python-twisted-web-12.1.0-7.el7
Errata ID: AXSA:2020-025:01
Release date:
2020/04/27 Monday - 05:17
Title:
python-twisted-web-12.1.0-7.el7
Affected channels:
Asianux Server 7 for x86_64
Severity:
High
Description:
The following issues have been addressed.
[Security Fix]
- python-twisted-web has an HTTP request splitting issue: when two content-length headers are supplied, the first value is ignored. If the second content-length value is 0, the request body is interpreted as a pipelined request. (CVE-2020-10108)
- python-twisted-web has an HTTP request splitting issue: when both a content-length header and a chunked transfer-encoding header are supplied, content-length takes precedence and the remainder of the request body is interpreted as a pipelined request. (CVE-2020-10109)
- twisted.web in python-twisted-web does not validate or sanitize URIs or HTTP methods, which allows an attacker to inject invalid characters such as CRLF line-break characters. (CVE-2019-12387)
Some of the CVE translations are quoted from JVN.
http://jvndb.jvn.jp/
Solution:
Update packages.
CVE:
CVE-2020-10108
In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with two content-length headers, it ignored the first header. When the second content-length value was set to zero, the request body was interpreted as a pipelined request.
CVE-2020-10109
In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with a content-length and a chunked encoding header, the content-length took precedence and the remainder of the request body was interpreted as a pipelined request.
CVE-2019-12387
In Twisted before 19.2.1, twisted.web did not validate or sanitize URIs or HTTP methods, allowing an attacker to inject invalid characters such as CRLF.
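The three CVEs above share one root cause: the request framing is ambiguous and the parser picks one interpretation instead of refusing. The check below is an added example written for this errata, not code from Twisted or from the fixed package. It implements the conservative rule from RFC 7230 section 3.3.3 on a raw request head (reject conflicting or duplicate Content-Length, reject Content-Length combined with Transfer-Encoding) and a client-side guard that refuses to build a request line from a method or target containing control bytes. The sample request heads are constructed for the example; the function names and finding strings are this example's own.

```python
"""Conservative HTTP/1.1 framing checks for the vulnerability classes in
this errata. Added example; not Twisted's code. Only the request head is
inspected: the point is to refuse an ambiguous request before any body
bytes are consumed, rather than to guess which framing was meant."""
import re

# Control bytes (0x00-0x1f, 0x7f) are never valid inside a method or a
# request-target; CR and LF are the ones that let a request be split.
_CTL = re.compile(rb"[\x00-\x1f\x7f]")


def validate_request_line(method: bytes, target: bytes) -> bool:
    """Client-side guard (CVE-2019-12387 class): return False if either part
    of the request line contains control bytes or whitespace."""
    for part in (method, target):
        if not part or _CTL.search(part) or b" " in part:
            return False
    return True


def split_head(raw: bytes):
    """Return (request_line, [(lowercased_name, value), ...]) for the head
    of a raw request. A header line without a colon is recorded with an
    empty name so the caller can report it."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            headers.append((b"", line))
            continue
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def check_request_framing(raw: bytes) -> list:
    """Server-side check: return a list of findings for a raw request head.
    An empty list means the message framing is unambiguous."""
    findings = []
    request_line, headers = split_head(raw)

    parts = request_line.split(b" ")
    if len(parts) != 3:
        findings.append("malformed request line")
    elif _CTL.search(parts[0]) or _CTL.search(parts[1]):
        findings.append("control character in method or request-target")

    content_lengths = [v for n, v in headers if n == b"content-length"]
    transfer_encodings = [v for n, v in headers if n == b"transfer-encoding"]

    # CVE-2020-10108 class: more than one Content-Length. RFC 7230 tolerates
    # duplicates only when every value is identical; this checker flags even
    # that case, because there is no reason for a client to send it.
    if len(content_lengths) > 1:
        if len(set(content_lengths)) > 1:
            findings.append("conflicting Content-Length headers")
        else:
            findings.append("duplicate Content-Length headers")
    if any(not v.isdigit() for v in content_lengths):
        findings.append("non-numeric Content-Length")

    # CVE-2020-10109 class: Content-Length next to Transfer-Encoding. RFC 7230
    # says Transfer-Encoding wins and the message should be treated as an
    # error; the fix is to refuse it, never to let Content-Length decide.
    if content_lengths and transfer_encodings:
        findings.append("Content-Length and Transfer-Encoding both present")

    if any(n == b"" for n, _ in headers):
        findings.append("malformed header line")
    return findings


# Constructed sample request heads for the demonstration below.
CLEAN = (b"POST /submit HTTP/1.1\r\nHost: example.test\r\n"
         b"Content-Length: 5\r\n\r\nhello")
DUP_CL = (b"POST /submit HTTP/1.1\r\nHost: example.test\r\n"
          b"Content-Length: 5\r\nContent-Length: 0\r\n\r\nhello")
CL_AND_TE = (b"POST /submit HTTP/1.1\r\nHost: example.test\r\n"
             b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n")

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("dup-cl", DUP_CL), ("cl+te", CL_AND_TE)):
        print(label, check_request_framing(sample) or "ok")
    print("request line", validate_request_line(b"GET", b"/a\r\nX-Injected: 1"))
```

A server that rejects every request with a non-empty finding list (400 Bad Request, then close the connection so that no leftover bytes can be read as a pipelined request) removes the ambiguity that all three CVEs depend on; the client-side guard belongs wherever user-controlled data is turned into a method or URI.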
Additional information:
N/A
Downloads:
SRPMS
- python-twisted-web-12.1.0-7.el7.src.rpm
MD5: a3bb373521ddd3be7427a430ce25ce31
SHA-256: 0be46b342a0d13103522a731d570fc1e2a8a4a8c17f943927f27a57cf018fb77
Size: 394.97 kB
Asianux Server 7 for x86_64
- python-twisted-web-12.1.0-7.el7.x86_64.rpm
MD5: 5bab90ec84186ebec4c3b391d333daf8
SHA-256: 6b8a5cd5c25da79a11468dfb359a78b568abc73563981ecbf8152d885bdb4228
Size: 727.42 kB
- python-twisted-web-12.1.0-7.el7.i686.rpm
MD5: 94b2b08a2cba0093f46ba770d71a92fd
SHA-256: 3e3a98842852d0b85d60a0ada4dff492d07b7ad9c9eade46f15eba568c91c2d8
Size: 727.40 kB