CVE-2020-10109

Advisory

Twisted 20.3.0 includes a fix for CVE-2020-10109: In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with a content-length and a chunked encoding header, the content-length took precedence and the remainder of the request body was interpreted as a pipelined request.

Affected package

Affected versions

Fixed versions

Vulnerability changelog

===========================Bugfixes--------- twisted.protocols.amp.BoxDispatcher.callRemote and callRemoteString will no longer return failing Deferreds for requiresAnswer=False commands when the transport they're operating on has been disconnected. (9756)Improved Documentation----------------------- Added a missing hyphen to a reference to the ``--debug`` option of ``pdb`` in the Trial how-to. (9690)- The documentation of the twisted.cred.checkers module has been extended and corrected. (9724)Deprecations and Removals-------------------------- twisted.news is deprecated. (9405)Misc----- 9634, 9701, 9707, 9710, 9715, 9726, 9727, 9728, 9729, 9735, 9737, 9757Conch-----Features~~~~~~~~- twisted.conch.ssh now supports the curve25519-sha256 key exchange algorithm (requires OpenSSL >= 1.1.0). (6814)- twisted.conch.ssh.keys can now write private keys in the new "openssh-key-v1" format, introduced in OpenSSH 6.5 and made the default in OpenSSH 7.8. ckeygen has a corresponding new --private-key-subtype=v1 option. (9683)Bugfixes~~~~~~~~- twisted.conch.keys.Key.privateBlob now returns the correct blob format for ECDSA (i.e. the same as that implemented by OpenSSH). (9682)Misc~~~~- 9760Web---Bugfixes~~~~~~~~- Fixed return type of twisted.web.http.Request.getUser and twisted.web.http.Request.getPassword to binary if no authorization header was found or an exception was thrown (9596)- twisted.web.http.HTTPChannel now rejects requests (with status code 400 and a drop) that have malformed headers of the form "Foo : value" or ": value". (9646)- twisted.web.http.Request now correctly parses multipart-encoded form data submitted as a chunked request on Python 3.7+. (9678)- twisted.web.client.BrowserLikePolicyForHTTPS is now listed in __all__, since it's a user-facing class that anyone could import and extend. (9769)- twisted.web.http was subject to several request smuggling attacks. Requests with multiple Content-Length headers were allowed (CVE-2020-10108, thanks to Jake Miller from Bishop Fox and ZeddYu Lu for reporting this) and now fail with a 400; requests with a Content-Length header and a Transfer-Encoding header honored the first header (CVE-2020-10109, thanks to Jake Miller from Bishop Fox for reporting this) and now fail with a 400; requests whose Transfer-Encoding header had a value other than "chunked" and "identity" (thanks to ZeddYu Lu) were allowed and now fail with a 400. (9770)Mail----Misc~~~~- 9733Words-----Bugfixes~~~~~~~~- Fixed parsing of streams with Python 3.8 when there are spaces in namespaces or namespaced attributes in twisted.words.xish.domish.ExpatElementStream (9730)Names-----Bugfixes~~~~~~~~- twisted.names.secondary.SecondaryAuthority now accepts str for its domain parameter, so twist dns --secondary now functions on Python 3. (9496)

Resources

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10109
• https://know.bishopfox.com/advisories/twisted-version-19.10.0
• https://know.bishopfox.com/advisories
• https://lists.fedoraproject.org/archives/list/[email protected]/message/YW3NIL7VXSGJND2Q4BSXM3CFTAFU6T7D/
• https://lists.fedoraproject.org/archives/list/[email protected]/message/6ISMZFZBWW4EV6ETJGXAYIXN3AT7GBPL/
• https://usn.ubuntu.com/4308-1/
• https://usn.ubuntu.com/4308-2/
• https://security.gentoo.org/glsa/202007-24
• https://lists.debian.org/debian-lts-announce/2022/02/msg00021.html