* [Buildroot] [PATCH 1/1] package/python-twisted: security bump to version 22.2.0
@ 2022-03-13 11:47 Fabrice Fontaine
2022-03-23 20:26 ` Arnout Vandecappelle
2022-03-27 20:37 ` Peter Korsgaard
0 siblings, 2 replies; 5+ messages in thread
From: Fabrice Fontaine @ 2022-03-13 11:47 UTC (permalink / raw)
To: buildroot; +Cc: Fabrice Fontaine, Asaf Kahlon
Fix CVE-2022-21716: Twisted is an event-based framework for internet
applications, supporting Python 3.6+. Prior to 22.2.0, Twisted SSH
client and server implement is able to accept an infinite amount of data
for the peer's SSH version identifier. This ends up with a buffer using
all the available memory. The attach is a simple as `nc -rv localhost 22
< /dev/zero`. A patch is available in version 22.2.0. There are
currently no known workarounds.
https://github.com/twisted/twisted/releases/tag/twisted-22.2.0
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
package/python-twisted/python-twisted.hash | 4 ++--
package/python-twisted/python-twisted.mk | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/package/python-twisted/python-twisted.hash b/package/python-twisted/python-twisted.hash
index 8f0935e4f0..63da0125b8 100644
--- a/package/python-twisted/python-twisted.hash
+++ b/package/python-twisted/python-twisted.hash
@@ -1,5 +1,5 @@
# md5, sha256 from https://pypi.org/pypi/twisted/json
-md5 c818cb1ab241dc249517442e5a0e0412 Twisted-22.1.0.tar.gz
-sha256 b7971ec9805b0f80e1dcb1a3721d7bfad636d5f909de687430ce373979d67b61 Twisted-22.1.0.tar.gz
+md5 fd252d0b895ca2ab81b5b1454073d890 Twisted-22.2.0.tar.gz
+sha256 57f32b1f6838facb8c004c89467840367ad38e9e535f8252091345dba500b4f2 Twisted-22.2.0.tar.gz
# Locally computed sha256
sha256 686f6426a775450eb3afd00bc3a5c2621f305ddb9c8478ee9bf28a368ef2dece LICENSE
diff --git a/package/python-twisted/python-twisted.mk b/package/python-twisted/python-twisted.mk
index 8e867cfb58..e5d643ec05 100644
--- a/package/python-twisted/python-twisted.mk
+++ b/package/python-twisted/python-twisted.mk
@@ -4,9 +4,9 @@
#
################################################################################
-PYTHON_TWISTED_VERSION = 22.1.0
+PYTHON_TWISTED_VERSION = 22.2.0
PYTHON_TWISTED_SOURCE = Twisted-$(PYTHON_TWISTED_VERSION).tar.gz
-PYTHON_TWISTED_SITE = https://files.pythonhosted.org/packages/77/b8/8108806ebf2b33654989fd1511281dc94a49fa7e03326d84fe5498ecfae4
+PYTHON_TWISTED_SITE = https://files.pythonhosted.org/packages/40/8b/56e8870d412c550b3ff2d6714ee212c7e80a6634f4e720c3a26a983e7b46
PYTHON_TWISTED_SETUP_TYPE = setuptools
PYTHON_TWISTED_LICENSE = MIT
PYTHON_TWISTED_LICENSE_FILES = LICENSE
--
2.34.1
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [Buildroot] [PATCH 1/1] package/python-twisted: security bump to version 22.2.0
2022-03-13 11:47 [Buildroot] [PATCH 1/1] package/python-twisted: security bump to version 22.2.0 Fabrice Fontaine
@ 2022-03-23 20:26 ` Arnout Vandecappelle
2022-03-27 20:37 ` Peter Korsgaard
1 sibling, 0 replies; 5+ messages in thread
From: Arnout Vandecappelle @ 2022-03-23 20:26 UTC (permalink / raw)
To: Fabrice Fontaine, buildroot; +Cc: Asaf Kahlon
On 13/03/2022 12:47, Fabrice Fontaine wrote:
> Fix CVE-2022-21716: Twisted is an event-based framework for internet
> applications, supporting Python 3.6+. Prior to 22.2.0, Twisted SSH
> client and server implement is able to accept an infinite amount of data
> for the peer's SSH version identifier. This ends up with a buffer using
> all the available memory. The attach is a simple as `nc -rv localhost 22
> < /dev/zero`. A patch is available in version 22.2.0. There are
> currently no known workarounds.
