[Buildroot] [2020.02.x] package/python-twisted: Fix several request smuggling attacks

Peter Korsgaard peter at korsgaard.com
Wed Jul 22 21:12:13 UTC 2020


>>>>> "Matt" == Matt Weber <matthew.weber at rockwellcollins.com> writes:

 > CVE-2020-10108
 > In Twisted Web through 19.10.0, there was an HTTP request splitting
 > vulnerability. When presented with two content-length headers, it
 > ignored the first header. When the second content-length value was
 > set to zero, the request body was interpreted as a pipelined request.

 > CVE-2020-10109
 > In Twisted Web through 19.10.0, there was an HTTP request splitting
 > vulnerability. When presented with a content-length and a chunked
 > encoding header, the content-length took precedence and the remainder
 > of the request body was interpreted as a pipelined request.

 > Signed-off-by: Matthew Weber <matthew.weber at rockwellcollins.com>

Committed to 2020.02.x, thanks.

-- 
Bye, Peter Korsgaard


More information about the buildroot mailing list