of-order, possibly resulting in information disclosure (CVE-2024-41671/GHSA-c8m8-j448-xjx7) (#12248)
- twisted.web.util.redirectTo now HTML-escapes the provided URL in the fallback response body it returns (GHSA-cf56-g6w6-pqq2). The issue is being tracked with CVE-2024-41810. (#12263)

The subjective notable changes are:

- Many performance improvements, pioneered by Itamar
- twisted.internet.defer.inlineCallbacks can now yield a coroutine. (#9972)
- The HTTP 1.0/1.1 server provided by twisted.web is now more picky about the first line of a request, improving compliance with RFC 9112. (#12233)
- The HTTP 1.0/1.1 server provided by twisted.web now contains the character set of HTTP header names, improving compliance with RFC 9110. (#12235)
- twisted.web.util.ChildRedirector, which has never worked on Python 3, has been removed. (#9591)

The release and NEWS file is available for review at https://github.com/twisted/twisted/blob/stable/NEWS.rst

Release documentation is available at https://docs.twisted.org/en/stable/

Wheels for the release candidate are available on PyPI:

    python -m pip install Twisted==24.7.0

Many thanks to everyone who worked on this release!

I would like to use this opportunity and thank https://thinkst.com/ for the extraordinary continuous financial support since 2018.

-- 
Adi Roiban
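The redirectTo fix listed in the announcement, illustrated as an added example that is not part of the original message and not Twisted's code: the template, function names and sample URL below are assumptions constructed for the demonstration. It renders a redirect fallback body with and without HTML-escaping the URL, then parses both to show which elements a browser would see.

```python
import html
from html.parser import HTMLParser

# Simplified stand-in for a redirect fallback page (assumed layout, not Twisted's template).
TEMPLATE = (
    '<html><head><meta http-equiv="refresh" content="0;URL={url}"></head>'
    '<body><a href="{url}">click here</a></body></html>'
)


def fallback_unescaped(url: str) -> str:
    """Behaviour the fix removes: the URL is interpolated into the markup verbatim."""
    return TEMPLATE.format(url=url)


def fallback_escaped(url: str) -> str:
    """Behaviour after the fix: the URL is HTML-escaped (quotes included) first."""
    return TEMPLATE.format(url=html.escape(url, quote=True))


class _Collector(HTMLParser):
    """Records every start tag and the href of the last <a> element."""

    def __init__(self):
        super().__init__()
        self.tags, self.href = [], None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "a":
            self.href = dict(attrs).get("href")


def parse_body(body: str):
    """Return (list of start tags, href of the link) as an HTML parser sees them."""
    parser = _Collector()
    parser.feed(body)
    parser.close()
    return parser.tags, parser.href


# Constructed sample: a URL whose tail closes the attribute and opens a new element.
CONSTRUCTED_URL = 'http://example.com/next?a=1&b=2"><script>alert(1)</script>'

if __name__ == "__main__":
    for name, render in (("unescaped", fallback_unescaped), ("escaped", fallback_escaped)):
        tags, href = parse_body(render(CONSTRUCTED_URL))
        print(f"{name}: tags={tags} href_intact={href == CONSTRUCTED_URL}")
```

With escaping, the parsed link target is byte-for-byte the URL that was passed in and no extra element appears, which is the property to assert in a regression test for any handler that echoes a redirect target into HTML.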