Ubuntu Security Notice 6575-1 - It was discovered that Twisted incorrectly escaped host headers in certain 404 responses. A remote attacker could possibly use this issue to perform HTML and script injection attacks. This issue only affected Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. It was discovered that Twisted incorrectly handled response order when processing multiple HTTP requests. A remote attacker could possibly use this issue to delay responses and manipulate the responses of second requests.
ed3e7c5783d3f0cb002940795e80215d7f03c457363997ab4d6217f8021d22d0
==========================================================================
Ubuntu Security Notice USN-6575-1
January 10, 2024
twisted vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 23.10
- Ubuntu 23.04
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
Several security issues were fixed in Twisted.
Software Description:
- twisted: Event-based framework for internet applications
Details:
It was discovered that Twisted incorrectly escaped host headers in certain
404 responses. A remote attacker could possibly use this issue to perform
HTML and script injection attacks. This issue only affected Ubuntu 20.04
LTS and Ubuntu 22.04 LTS. (CVE-2022-39348)
It was discovered that Twisted incorrectly handled response order when
processing multiple HTTP requests. A remote attacker could possibly use
this issue to delay responses and manipulate the responses of second
requests. (CVE-2023-46137)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 23.10:
python3-twisted 22.4.0-4ubuntu0.23.10.1
Ubuntu 23.04:
python3-twisted 22.4.0-4ubuntu0.23.04.1
Ubuntu 22.04 LTS:
python3-twisted 22.1.0-2ubuntu2.4
Ubuntu 20.04 LTS:
python3-twisted 18.9.0-11ubuntu0.20.04.3
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6575-1
CVE-2022-39348, CVE-2023-46137
Package Information:
https://launchpad.net/ubuntu/+source/twisted/22.4.0-4ubuntu0.23.10.1
https://launchpad.net/ubuntu/+source/twisted/22.4.0-4ubuntu0.23.04.1
https://launchpad.net/ubuntu/+source/twisted/22.1.0-2ubuntu2.4
https://launchpad.net/ubuntu/+source/twisted/18.9.0-11ubuntu0.20.04.3