From ${URL} :

The twisted security project has identified, fixed, and released a release fixing a security issue; I would like a CVE assigned:

Title: trustRoot not respected in HTTP client
Reporter: Alex Gaynor and David Reid (Rackspace)
Products: Twisted (14.0 only).

Description: When specifying the trustRoot (CA store) for the HTTP client, Twisted did not respect the user's specification, and always used the default of the platform trust. This means that users attempting to use this feature to implement certificate pinning, or otherwise restrict the trusted CAs, would still have accepted any certificate signed by a CA.

Twisted 14.0.1 has been issued to resolve this issue. (Distributors should note that this release has failing tests, and that a 14.0.2 release will be issued tomorrow; this does not affect the fix, only the tests.)

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
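The failure the advisory describes, as an added check (not Twisted's code and not part of this bug report): a TLS client handed an explicit trust root, which is what Twisted's trustRoot is meant to be, must refuse a server certificate issued by any other CA, and 14.0.0 silently fell back to the platform store instead. The check assumes Python 3.7+ and the openssl CLI on PATH; the CA names and hostname are constructed placeholders.

```python
# Added example (not Twisted's code): throw-away CAs built with the openssl CLI; all names are placeholders.
import ssl, subprocess, tempfile

HOST = "service.example"  # constructed hostname; matches the leaf's SAN below
LEAF_EXT = (f"basicConstraints=CA:FALSE\nsubjectKeyIdentifier=hash\n"
            f"authorityKeyIdentifier=keyid\nsubjectAltName=DNS:{HOST}\n"
            "extendedKeyUsage=serverAuth\n")

def _openssl(*args):
    subprocess.run(["openssl", *args], check=True, capture_output=True)

def make_pki(d):
    """Constructed PKI: two unrelated self-signed CAs; the leaf is issued by issuer-ca."""
    for ca in ("pinned-ca", "issuer-ca"):
        _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
                 "-subj", f"/CN={ca}", "-keyout", f"{d}/{ca}.key", "-out", f"{d}/{ca}.pem")
    _openssl("req", "-newkey", "rsa:2048", "-nodes", "-subj", f"/CN={HOST}",
             "-keyout", f"{d}/leaf.key", "-out", f"{d}/leaf.csr")
    with open(f"{d}/leaf.ext", "w") as f: f.write(LEAF_EXT)
    _openssl("x509", "-req", "-days", "1", "-in", f"{d}/leaf.csr", "-CA", f"{d}/issuer-ca.pem",
             "-CAkey", f"{d}/issuer-ca.key", "-CAcreateserial", "-extfile", f"{d}/leaf.ext",
             "-out", f"{d}/leaf.pem")

def client_accepts(trust_root, cert, key):
    """In-memory TLS handshake: True only if a client trusting ONLY trust_root accepts cert."""
    client = ssl.create_default_context(cafile=trust_root)  # platform CAs are NOT loaded
    server = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    server.load_cert_chain(cert, key)
    to_server, to_client = ssl.MemoryBIO(), ssl.MemoryBIO()
    pending = [client.wrap_bio(to_client, to_server, server_hostname=HOST),
               server.wrap_bio(to_server, to_client, server_side=True)]
    try:
        for _ in range(10):  # each pass moves one flight of records per side
            for obj in list(pending):
                try:
                    obj.do_handshake()
                    pending.remove(obj)  # this side has finished
                except ssl.SSLWantReadError:
                    pass  # waiting for bytes the peer has not written yet
            if not pending:
                return True
    except ssl.SSLCertVerificationError:
        return False  # the client refused the chain: the trust root was honoured
    raise RuntimeError("handshake did not converge")

def run_check():
    """(accepted with the issuing CA as trust root, accepted with an unrelated CA)"""
    with tempfile.TemporaryDirectory() as d:
        make_pki(d)
        return (client_accepts(f"{d}/issuer-ca.pem", f"{d}/leaf.pem", f"{d}/leaf.key"),
                client_accepts(f"{d}/pinned-ca.pem", f"{d}/leaf.pem", f"{d}/leaf.key"))
```

A client that behaves like Twisted 14.0.0 would return True for both cases, because the unrelated "pinned" root never actually restricts what it trusts.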
Only the v14.x branch was affected, because this was the branch in which the feature was developed; see https://twistedmatrix.com/trac/ticket/4888.

Affected version hit the Gentoo repository via https://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/dev-python/twisted-core/twisted-core-14.0.0.ebuild?hideattic=1&view=log

Fixed version appeared via https://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/dev-python/twisted-core/twisted-core-14.0.1.ebuild?hideattic=1&view=log

However, the v14.x branch was already cleaned up via https://gitweb.gentoo.org/repo/gentoo.git/commit/dev-python/twisted-core?id=30aa69ba0c44805daa77f664a35643eed86c697d so nothing is left to do for us.

@ Maintainer(s): Security recommends stabilizing v15+ in the near future, because validating certificates is a must these days and this feature isn't present in the current stable branch. However, that's not part of this bug.

@ Security: Please vote!
GLSA Vote: No