[Twisted-Python] [SECURITY] Twisted 19.2.1 Release Announcement

On behalf of Twisted Matrix Laboratories, I am honoured to announce the release of Twisted 19.2.1!

This is a security release, and contains the following changes:

- All HTTP clients in twisted.web.client now raise a ValueError when called with a method and/or URL that contain invalid characters. This mitigates CVE-2019-12387. Thanks to Alex Brasetvik for reporting this vulnerability.

It is recommended you update to this release as soon as is practical.

Additional mitigation may be required if Twisted is not your only HTTP client library:

- This bug is present in all current versions of urllib2 in CPython. More information can be found on the Python bug tracker: https://bugs.python.org/issue30458
- This bug was present in urllib3 up until version 1.24.3. More information can be found on the urllib3 bug tracker: https://github.com/urllib3/urllib3/issues/1553

You can find the downloads at <https://pypi.python.org/pypi/Twisted> (or alternatively <http://twistedmatrix.com/trac/wiki/Downloads>). The NEWS file is also available at <https://github.com/twisted/twisted/blob/twisted-19.2.1/NEWS.rst>.

Twisted Regards,
Amber Brown (HawkOwl)
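Added example, not part of the original announcement and not Twisted's own code: where requests still pass through an HTTP client library without an equivalent fix, a pre-flight check can reject a bad method or URL before the request is built. The announcement does not list the rejected characters; this example assumes RFC 7230's token grammar for the method and rejects ASCII control characters (CR and LF included) and space in the URL, and `check_request`, `audit` and `SAMPLES` are hypothetical names.

```python
import re
from urllib.parse import urlsplit

# RFC 7230 section 3.2.6 "token" grammar; the request method must match it.
_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
# Assumption: ASCII control characters, space and DEL are the invalid set.
_BAD_URL_CHARS = re.compile(r"[\x00-\x20\x7f]")


def _text(value):
    # latin-1 maps every byte to one code point, so nothing is hidden by decoding.
    return value.decode("latin-1") if isinstance(value, bytes) else value


def check_request(method, url):
    """Return (method, url) unchanged if both are safe, else raise ValueError."""
    m, u = _text(method), _text(url)
    if not _TOKEN.fullmatch(m):
        raise ValueError("invalid HTTP method: %r" % (m,))
    # Check the raw string first: newer urlsplit() silently strips CR/LF/TAB.
    bad = _BAD_URL_CHARS.search(u)
    if bad:
        raise ValueError("invalid character %r in URL at offset %d"
                         % (bad.group(), bad.start()))
    parts = urlsplit(u)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("URL must be absolute http(s): %r" % (u,))
    return method, url


def audit(requests):
    """Split (method, url) pairs into accepted pairs and (pair, reason) rejections."""
    accepted, rejected = [], []
    for method, url in requests:
        try:
            accepted.append(check_request(method, url))
        except ValueError as exc:
            rejected.append(((method, url), str(exc)))
    return accepted, rejected


# Constructed sample inputs (not taken from the announcement).
SAMPLES = [
    ("GET", "https://example.com/index.html"),
    (b"POST", b"http://example.com/api?q=1"),
    ("GET", "http://example.com/a b"),
    ("GET", "http://example.com/\r\nX-Added: 1"),
    ("GET\r\nX-Added: 1", "http://example.com/"),
    ("GET", "/relative/path"),
]
```

Calling `check_request` at the one place where outbound requests are built keeps the check independent of which client library sends them.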

On Jun 6, 2019, at 7:46 AM, Amber Brown <hawkowl@atleastfornow.net> wrote:

> On behalf of Twisted Matrix Laboratories, I am honoured to announce the release of Twisted 19.2.1!

Thank you very much to Mark and Amber for their rapid-response work in getting this fix deployed, to Alex Brasetvik for discovering and reporting the issue via security@twistedmatrix.com, and Alex Gaynor for serving as our security contact and coordinator. Go Team!

A reminder to anyone who has security issues to report, or who may want to work on security issues for Twisted in the future: on the front page here <https://twistedmatrix.com/trac/#Reportasecurityissue> we have a link to our reporting and remediation processes: <https://twistedmatrix.com/trac/wiki/Security>.

Thanks again all!

-glyph