>
> https://github.com/twisted/twisted/releases/tag/twisted-22.2.0
>
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Applied to master, thanks.
Regards,
Arnout
> ---
> package/python-twisted/python-twisted.hash | 4 ++--
> package/python-twisted/python-twisted.mk | 4 ++--
> 2 files changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/package/python-twisted/python-twisted.hash b/package/python-twisted/python-twisted.hash
> index 8f0935e4f0..63da0125b8 100644
> --- a/package/python-twisted/python-twisted.hash
> +++ b/package/python-twisted/python-twisted.hash
> @@ -1,5 +1,5 @@
> # md5, sha256 from https://pypi.org/pypi/twisted/json
> -md5 c818cb1ab241dc249517442e5a0e0412 Twisted-22.1.0.tar.gz
> -sha256 b7971ec9805b0f80e1dcb1a3721d7bfad636d5f909de687430ce373979d67b61 Twisted-22.1.0.tar.gz
> +md5 fd252d0b895ca2ab81b5b1454073d890 Twisted-22.2.0.tar.gz
> +sha256 57f32b1f6838facb8c004c89467840367ad38e9e535f8252091345dba500b4f2 Twisted-22.2.0.tar.gz
> # Locally computed sha256
> sha256 686f6426a775450eb3afd00bc3a5c2621f305ddb9c8478ee9bf28a368ef2dece LICENSE
> diff --git a/package/python-twisted/python-twisted.mk b/package/python-twisted/python-twisted.mk
> index 8e867cfb58..e5d643ec05 100644
> --- a/package/python-twisted/python-twisted.mk
> +++ b/package/python-twisted/python-twisted.mk
> @@ -4,9 +4,9 @@
> #
> ################################################################################
>
> -PYTHON_TWISTED_VERSION = 22.1.0
> +PYTHON_TWISTED_VERSION = 22.2.0
> PYTHON_TWISTED_SOURCE = Twisted-$(PYTHON_TWISTED_VERSION).tar.gz
> -PYTHON_TWISTED_SITE = https://files.pythonhosted.org/packages/77/b8/8108806ebf2b33654989fd1511281dc94a49fa7e03326d84fe5498ecfae4
> +PYTHON_TWISTED_SITE = https://files.pythonhosted.org/packages/40/8b/56e8870d412c550b3ff2d6714ee212c7e80a6634f4e720c3a26a983e7b46
> PYTHON_TWISTED_SETUP_TYPE = setuptools
> PYTHON_TWISTED_LICENSE = MIT
> PYTHON_TWISTED_LICENSE_FILES = LICENSE
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [Buildroot] [PATCH 1/1] package/python-twisted: security bump to version 22.2.0
2022-03-13 11:47 [Buildroot] [PATCH 1/1] package/python-twisted: security bump to version 22.2.0 Fabrice Fontaine
2022-03-23 20:26 ` Arnout Vandecappelle
@ 2022-03-27 20:37 ` Peter Korsgaard
2022-03-31 20:04 ` Romain Naour
1 sibling, 1 reply; 5+ messages in thread
From: Peter Korsgaard @ 2022-03-27 20:37 UTC (permalink / raw)
To: Fabrice Fontaine; +Cc: Asaf Kahlon, buildroot
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:
> Fix CVE-2022-21716: Twisted is an event-based framework for internet
> applications, supporting Python 3.6+. Prior to 22.2.0, Twisted SSH
> client and server implement is able to accept an infinite amount of data
> for the peer's SSH version identifier. This ends up with a buffer using
> all the available memory. The attach is a simple as `nc -rv localhost 22
> < /dev/zero`. A patch is available in version 22.2.0. There are
> currently no known workarounds.
