python-twisted-web-12.1.0-7.el7
Errata ID: AXSA:2020-025:01
Twisted is an event-based framework for internet applications. Twisted Web is a complete web server, aimed at hosting web applications using Twisted and Python, but fully able to serve static pages too.
Security Fix(es):
* python-twisted: HTTP request smuggling when presented with two Content-Length headers (CVE-2020-10108)
* python-twisted: HTTP request smuggling when presented with a Content-Length and a chunked Transfer-Encoding header (CVE-2020-10109)
* python-twisted: Improper neutralization of CRLF characters in URIs and HTTP methods (CVE-2019-12387)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
CVE-2020-10108
In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with two content-length headers, it ignored the first header. When the second content-length value was set to zero, the request body was interpreted as a pipelined request.
CVE-2020-10109
In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with a content-length and a chunked encoding header, the content-length took precedence and the remainder of the request body was interpreted as a pipelined request.
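The two request-splitting bugs above are framing disagreements: the same bytes yield one request for a parser that honours the first Content-Length or the chunked Transfer-Encoding, and two requests for a parser that takes the last Content-Length and lets it beat Transfer-Encoding. The model below is an added example, not Twisted's parser, written to make that gap visible for both CVE-2020-10108 (two Content-Length headers) and CVE-2020-10109 (Content-Length plus chunked). It frames pipelined HTTP/1.1 requests from one buffer under three policies; the "last-cl" policy reproduces only the behaviour the advisory describes, "te-first" stands in for a front-end that follows the RFC 7230 precedence, and "strict" rejects conflicting framing as RFC 7230 section 3.3.3 allows. The sample traffic is constructed; Host "a" and the `/admin` path are placeholders.

```python
"""Framing model for CVE-2020-10108 / CVE-2020-10109 (added example).

Policies:
  "last-cl"  - advisory behaviour: later Content-Length replaces earlier
               one; Content-Length beats chunked Transfer-Encoding
  "te-first" - front-end model: Transfer-Encoding wins, else first CL
  "strict"   - RFC 7230 s.3.3.3: conflicting framing is rejected outright
"""
from typing import Dict, List, Optional, Tuple

class FramingError(ValueError):
    """Raised when request framing is ambiguous or malformed."""

def _parse_head(block: bytes) -> Tuple[bytes, List[Tuple[bytes, bytes]]]:
    lines = block.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        if line:
            name, _, value = line.partition(b":")
            headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers

def _body_length(headers, policy: str) -> Optional[int]:
    """Fixed body length, or None when the body is chunked."""
    cls = [v for n, v in headers if n == b"content-length"]
    tes = [v.lower() for n, v in headers if n == b"transfer-encoding"]
    chunked = bool(tes) and tes[-1] == b"chunked"
    if policy == "last-cl":
        if cls:
            return int(cls[-1])          # earlier header silently ignored
        return None if chunked else 0
    if policy == "te-first":
        if chunked:
            return None                  # TE overrides Content-Length
        return int(cls[0]) if cls else 0
    if policy != "strict":
        raise ValueError("unknown policy %r" % policy)
    if cls and tes:
        raise FramingError("Content-Length together with Transfer-Encoding")
    if tes and not chunked:
        raise FramingError("final Transfer-Encoding is not chunked")
    if len(set(cls)) > 1:
        raise FramingError("conflicting Content-Length values")
    if cls and not cls[0].isdigit():
        raise FramingError("malformed Content-Length")
    return None if chunked else (int(cls[0]) if cls else 0)

def _read_chunked(buf: bytes, pos: int) -> Tuple[bytes, int]:
    body = b""
    while True:
        eol = buf.index(b"\r\n", pos)
        size = int(buf[pos:eol].split(b";")[0], 16)   # drop chunk extensions
        pos = eol + 2
        if size == 0:
            while True:                                # trailer section
                eol = buf.index(b"\r\n", pos)
                line, pos = buf[pos:eol], eol + 2
                if not line:
                    return body, pos
        body += buf[pos:pos + size]
        pos += size + 2                                # chunk data plus CRLF

def split_requests(buf: bytes, policy: str) -> List[Dict[str, bytes]]:
    """Frame every request in buf; the request count is what parsers disagree on."""
    requests, pos = [], 0
    try:
        while pos < len(buf):
            end = buf.index(b"\r\n\r\n", pos)
            request_line, headers = _parse_head(buf[pos:end])
            pos = end + 4
            length = _body_length(headers, policy)
            if length is None:
                body, pos = _read_chunked(buf, pos)
            else:
                body = buf[pos:pos + length]
                if len(body) != length:
                    raise FramingError("truncated body")
                pos += length
            requests.append({"request_line": request_line, "body": body})
    except FramingError:
        raise
    except ValueError as exc:                # index()/int() failures
        raise FramingError(str(exc)) from exc
    return requests

def request_lines(buf: bytes, policy: str) -> List[bytes]:
    return [r["request_line"] for r in split_requests(buf, policy)]

def strict_rejects(buf: bytes) -> bool:
    try:
        split_requests(buf, "strict")
    except FramingError:
        return True
    return False

# Constructed sample traffic (Host "a" and /admin are placeholders).
SMUGGLED = b"GET /admin HTTP/1.1\r\nHost: a\r\n\r\n"

# CVE-2020-10108: first Content-Length covers the hidden request, second is 0.
DOUBLE_CL = (b"POST / HTTP/1.1\r\nHost: a\r\n"
             b"Content-Length: %d\r\nContent-Length: 0\r\n\r\n" % len(SMUGGLED)
             + SMUGGLED)

# CVE-2020-10109: one chunk carries the hidden request. Content-Length: 4
# covers only the chunk-size line, so a CL-first parser starts a new request
# at the chunk data; the hidden request's own Content-Length: 7 swallows the
# "\r\n0\r\n\r\n" chunk terminator so nothing is left dangling.
HIDDEN = b"GET /admin HTTP/1.1\r\nHost: a\r\nContent-Length: 7\r\n\r\n"
CL_TE = (b"POST / HTTP/1.1\r\nHost: a\r\n"
         b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n"
         b"%x\r\n" % len(HIDDEN) + HIDDEN + b"\r\n0\r\n\r\n")

if __name__ == "__main__":
    for name, buf in (("double CL", DOUBLE_CL), ("CL + chunked", CL_TE)):
        print(name, "last-cl:", request_lines(buf, "last-cl"))
        print(name, "te-first:", request_lines(buf, "te-first"))
        print(name, "strict rejects:", strict_rejects(buf))
```

Running the block prints two request lines under "last-cl" and one under "te-first" for each sample; the second request exists only for the CL-last parser, which is how a front-end that forwarded one request ends up with a hidden second one on the backend. Under "strict" both samples are rejected before any body is read, which is the check a fixed server applies.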
CVE-2019-12387
In Twisted before 19.2.1, twisted.web did not validate or sanitize URIs or HTTP methods, allowing an attacker to inject invalid characters such as CRLF.
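CVE-2019-12387 is the client-side counterpart: when a caller's method or URI is placed into the request line unchecked, an embedded CR/LF ends that line early and everything after it is sent as additional headers. The block below is an added example, not twisted.web.client code; it serializes a request the way a client would, shows what a server parses out of an attacker-controlled path when no validation is done, and applies the RFC 7230 rules (method must be a token; request-target must carry no control characters, whitespace or non-ASCII bytes) when validation is on. The attacker input and the Host value are constructed.

```python
"""Model of CVE-2019-12387: CR/LF in a method or URI reaching the wire (added example)."""
import re
from typing import List, Sequence, Tuple

_TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")   # RFC 7230 tchar
_FORBIDDEN = re.compile(rb"[\x00-\x20\x7f-\xff]")        # CTLs, SP, non-ASCII

class InjectionError(ValueError):
    """Raised when a method or request-target could split the request."""

def serialize(method: bytes, uri: bytes,
              headers: Sequence[Tuple[bytes, bytes]], validate: bool) -> bytes:
    """Build request bytes; validate=False is the unsafe pre-19.2.1 model."""
    if validate:
        if not _TOKEN.fullmatch(method):        # fullmatch: "$" would allow a trailing LF
            raise InjectionError("method is not an HTTP token: %r" % method)
        if _FORBIDDEN.search(uri):
            raise InjectionError("request-target has CTL or whitespace: %r" % uri)
    out = method + b" " + uri + b" HTTP/1.1\r\n"
    for name, value in headers:
        out += name + b": " + value + b"\r\n"
    return out + b"\r\n"

def header_names(raw: bytes) -> List[bytes]:
    """Header names a server would parse out of the serialized request."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    return [ln.partition(b":")[0].strip().lower()
            for ln in head.split(b"\r\n")[1:] if ln]

def rejected(method: bytes, uri: bytes) -> bool:
    try:
        serialize(method, uri, [(b"Host", b"example.test")], validate=True)
    except InjectionError:
        return True
    return False

# Constructed attacker input: the path closes the request line itself and
# plants a header; the trailing "X-Pad:" absorbs the client's " HTTP/1.1".
EVIL_PATH = b"/search?q=x HTTP/1.1\r\nX-Injected: 1\r\nX-Pad:"
EVIL_METHOD = b"GET /\r\nX-Injected: 1\r\nFOO"

if __name__ == "__main__":
    raw = serialize(b"GET", EVIL_PATH, [(b"Host", b"example.test")], validate=False)
    print("unvalidated, server sees headers:", header_names(raw))
    print("validated rejects path:", rejected(b"GET", EVIL_PATH))
    print("validated rejects method:", rejected(EVIL_METHOD, b"/"))
    print("validated accepts encoded CRLF:", not rejected(b"GET", b"/search?q=x%0d%0a"))
```

The percent-encoded form `%0d%0a` is accepted because it stays inside the request-target as ordinary characters; only raw control bytes can terminate the line, which is why the check is on bytes rather than on decoded text.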
Update packages.
SRPMS
- python-twisted-web-12.1.0-7.el7.src.rpm
MD5: a3bb373521ddd3be7427a430ce25ce31
SHA-256: 0be46b342a0d13103522a731d570fc1e2a8a4a8c17f943927f27a57cf018fb77
Size: 394.97 kB
Asianux Server 7 for x86_64
- python-twisted-web-12.1.0-7.el7.x86_64.rpm
MD5: 5bab90ec84186ebec4c3b391d333daf8
SHA-256: 6b8a5cd5c25da79a11468dfb359a78b568abc73563981ecbf8152d885bdb4228
Size: 727.42 kB
- python-twisted-web-12.1.0-7.el7.i686.rpm
MD5: 94b2b08a2cba0093f46ba770d71a92fd
SHA-256: 3e3a98842852d0b85d60a0ada4dff492d07b7ad9c9eade46f15eba568c91c2d8
Size: 727.40 kB