Package: twisted / 18.9.0-8~bpo10+1

Metadata

Package Version Patches format
twisted 18.9.0-8~bpo10+1 3.0 (quilt)

Patch series

Patch File delta Description
0001 wxpython3.0.patch | (download)

src/twisted/internet/wxreactor.py | 6 3 + 3 - 0 !
1 file changed, 3 insertions(+), 3 deletions(-)

 wxpython3.0

Fix imports from the wx package.

0002 combinedlog.patch | (download)

src/twisted/web/http.py | 2 1 + 1 - 0 !
src/twisted/web/test/test_web.py | 16 8 + 8 - 0 !
2 files changed, 9 insertions(+), 9 deletions(-)

 combinedlog

Preserve backward-compatibility in the way the client IP of a request
is logged by the twisted.web HTTP server.

Bug: https://twistedmatrix.com/trac/ticket/7730
Bug-Debian: https://bugs.debian.org/772629

0003 sphinx theme.patch | (download)

docs/conf.py | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

 sphinx-theme

Set the sphinx theme.

0004 localIntersphinx.patch | (download)

docs/conf.py | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 localintersphinx

Use local copies of object.inv for building documentation.

0005 insecure pythonpath.patch | (download)

docs/core/howto/quotes.rst | 3 2 + 1 - 0 !
1 file changed, 2 insertions(+), 1 deletion(-)

 insecure-pythonpath

Fix vulnerable example of PYTHONPATH.

0006 fix sphinx import path.patch | (download)

docs/conf.py | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 fix-sphinx-import-path

Adjust the import path in the Sphinx configuration file to
match the new source files location (src/).

0008 sort option keys.patch | (download)

src/twisted/python/usage.py | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 sort-option-keys

Fix flaky twisted.test.test_main.MainTests.test_twisted which fails
if options are not in the same order.

See https://twistedmatrix.com/trac/attachment/ticket/8923.

0009 no stderr in test_ckeygen.patch | (download)

src/twisted/conch/test/test_ckeygen.py | 6 5 + 1 - 0 !
1 file changed, 5 insertions(+), 1 deletion(-)

 no-stderr-in-test_ckeygen

Fix a test writing to stderr. See:

https://twistedmatrix.com/trac/ticket/8924

0010 handle setlocale test failure.patch | (download)

src/twisted/conch/test/test_cftp.py | 6 4 + 2 - 0 !
1 file changed, 4 insertions(+), 2 deletions(-)

 handle-setlocale-test-failure

Gracefully handle setlocale failures during the test suite (e.g.
when running in a container).

0010 spurious failure in setup unit tests.patch | (download)

src/twisted/python/test/test_setup.py | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 spurious-failure-in-setup-unit-tests


0011 Ignore fuction name in SSL error code in tests to wo.patch | (download)

src/twisted/test/test_tcp.py | 7 6 + 1 - 0 !
1 file changed, 6 insertions(+), 1 deletion(-)

 ignore function name in SSL error code in tests to work across
 OpenSSL versions


0012 Skip test for empty cypher string openssl does not t.patch | (download)

src/twisted/test/test_sslverify.py | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 skip test for empty cypher string, openssl does not throw error now

See: https://github.com/openssl/openssl/issues/7725

0013 Drop test_givesMeaningfulErrorMessageIfNoCipherMatch.patch | (download)

src/twisted/test/test_sslverify.py | 15 0 + 15 - 0 !
1 file changed, 15 deletions(-)

 drop test_givesMeaningfulErrorMessageIfNoCipherMatches

with OpenSSL 1.1.1 no ValueError is raised

0014 OpenSSL may not use ECDH by default thus drop this t.patch | (download)

src/twisted/test/test_sslverify.py | 31 0 + 31 - 0 !
1 file changed, 31 deletions(-)

 openssl may not use ecdh by default, thus drop this test


0015 Fix tests to expect new web request logging format.patch | (download)

src/twisted/web/test/test_web.py | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 fix tests to expect new web request logging format


0016 Fix SyntaxWarning.patch | (download)

src/twisted/conch/client/knownhosts.py | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 fix syntaxwarning

Fix SyntaxWarning on knownhosts.py

CVE 2019 12387.patch | (download)

src/twisted/web/_newclient.py | 85 81 + 4 - 0 !
src/twisted/web/client.py | 22 17 + 5 - 0 !
src/twisted/web/test/injectionhelpers.py | 168 168 + 0 - 0 !
src/twisted/web/test/test_agent.py | 147 146 + 1 - 0 !
src/twisted/web/test/test_webclient.py | 313 312 + 1 - 0 !
5 files changed, 724 insertions(+), 11 deletions(-)

 [patch] prevent CRLF injections described in CVE-2019-12387

CVE 2019 12855 01.patch | (download)

src/twisted/words/protocols/jabber/xmlstream.py | 2 1 + 1 - 0 !
src/twisted/words/test/test_jabberxmlstream.py | 61 43 + 18 - 0 !
2 files changed, 44 insertions(+), 19 deletions(-)

 [patch 01/17] use optionsForClientTLS to verify server certificate by
 default


CVE 2019 12855 02.patch | (download)

docs/words/examples/xmpp_client.py | 3 2 + 1 - 0 !
1 file changed, 2 insertions(+), 1 deletion(-)

 [patch 02/17] fix client example to print disconnection reason


CVE 2019 12855 03.patch | (download)

src/twisted/words/protocols/jabber/xmlstream.py | 6 5 + 1 - 0 !
src/twisted/words/test/test_jabberxmlstream.py | 24 24 + 0 - 0 !
2 files changed, 29 insertions(+), 1 deletion(-)

 [patch 03/17] allow for custom contextFactory to TLS initializer


CVE 2019 12855 04.patch | (download)

src/twisted/words/protocols/jabber/xmlstream.py | 5 5 + 0 - 0 !
1 file changed, 5 insertions(+)

 [patch 04/17] add docstrings for new contextfactory attribute


CVE 2019 12855 05.patch | (download)

src/twisted/words/protocols/jabber/client.py | 28 10 + 18 - 0 !
src/twisted/words/protocols/jabber/xmlstream.py | 9 5 + 4 - 0 !
src/twisted/words/test/test_jabberclient.py | 39 37 + 2 - 0 !
src/twisted/words/test/test_jabberxmlstream.py | 9 9 + 0 - 0 !
4 files changed, 61 insertions(+), 24 deletions(-)

 [patch 05/17] clean up connecting authenticators

This adds an optional `required` argument to the inits of initializers
deriving from BaseFeatureInitiatingInitializer, to simplify setup.
Additionally it changes the requiredness of two initializers used by
XMPPAuthenticator:

* Setup of TLS is now required by default. This ensures that if StartTLS
is not advertised by the server, initialization fails instead of
silently proceeding to authentication without encryption.
* Binding a resource is required by default, because without it servers
will not allow any further meaningful interaction.

CVE 2019 12855 06.patch | (download)

src/twisted/words/protocols/jabber/client.py | 25 21 + 4 - 0 !
src/twisted/words/protocols/jabber/xmlstream.py | 9 9 + 0 - 0 !
src/twisted/words/test/test_jabberclient.py | 35 31 + 4 - 0 !
3 files changed, 61 insertions(+), 8 deletions(-)

 [patch 06/17] provide a way to use custom certificate options for
 XMPP clients

This adds an optional `contextFactory` argument to `XMPPClientFactory`
that is passed on to `XMPPAuthenticator`, which in turn passes it to
`TLSInitiatingInitializer`.

CVE 2019 12855 07.patch | (download)

src/twisted/words/test/test_jabberxmlstream.py | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

 [patch 07/17] adjust tests to TLSInitiatingInitializer being required
 by default


CVE 2019 12855 09.patch | (download)

src/twisted/words/test/test_jabberxmlstream.py | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [patch 09/17] fix skipping renamed test when ssl is not available


CVE 2019 12855 10.patch | (download)

src/twisted/words/test/test_jabberclient.py | 12 11 + 1 - 0 !
src/twisted/words/test/test_jabberxmlstream.py | 22 14 + 8 - 0 !
2 files changed, 25 insertions(+), 9 deletions(-)

 [patch 10/17] skip tls tests if openssl is not available


CVE 2019 12855 11.patch | (download)

src/twisted/words/test/test_jabberclient.py | 4 2 + 2 - 0 !
src/twisted/words/test/test_jabberxmlstream.py | 2 1 + 1 - 0 !
2 files changed, 3 insertions(+), 3 deletions(-)

 [patch 11/17] fix indents


CVE 2019 12855 12.patch | (download)

src/twisted/words/test/test_jabberclient.py | 13 8 + 5 - 0 !
1 file changed, 8 insertions(+), 5 deletions(-)

 [patch 12/17] better docstring for basicauthenticatortests


CVE 2019 12855 13.patch | (download)

src/twisted/words/protocols/jabber/client.py | 37 21 + 16 - 0 !
src/twisted/words/protocols/jabber/xmlstream.py | 28 15 + 13 - 0 !
src/twisted/words/test/test_jabberclient.py | 26 15 + 11 - 0 !
src/twisted/words/test/test_jabberxmlstream.py | 3 3 + 0 - 0 !
4 files changed, 54 insertions(+), 40 deletions(-)

 [patch 13/17] rename contextFactory to configurationForTLS, make
 private vars


CVE 2019 12855 14.patch | (download)

src/twisted/words/protocols/jabber/xmlstream.py | 12 6 + 6 - 0 !
1 file changed, 6 insertions(+), 6 deletions(-)

 [patch 14/17] move check for configurationtls being none to __init__


CVE 2019 12855 15.patch | (download)

src/twisted/words/protocols/jabber/client.py | 16 10 + 6 - 0 !
src/twisted/words/protocols/jabber/xmlstream.py | 3 2 + 1 - 0 !
2 files changed, 12 insertions(+), 7 deletions(-)

 [patch 15/17] document configurationfortls being none directly


CVE 2019 12855 17.patch | (download)

src/twisted/words/protocols/jabber/xmlstream.py | 12 6 + 6 - 0 !
1 file changed, 6 insertions(+), 6 deletions(-)

 [patch 17/17] revert "move check for configurationtls being none to
 __init__"

This reverts commit 05556b6ca14a49e4c7f3b5e8ede83137b869926e.

CVE 2019 951x.patch | (download)

src/twisted/web/_http2.py | 130 101 + 29 - 0 !
src/twisted/web/error.py | 8 8 + 0 - 0 !
src/twisted/web/http.py | 8 7 + 1 - 0 !
src/twisted/web/test/test_http.py | 13 10 + 3 - 0 !
src/twisted/web/test/test_http2.py | 262 261 + 1 - 0 !
5 files changed, 387 insertions(+), 34 deletions(-)

 [patch] buffer outbound control frames and timeout invalid clients.

An HTTP/2 server can be effectively DoSed by having a remote peer stop
reading from a connection while continuing to send frames that trigger
automatic control frame emission. This patch addresses that by ensuring
that rather than automatically write all control frames into the
transport, we will buffer them in the HTTP/2 connection object, ensuring
that we have visibility into the size of that buffer, and thus can abort
the connection if it grows too large.

An HTTP/2 server can also be DoSed by a client that sends only invalid
frames (e.g., a RESET_STREAM frame when no streams have been created.)
This patch addresses that by only resetting H2Connection's timeout
when the underlying h2.connection.H2Connection has parsed at least one
valid frame.

CVE 2020 1010x pre1.patch | (download)

src/twisted/web/test/test_http.py | 78 36 + 42 - 0 !
1 file changed, 36 insertions(+), 42 deletions(-)

 [patch] refactor to reduce duplication


CVE 2020 1010x.patch | (download)

src/twisted/web/http.py | 64 49 + 15 - 0 !
src/twisted/web/test/test_http.py | 137 137 + 0 - 0 !
2 files changed, 186 insertions(+), 15 deletions(-)

 [patch] fix several request smuggling attacks.

1. Requests with multiple Content-Length headers were allowed (thanks
to Jake Miller from Bishop Fox and ZeddYu Lu) and now fail with a 400;

2. Requests with a Content-Length header and a Transfer-Encoding
header honored the first header (thanks to Jake Miller from Bishop
Fox) and now fail with a 400;

3. Requests whose Transfer-Encoding header had a value other than
"chunked" and "identity" (thanks to ZeddYu Lu) were allowed and now fail
with a 400.
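As an added illustration, not part of this patch and not Twisted's own code, the following Python validator applies the three header rules listed above to a raw HTTP/1.1 header block and answers with the status a server should return. The function names and the constructed sample header blocks are mine; the extra check that a Content-Length value is numeric goes slightly beyond the three listed rules and is marked as such in the code.

```python
"""Defensive validation of HTTP/1.1 message-framing headers.

Added example (hypothetical helper names, not Twisted's API). It mirrors
the three request-smuggling conditions from the CVE-2020-1010x patch
description: duplicate Content-Length, Content-Length together with
Transfer-Encoding, and a Transfer-Encoding other than "chunked" or
"identity" all get a 400.
"""
from typing import List, Optional, Tuple

# A header block is modelled as an ordered list of (name, value) pairs,
# which is what a server has after splitting the header lines.
Headers = List[Tuple[str, str]]


def parse_header_block(raw: bytes) -> Headers:
    """Split a CRLF-separated header block (request line already removed).

    Field names are lower-cased because HTTP field names are
    case-insensitive; values are kept as sent, surrounding whitespace
    stripped.
    """
    headers: Headers = []
    for line in raw.split(b"\r\n"):
        if not line:
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        headers.append((name.strip().lower().decode("ascii"),
                        value.strip().decode("ascii")))
    return headers


def framing_error(headers: Headers) -> Optional[str]:
    """Return a rejection reason for a 400 response, or None if acceptable."""
    content_lengths = [v for n, v in headers if n == "content-length"]
    transfer_encodings = [v for n, v in headers if n == "transfer-encoding"]

    # Rule 1: more than one Content-Length header.
    if len(content_lengths) > 1:
        return "multiple Content-Length headers"
    # Rule 2: Content-Length and Transfer-Encoding both present; do not
    # pick one of them, refuse the request.
    if content_lengths and transfer_encodings:
        return "Content-Length and Transfer-Encoding both present"
    # Rule 3: only "chunked" and "identity" are acceptable codings.
    for coding in transfer_encodings:
        if coding.lower() not in ("chunked", "identity"):
            return "unsupported Transfer-Encoding: %s" % coding
    # Extra check beyond the three listed rules: a Content-Length that is
    # not a plain decimal number cannot frame the body unambiguously.
    if content_lengths and not content_lengths[0].isdigit():
        return "non-numeric Content-Length"
    return None


def classify_request(raw_headers: bytes) -> Tuple[int, str]:
    """Return (status, reason): 400 and the reason, or 200 and 'ok'."""
    try:
        headers = parse_header_block(raw_headers)
    except (ValueError, UnicodeDecodeError) as exc:
        return 400, str(exc)
    problem = framing_error(headers)
    if problem:
        return 400, problem
    return 200, "ok"


# Constructed header blocks (request line stripped) covering each rule.
SAMPLES = {
    "single CL": b"Host: example\r\nContent-Length: 5\r\n",
    "two CL": b"Host: example\r\nContent-Length: 5\r\nContent-Length: 7\r\n",
    "CL + TE": b"Host: example\r\nContent-Length: 5\r\n"
               b"Transfer-Encoding: chunked\r\n",
    "bad TE": b"Host: example\r\nTransfer-Encoding: gzip\r\n",
    "chunked": b"Host: example\r\nTransfer-Encoding: chunked\r\n",
}

if __name__ == "__main__":
    for label, block in SAMPLES.items():
        status, reason = classify_request(block)
        print("%-10s -> %d %s" % (label, status, reason))
```

Run stand-alone, the script prints one verdict per sample; only the single Content-Length and the plain chunked block are accepted.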