リリース日:
2022/06/07 Tuesday - 11:56
題名:
python-twisted-web-12.1.0-8.el7
影響のあるチャネル:
Asianux Server 7 for x86_64
Severity:
High
Description:
以下項目について対処しました。
[Security Fix]
- python-twisted-web には、HTTP リクエストの構造を解析する際に、RFC 7230 に
よって定められたものよりも厳密に解析しない問題があるため、HTTP リクエスト
スマグリングを引き起こすことが可能となる脆弱性があります。(CVE-2022-24801)
解決策:
パッケージをアップデートしてください。
CVE:
CVE-2022-24801
Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to version 22.4.0rc1, the Twisted Web HTTP 1.1 server, located in the `twisted.web.http` module, parsed several HTTP request constructs more leniently than permitted by RFC 7230. This non-conformant parsing can lead to desync if requests pass through multiple HTTP parsers, potentially resulting in HTTP request smuggling. Users who may be affected use Twisted Web's HTTP 1.1 server and/or proxy and also pass requests through a different HTTP server and/or proxy. The Twisted Web client is not affected. The HTTP 2.0 server uses a different parser, so it is not affected. The issue has been addressed in Twisted 22.4.0rc1. Two workarounds are available: Ensure any vulnerabilities in upstream proxies have been addressed, such as by upgrading them; or filter malformed requests by other means, such as configuration of an upstream proxy.
Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to version 22.4.0rc1, the Twisted Web HTTP 1.1 server, located in the `twisted.web.http` module, parsed several HTTP request constructs more leniently than permitted by RFC 7230. This non-conformant parsing can lead to desync if requests pass through multiple HTTP parsers, potentially resulting in HTTP request smuggling. Users who may be affected use Twisted Web's HTTP 1.1 server and/or proxy and also pass requests through a different HTTP server and/or proxy. The Twisted Web client is not affected. The HTTP 2.0 server uses a different parser, so it is not affected. The issue has been addressed in Twisted 22.4.0rc1. Two workarounds are available: Ensure any vulnerabilities in upstream proxies have been addressed, such as by upgrading them; or filter malformed requests by other means, such as configuration of an upstream proxy.
追加情報:
N/A
ダウンロード:
SRPMS
- python-twisted-web-12.1.0-8.el7.src.rpm
MD5: c7549754f78e3a5037f9a7b94b906160
SHA-256: 007aadd022ff9d38b72b632ebbb0d3d16b1a642d00bbd5b07299a15beb8ed358
Size: 396.98 kB
Asianux Server 7 for x86_64
- python-twisted-web-12.1.0-8.el7.x86_64.rpm
MD5: 22ee4ecb3e1719cfe3094b6ac3ac72c8
SHA-256: 41d512c669637c464b48253b5eb1437175d745c7343edc55b49a09f591a702c3
Size: 729.04 kB - python-twisted-web-12.1.0-8.el7.i686.rpm
MD5: 07c76e1260c7e2dad779f312d909728d
SHA-256: 0c9fabe3cfccae2eda38069c4a5b890d6d130f1989f8508b2367feb92de71601
Size: 729.02 kB
English
日本語