Opened 7 weeks ago

#33836 new defect

Require Twisted 20.3.0 in gettor's requirements.txt

Reported by: teor
Owned by:
Priority: Medium
Milestone:
Component: Applications/GetTor
Version:
Severity: Normal
Keywords:
Cc: cohosh, traumschule, hiro, gaba, phw
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Twisted has an HTTP request splitting vulnerability; GetTor is probably affected.

Please update your requirements.txt to depend on Twisted 20.3.0 or later.
(And any downstream packages.)

The GitHub alert is:
https://github.com/torproject/gettor/network/alert/requirements.txt/Twisted/open

The relevant CVEs are:
CVE-2020-10108
https://github.com/advisories/GHSA-h96w-mmrf-2h6v
CVE-2020-10109
https://github.com/advisories/GHSA-p5xh-vx83-mxcj
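
A check that a requirements file enforces the floor requested above, as an added example that is not part of the ticket or of GetTor's code. The function names and `SAMPLE` are constructed for illustration, and version parsing is simplified to plain numeric versions.

```python
import re

FIXED = (20, 3, 0)  # minimum Twisted release the ticket asks for
# Package name, optional [extras], then specifiers up to any ';' marker or '#' comment.
_REQ = re.compile(r"^\s*([A-Za-z0-9._-]+)\s*(?:\[[^\]]*\])?\s*([^;#]*)")
_SPEC = re.compile(r"(===|==|~=|>=|<=|!=|>|<)\s*([0-9]+(?:\.[0-9]+)*)")

SAMPLE = """\
# constructed sample, not GetTor's actual requirements.txt
service_identity>=18.1.0
Twisted==19.10.0
twisted[tls]>=18.9,<21
Twisted>=20.3.0
Twisted
"""

def _version(text):
    """Turn '20.3' into (20, 3, 0) so versions compare as tuples."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def twisted_findings(requirements_text):
    """Return (line_no, line, reason) for each Twisted entry that can still
    resolve to a release older than FIXED. Only ==, ===, >=, ~= and > count
    as lower bounds; pre-release and wildcard rules are not modelled."""
    findings = []
    for no, raw in enumerate(requirements_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("#", "-")):
            continue  # skip blanks, comments and pip options such as -r / -e
        m = _REQ.match(line)
        if not m or m.group(1).lower() != "twisted":
            continue
        floors = [_version(v) for op, v in _SPEC.findall(m.group(2))
                  if op in ("==", "===", ">=", "~=", ">")]
        if not floors:
            findings.append((no, line, "no lower bound"))
        elif max(floors) < FIXED:
            findings.append((no, line, "lower bound below 20.3.0"))
    return findings

if __name__ == "__main__":
    for no, line, reason in twisted_findings(SAMPLE):
        print(f"line {no}: {line!r}: {reason}")
```

An upper-bound-only entry such as `Twisted<20` is reported as having no lower bound, since it can only resolve to releases older than the requested minimum.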
