* [Buildroot] [PATCH 1/1] package/python-twisted: security bump to version 22.1.0
From: Fabrice Fontaine @ 2022-02-18 10:55 UTC
To: buildroot; +Cc: Fabrice Fontaine, Asaf Kahlon
Fix CVE-2022-21712: twisted is an event-driven networking engine written
in Python. In affected versions twisted exposes cookies and
authorization headers when following cross-origin redirects. This issue
is present in the `twisted.web.RedirectAgent` and `twisted.web.
BrowserLikeRedirectAgent` functions. Users are advised to upgrade. There
are no known workarounds.
Update hash of license file (author added and year updated in:
https://github.com/twisted/twisted/commit/13aa59746a73769b05a51c2198b28f5602dd382f
https://github.com/twisted/twisted/commit/adfdf23477abfcd09a867347993fc1d207cfb4dd
https://github.com/twisted/twisted/commit/7e65fbeed3d74a4eb1c40d7a6df5651782becbc8)
https://github.com/twisted/twisted/security/advisories/GHSA-92x2-jw7w-xvvx
https://github.com/twisted/twisted/releases/tag/twisted-22.1.0
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
package/python-twisted/python-twisted.hash | 6 +++---
package/python-twisted/python-twisted.mk | 6 +++---
2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/package/python-twisted/python-twisted.hash b/package/python-twisted/python-twisted.hash
index c633112e9d..8f0935e4f0 100644
--- a/package/python-twisted/python-twisted.hash
+++ b/package/python-twisted/python-twisted.hash
@@ -1,5 +1,5 @@
# md5, sha256 from https://pypi.org/pypi/twisted/json
-md5 fc16d575730db7d0cddd09fc35af3eea Twisted-20.3.0.tar.bz2
-sha256 d72c55b5d56e176563b91d11952d13b01af8725c623e498db5507b6614fc1e10 Twisted-20.3.0.tar.bz2
+md5 c818cb1ab241dc249517442e5a0e0412 Twisted-22.1.0.tar.gz
+sha256 b7971ec9805b0f80e1dcb1a3721d7bfad636d5f909de687430ce373979d67b61 Twisted-22.1.0.tar.gz
# Locally computed sha256
-sha256 98426fd47315df70098e0d85efbb5d7dd8001c9c536386937354640d6d8d75b9 LICENSE
+sha256 686f6426a775450eb3afd00bc3a5c2621f305ddb9c8478ee9bf28a368ef2dece LICENSE
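Review bot: the switch of the source archive from Twisted-20.3.0.tar.bz2 to Twisted-22.1.0.tar.gz on the replaced md5/sha256 lines is not mentioned in the commit message; a short line saying upstream now publishes a .tar.gz would make the renamed hash entries read as intentional. The changed locally computed LICENSE sha256 is already justified by the three license-file commits cited in the commit message, which is enough.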
diff --git a/package/python-twisted/python-twisted.mk b/package/python-twisted/python-twisted.mk
index 49d97af097..8e867cfb58 100644
--- a/package/python-twisted/python-twisted.mk
+++ b/package/python-twisted/python-twisted.mk
@@ -4,9 +4,9 @@
#
################################################################################
-PYTHON_TWISTED_VERSION = 20.3.0
-PYTHON_TWISTED_SOURCE = Twisted-$(PYTHON_TWISTED_VERSION).tar.bz2
-PYTHON_TWISTED_SITE = https://files.pythonhosted.org/packages/4a/b4/4973c7ccb5be2ec0abc779b7d5f9d5f24b17b0349e23240cfc9dc3bd83cc
+PYTHON_TWISTED_VERSION = 22.1.0
+PYTHON_TWISTED_SOURCE = Twisted-$(PYTHON_TWISTED_VERSION).tar.gz
+PYTHON_TWISTED_SITE = https://files.pythonhosted.org/packages/77/b8/8108806ebf2b33654989fd1511281dc94a49fa7e03326d84fe5498ecfae4
PYTHON_TWISTED_SETUP_TYPE = setuptools
PYTHON_TWISTED_LICENSE = MIT
PYTHON_TWISTED_LICENSE_FILES = LICENSE
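Review bot: PYTHON_TWISTED_VERSION jumps from 20.3.0 to 22.1.0, two major releases, but the hunk only touches VERSION, SOURCE and SITE and nothing in the patch records that in-tree reverse dependencies were checked; Romain's reply later in this thread shows python-treq failing at import (`cannot import name '_PY3' from 'twisted.python.compat'`) after this bump. Bumping python-treq to 22.2.0 in the same series, as he suggests, or noting the reverse dependencies that were tested in the commit message, would have caught this before the commit.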
--
2.34.1
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
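The cross-origin header leak described in the commit message above (CVE-2022-21712: credentials carried along when a client follows a redirect to another origin), as an added example that is not Twisted's code or this patch: a redirect header policy that drops Cookie and Authorization when the origin changes, plus a defender-side audit over a constructed redirect log. Function names and the sample chain are assumptions made here.

```python
"""Added illustration of the header-leak class behind CVE-2022-21712.
Not Twisted's implementation; names and sample data are constructed."""
from urllib.parse import urlsplit

# Headers that must never follow a redirect to a different origin.
SENSITIVE = {"authorization", "cookie"}
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """(scheme, host, port) of a URL; an explicit default port is normalised
    so that https://h/ and https://h:443/ count as the same origin."""
    u = urlsplit(url)
    port = u.port or DEFAULT_PORTS.get(u.scheme.lower())
    return (u.scheme.lower(), (u.hostname or "").lower(), port)


def headers_for_redirect(from_url, to_url, headers):
    """Headers to send on the redirected request: credentials are kept only
    when the redirect target shares the origin of the redirected request."""
    if origin(from_url) == origin(to_url):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in SENSITIVE}


def audit_redirect_chain(log):
    """Detection-side check over a captured redirect chain, given as a list of
    (from_url, to_url, headers_actually_sent) hops (constructed format).
    Returns the hops where a credential header crossed an origin boundary."""
    leaks = []
    for from_url, to_url, sent in log:
        if origin(from_url) == origin(to_url):
            continue
        leaked = sorted(k for k in sent if k.lower() in SENSITIVE)
        if leaked:
            leaks.append((from_url, to_url, leaked))
    return leaks


# Constructed sample: a client that forwards everything, like the affected
# RedirectAgent, leaks on the second hop where the host changes.
CREDS = {"Authorization": "Bearer t0k3n", "Cookie": "session=abc", "Accept": "*/*"}
SAMPLE_CHAIN = [
    ("https://api.example.test/a", "https://api.example.test/b", CREDS),
    ("https://api.example.test/b", "https://other.example.test/c", CREDS),
    ("https://other.example.test/c", "https://other.example.test/d", {"Accept": "*/*"}),
]
```

Running `audit_redirect_chain(SAMPLE_CHAIN)` flags only the api.example.test to other.example.test hop; routing the same chain through `headers_for_redirect` at each hop yields no flagged hops.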
* Re: [Buildroot] [PATCH 1/1] package/python-twisted: security bump to version 22.1.0
From: Peter Korsgaard @ 2022-02-20 20:35 UTC
To: Fabrice Fontaine; +Cc: Asaf Kahlon, buildroot
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:
> Fix CVE-2022-21712: twisted is an event-driven networking engine written
> in Python. In affected versions twisted exposes cookies and
> authorization headers when following cross-origin redirects. This issue
> is present in the `twisted.web.RedirectAgent` and `twisted.web.
> BrowserLikeRedirectAgent` functions. Users are advised to upgrade. There
> are no known workarounds.
> Update hash of license file (author added and year updated in:
> https://github.com/twisted/twisted/commit/13aa59746a73769b05a51c2198b28f5602dd382f
> https://github.com/twisted/twisted/commit/adfdf23477abfcd09a867347993fc1d207cfb4dd
> https://github.com/twisted/twisted/commit/7e65fbeed3d74a4eb1c40d7a6df5651782becbc8)
> https://github.com/twisted/twisted/security/advisories/GHSA-92x2-jw7w-xvvx
> https://github.com/twisted/twisted/releases/tag/twisted-22.1.0
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Committed, thanks.
--
Bye, Peter Korsgaard
* Re: [Buildroot] [PATCH 1/1] package/python-twisted: security bump to version 22.1.0
From: Romain Naour @ 2022-02-21 22:38 UTC
To: Peter Korsgaard, Fabrice Fontaine; +Cc: Asaf Kahlon, buildroot
On 20/02/2022 at 21:35, Peter Korsgaard wrote:
>>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:
>
> > Fix CVE-2022-21712: twisted is an event-driven networking engine written
> > in Python. In affected versions twisted exposes cookies and
> > authorization headers when following cross-origin redirects. This issue
> > is present in the `twisted.web.RedirectAgent` and `twisted.web.
> > BrowserLikeRedirectAgent` functions. Users are advised to upgrade. There
> > are no known workarounds.
>
> > Update hash of license file (author added and year updated in:
> > https://github.com/twisted/twisted/commit/13aa59746a73769b05a51c2198b28f5602dd382f
> > https://github.com/twisted/twisted/commit/adfdf23477abfcd09a867347993fc1d207cfb4dd
> > https://github.com/twisted/twisted/commit/7e65fbeed3d74a4eb1c40d7a6df5651782becbc8)
>
> > https://github.com/twisted/twisted/security/advisories/GHSA-92x2-jw7w-xvvx
> > https://github.com/twisted/twisted/releases/tag/twisted-22.1.0
>
> > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
>
> Committed, thanks.
>
I'm not familiar with python-twisted but it seems that python-twisted and
python-treq must use the same version because it's the same project:
https://github.com/twisted/twisted
https://github.com/twisted/treq
We have to update python-treq to version 22.2.0 [1] otherwise we have a runtime
issue:
# python sample_python_treq.py
Traceback (most recent call last):
  File "/root/sample_python_treq.py", line 2, in <module>
    import treq
  File "/usr/lib/python3.10/site-packages/treq/__init__.py", line 5, in <module>
  File "/usr/lib/python3.10/site-packages/treq/api.py", line 5, in <module>
  File "/usr/lib/python3.10/site-packages/treq/client.py", line 11, in <module>
ImportError: cannot import name '_PY3' from 'twisted.python.compat' (unknown location)
[1] https://github.com/twisted/treq/releases/tag/release-22.2.0
Best regards,
Romain
* Re: [Buildroot] [PATCH 1/1] package/python-twisted: security bump to version 22.1.0
From: Fabrice Fontaine @ 2022-02-21 23:09 UTC
To: Romain Naour; +Cc: Asaf Kahlon, Buildroot Mailing List
On Mon, 21 Feb 2022 at 23:38, Romain Naour <romain.naour@gmail.com> wrote:
>
> On 20/02/2022 at 21:35, Peter Korsgaard wrote:
> >>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:
> >
> > > Fix CVE-2022-21712: twisted is an event-driven networking engine written
> > > in Python. In affected versions twisted exposes cookies and
> > > authorization headers when following cross-origin redirects. This issue
> > > is present in the `twisted.web.RedirectAgent` and `twisted.web.
> > > BrowserLikeRedirectAgent` functions. Users are advised to upgrade. There
> > > are no known workarounds.
> >
> > > Update hash of license file (author added and year updated in:
> > > https://github.com/twisted/twisted/commit/13aa59746a73769b05a51c2198b28f5602dd382f
> > > https://github.com/twisted/twisted/commit/adfdf23477abfcd09a867347993fc1d207cfb4dd
> > > https://github.com/twisted/twisted/commit/7e65fbeed3d74a4eb1c40d7a6df5651782becbc8)
> >
> > > https://github.com/twisted/twisted/security/advisories/GHSA-92x2-jw7w-xvvx
> > > https://github.com/twisted/twisted/releases/tag/twisted-22.1.0
> >
> > > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> >
> > Committed, thanks.
> >
>
> I'm not familiar with python-twisted but it seems that python-twisted and
> python-treq must use the same version because it's the same project:
>
> https://github.com/twisted/twisted
> https://github.com/twisted/treq
>
> We have to update python-treq to version 22.2.0 [1] otherwise we have a runtime
> issue:
>
> # python sample_python_treq.py
> Traceback (most recent call last):
>   File "/root/sample_python_treq.py", line 2, in <module>
>     import treq
>   File "/usr/lib/python3.10/site-packages/treq/__init__.py", line 5, in <module>
>   File "/usr/lib/python3.10/site-packages/treq/api.py", line 5, in <module>
>   File "/usr/lib/python3.10/site-packages/treq/client.py", line 11, in <module>
> ImportError: cannot import name '_PY3' from 'twisted.python.compat' (unknown location)
>
> [1] https://github.com/twisted/treq/releases/tag/release-22.2.0
Thanks for spotting this issue, I sent a patch series.
>
> Best regards,
> Romain
Best Regards,
Fabrice
* Re: [Buildroot] [PATCH 1/1] package/python-twisted: security bump to version 22.1.0
From: Peter Korsgaard @ 2022-03-10 22:31 UTC
To: Fabrice Fontaine; +Cc: Asaf Kahlon, buildroot
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:
> Fix CVE-2022-21712: twisted is an event-driven networking engine written
> in Python. In affected versions twisted exposes cookies and
> authorization headers when following cross-origin redirects. This issue
> is present in the `twisted.web.RedirectAgent` and `twisted.web.
> BrowserLikeRedirectAgent` functions. Users are advised to upgrade. There
> are no known workarounds.
> Update hash of license file (author added and year updated in:
> https://github.com/twisted/twisted/commit/13aa59746a73769b05a51c2198b28f5602dd382f
> https://github.com/twisted/twisted/commit/adfdf23477abfcd09a867347993fc1d207cfb4dd
> https://github.com/twisted/twisted/commit/7e65fbeed3d74a4eb1c40d7a6df5651782becbc8)
> https://github.com/twisted/twisted/security/advisories/GHSA-92x2-jw7w-xvvx
> https://github.com/twisted/twisted/releases/tag/twisted-22.1.0
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Committed to 2021.02.x and 2021.11.x, thanks.
--
Bye, Peter Korsgaard