> https://github.com/twisted/twisted/releases/tag/twisted-22.2.0
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Committed to 2021.02.x and 2022.02.x, thanks.
--
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [Buildroot] [PATCH 1/1] package/python-twisted: security bump to version 22.2.0
2022-03-27 20:37 ` Peter Korsgaard
@ 2022-03-31 20:04 ` Romain Naour
2022-04-03 9:43 ` Peter Korsgaard
0 siblings, 1 reply; 5+ messages in thread
From: Romain Naour @ 2022-03-31 20:04 UTC (permalink / raw)
To: Peter Korsgaard, Fabrice Fontaine; +Cc: Asaf Kahlon, buildroot
Hello Peter,
Le 27/03/2022 à 22:37, Peter Korsgaard a écrit :
>>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:
>
> > Fix CVE-2022-21716: Twisted is an event-based framework for internet
> > applications, supporting Python 3.6+. Prior to 22.2.0, Twisted SSH
> > client and server implement is able to accept an infinite amount of data
> > for the peer's SSH version identifier. This ends up with a buffer using
> > all the available memory. The attach is a simple as `nc -rv localhost 22
> > < /dev/zero`. A patch is available in version 22.2.0. There are
> > currently no known workarounds.
>
> > https://github.com/twisted/twisted/releases/tag/twisted-22.2.0
>
> > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
>
> Committed to 2021.02.x and 2022.02.x, thanks.
>
As reported recently, python-twisted and python-treq must use the same version:
http://lists.busybox.net/pipermail/buildroot/2022-February/637505.html
But this backport requires to update python-treq package:
https://git.buildroot.net/buildroot/commit/?id=933447c27c41ebcdb5eb9fa2a374456699ae33f2
Best regards,
Romain
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [Buildroot] [PATCH 1/1] package/python-twisted: security bump to version 22.2.0
2022-03-31 20:04 ` Romain Naour
@ 2022-04-03 9:43 ` Peter Korsgaard
0 siblings, 0 replies; 5+ messages in thread
From: Peter Korsgaard @ 2022-04-03 9:43 UTC (permalink / raw)
To: Romain Naour; +Cc: Fabrice Fontaine, Asaf Kahlon, buildroot
>>>>> "Romain" == Romain Naour <romain.naour@gmail.com> writes:
> Hello Peter,
> Le 27/03/2022 à 22:37, Peter Korsgaard a écrit :
>>>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:
>>
>> > Fix CVE-2022-21716: Twisted is an event-based framework for internet
>> > applications, supporting Python 3.6+. Prior to 22.2.0, Twisted SSH
>> > client and server implement is able to accept an infinite amount of data
>> > for the peer's SSH version identifier. This ends up with a buffer using
>> > all the available memory. The attach is a simple as `nc -rv localhost 22
>> > < /dev/zero`. A patch is available in version 22.2.0. There are
>> > currently no known workarounds.
>>
>> > https://github.com/twisted/twisted/releases/tag/twisted-22.2.0
>>
>> > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
>>
>> Committed to 2021.02.x and 2022.02.x, thanks.
>>
> As reported recently, python-twisted and python-treq must use the same version:
> http://lists.busybox.net/pipermail/buildroot/2022-February/637505.html
> But this backport requires to update python-treq package:
> https://git.buildroot.net/buildroot/commit/?id=933447c27c41ebcdb5eb9fa2a374456699ae33f2
Thanks, backported the python-treq bump to 2021.02.x / 2022.02.x.
--
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2022-04-03 9:43 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-03-13 11:47 [Buildroot] [PATCH 1/1] package/python-twisted: security bump to version 22.2.0 Fabrice Fontaine
2022-03-23 20:26 ` Arnout Vandecappelle
2022-03-27 20:37 ` Peter Korsgaard
2022-03-31 20:04 ` Romain Naour
2022-04-03 9:43 ` Peter Korsgaard
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.