twisted: CVE-2014-7143: trustRoot not respected in HTTP client

Related Vulnerabilities: CVE-2014-7143  

Debian Bug report logs - #761983

Reported by: Henri Salo <henri@nerv.fi>

Date: Wed, 17 Sep 2014 14:27:01 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Found in version 14.0.0-2

Fixed in version twisted/14.0.2-1

Done: Matthias Klose <doko@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:
Bug#761983; Package twisted. (Wed, 17 Sep 2014 14:27:06 GMT)


Acknowledgement sent to Henri Salo <henri@nerv.fi>:
New Bug report received and forwarded. Copy sent to Matthias Klose <doko@debian.org>. (Wed, 17 Sep 2014 14:27:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Henri Salo <henri@nerv.fi>
To: submit@bugs.debian.org
Subject: twisted: trustRoot not respected in HTTP client
Date: Wed, 17 Sep 2014 17:25:35 +0300

Package: twisted
Version: 14.0.0-2
Tags: security, fixed-upstream
Severity: important

Hi,

See [1] for a trustRoot not respected in HTTP client issue in Twisted reported
by Alex Gaynor and David Reid (Rackspace).

1: http://www.openwall.com/lists/oss-security/2014/09/17/4

---
Henri Salo



Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 17 Sep 2014 14:33:09 GMT)


Changed Bug title to 'twisted: CVE-2014-7143: trustRoot not respected in HTTP client' from 'twisted: trustRoot not respected in HTTP client'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 22 Sep 2014 06:33:16 GMT)


Reply sent to Matthias Klose <doko@debian.org>:
You have taken responsibility. (Tue, 30 Sep 2014 13:39:14 GMT)


Notification sent to Henri Salo <henri@nerv.fi>:
Bug acknowledged by developer. (Tue, 30 Sep 2014 13:39:14 GMT)


Message #14 received at 761983-close@bugs.debian.org:

From: Matthias Klose <doko@debian.org>
To: 761983-close@bugs.debian.org
Subject: Bug#761983: fixed in twisted 14.0.2-1
Date: Tue, 30 Sep 2014 13:35:07 +0000
Source: twisted
Source-Version: 14.0.2-1

We believe that the bug you reported is fixed in the latest version of
twisted, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 761983@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Matthias Klose <doko@debian.org> (supplier of updated twisted package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Tue, 30 Sep 2014 15:04:00 +0200
Source: twisted
Binary: python-twisted-bin python-twisted-bin-dbg python-twisted-core python-twisted-conch python-twisted-lore python-twisted-mail python-twisted-names python-twisted-news python-twisted-runner python-twisted-runner-dbg python-twisted-web python-twisted-words twisted-doc python-twisted
Architecture: source all i386
Version: 14.0.2-1
Distribution: unstable
Urgency: medium
Maintainer: Matthias Klose <doko@debian.org>
Changed-By: Matthias Klose <doko@debian.org>
Description:
 python-twisted - Event-based framework for internet applications (dependency packa
 python-twisted-bin - Event-based framework for internet applications
 python-twisted-bin-dbg - Event-based framework for internet applications (debug extension)
 python-twisted-conch - Twisted SSH Implementation
 python-twisted-core - Event-based framework for internet applications
 python-twisted-lore - Documentation generator with HTML and LaTeX support
 python-twisted-mail - SMTP, IMAP and POP protocol implementation
 python-twisted-names - DNS protocol implementation with client and server
 python-twisted-news - NNTP protocol implementation with client and server
 python-twisted-runner - Process management, including an inetd server
 python-twisted-runner-dbg - Process management, including an inetd server (debug extension)
 python-twisted-web - HTTP protocol implementation together with clients and servers
 python-twisted-words - Chat and Instant Messaging
 twisted-doc - Official documentation of Twisted
Closes: 759073 761983
Changes:
 twisted (14.0.2-1) unstable; urgency=medium
 .
   * New upstream release.
     - Fix issue #7647: BrowserLikePolicyForHTTPS would always ignore the
       specified trustRoot and use the system trust root instead, which has
       been rectified. Closes: #761983.
   * Build using wxpython3.0 (Olly Betts). Closes: #759073.




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 04 Nov 2014 07:41:26 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:56:30 2019; Machine Name: beach
