1) CVE-2020-10108 Description: "In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with two content-length headers, it ignored the first header. When the second content-length value was set to zero, the request body was interpreted as a pipelined request."
2) CVE-2020-10109 Description: "In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with a content-length and a chunked encoding header, the content-length took precedence and the remainder of the request body was interpreted as a pipelined request."
Patch: https://github.com/twisted/twisted/commit/4a7d22e490bb8ff836892cc99a1f54b85ccb0281
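The two framing ambiguities described in the report, as an added Python example that is neither Twisted's code nor the linked patch: a strict check that rejects a request head whose body length is ambiguous instead of picking one header, which is the defensive behaviour a server or front-end should have. The function names and the sample request heads are constructed for the example.

```python
from typing import List, Tuple

# Added example, not Twisted's code: a strict HTTP/1.1 body-framing check.
# RFC 7230 s3.3.3 permits rejecting Content-Length combined with Transfer-Encoding
# and conflicting Content-Length values; this check rejects any duplicate, even copies.

class FramingError(ValueError):
    """Body length of the request cannot be determined unambiguously."""

def parse_headers(raw: bytes) -> List[Tuple[str, str]]:
    """Return lower-cased (name, value) pairs from a raw request head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs

def body_framing(headers: List[Tuple[str, str]]) -> Tuple[str, int]:
    """Return ("chunked", 0), ("length", n) or ("none", 0), else raise FramingError."""
    lengths = [v for n, v in headers if n == "content-length"]
    encodings = [v.lower() for n, v in headers if n == "transfer-encoding"]
    if encodings and lengths:  # the CVE-2020-10109 pattern
        raise FramingError("Content-Length together with Transfer-Encoding")
    if encodings:
        if not any("chunked" in e for e in encodings):
            raise FramingError("Transfer-Encoding present but not chunked")
        return ("chunked", 0)
    if len(lengths) > 1:  # the CVE-2020-10108 pattern
        raise FramingError("multiple Content-Length headers")
    if lengths:
        if not lengths[0].isdigit():
            raise FramingError("non-numeric Content-Length")
        return ("length", int(lengths[0]))
    return ("none", 0)

def check(raw: bytes) -> str:
    """Classify a request head as 'accept: <kind> <n>' or 'reject: <reason>'."""
    try:
        kind, n = body_framing(parse_headers(raw))
    except FramingError as exc:
        return f"reject: {exc}"
    return f"accept: {kind} {n}"

# Constructed sample request heads (not taken from the bug report).
TWO_LENGTHS = b"POST / HTTP/1.1\r\nHost: example\r\nContent-Length: 5\r\nContent-Length: 0\r\n\r\n"
CL_AND_TE = b"POST / HTTP/1.1\r\nHost: example\r\nContent-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n"
CLEAN = b"POST / HTTP/1.1\r\nHost: example\r\nContent-Length: 4\r\n\r\n"
```

A server that rejects here (typically with 400) never has to decide which header wins, so the "remainder of the request body" can never be reinterpreted as a second request.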
@maintainer(s), please create an appropriate ebuild (patch looks like it's in 20.3.0).
@maintainer(s): ping
@maintainer(s), please advise if ready for stabilisation, or call yourself
@maintainer(s), please cleanup
Waiting for PPC stabilisation (it was forgotten about).
GLSA vote: yes
This issue was resolved and addressed in GLSA 202007-24 at https://security.gentoo.org/glsa/202007-24 by GLSA coordinator Sam James (sam_c).
(In reply to GLSAMaker/CVETool Bot from comment #9)
> This issue was resolved and addressed in
> GLSA 202007-24 at https://security.gentoo.org/glsa/202007-24
> by GLSA coordinator Sam James (sam_c).
Reopening for cleanup.
Cleanup done, all done!