[Buildroot] [2020.02.x] package/python-twisted: Fix several request smuggling attacks
Peter Korsgaard
peter at korsgaard.com
Wed Jul 22 21:12:13 UTC 2020
>>>>> "Matt" == Matt Weber <matthew.weber at rockwellcollins.com> writes:
> CVE-2020-10108
> In Twisted Web through 19.10.0, there was an HTTP request splitting
> vulnerability. When presented with two content-length headers, it
> ignored the first header. When the second content-length value was
> set to zero, the request body was interpreted as a pipelined request.
> CVE-2020-10109
> In Twisted Web through 19.10.0, there was an HTTP request splitting
> vulnerability. When presented with a content-length and a chunked
> encoding header, the content-length took precedence and the remainder
> of the request body was interpreted as a pipelined request.
> Signed-off-by: Matthew Weber <matthew.weber at rockwellcollins.com>
Committed to 2020.02.x, thanks.
--
Bye, Peter Korsgaard
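
The two header combinations named in the commit message above can be checked before a request is parsed. This is an added example, not code from Twisted or from the Buildroot patch; the function name and the sample requests are constructed, and rejecting any repeated Content-Length outright is an assumed (strict) policy.

```python
# Added illustration: flag ambiguous HTTP/1.1 message framing in a request head.
# framing_problems() is a hypothetical helper, not a Twisted API.

def framing_problems(raw_request: bytes) -> list:
    """Return the framing ambiguities found in one raw HTTP/1.1 request."""
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    header_lines = head.split(b"\r\n")[1:]  # skip the request line
    content_lengths, transfer_encodings, problems = [], [], []

    for line in header_lines:
        name, sep, value = line.partition(b":")
        if not sep:
            problems.append("malformed header line")
            continue
        if name != name.strip():
            # "Content-Length : 5" is parsed differently by different servers
            problems.append("whitespace around header name")
        key = name.strip().lower()
        if key == b"content-length":
            content_lengths.extend(v.strip() for v in value.split(b","))
        elif key == b"transfer-encoding":
            transfer_encodings.extend(v.strip().lower() for v in value.split(b","))

    # CVE-2020-10108 condition: more than one Content-Length value
    if len(content_lengths) > 1:
        problems.append("multiple content-length values")
    if any(not v.isdigit() for v in content_lengths):
        problems.append("non-numeric content-length")
    # CVE-2020-10109 condition: Content-Length together with Transfer-Encoding
    if content_lengths and transfer_encodings:
        problems.append("content-length with transfer-encoding")
    return problems


# Constructed sample request heads (not captured traffic).
DUP_CL = (b"POST /a HTTP/1.1\r\nHost: example.test\r\n"
          b"Content-Length: 44\r\nContent-Length: 0\r\n\r\n")
CL_TE = (b"POST /a HTTP/1.1\r\nHost: example.test\r\n"
         b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n")
CLEAN = (b"POST /a HTTP/1.1\r\nHost: example.test\r\n"
         b"Content-Length: 5\r\n\r\nhello")

if __name__ == "__main__":
    for label, req in (("dup-cl", DUP_CL), ("cl+te", CL_TE), ("clean", CLEAN)):
        print(label, framing_problems(req) or "ok")
```

A front end or test harness can refuse any request for which the list is non-empty, so that the proxy and the back end never disagree on where the body ends.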