ELA-604-1 twisted security update

HTTP request smuggling

2022-05-01
Packagetwisted
Version14.0.2-3+deb8u5
Related CVEs CVE-2022-24801


Twisted is an event-based Python framework for internet applications. The Twisted Web HTTP 1.1 server parsed several HTTP request constructs more leniently than permitted by RFC 7230. This non-conformant parsing can lead to desync if requests pass through multiple HTTP parsers, potentially resulting in HTTP request smuggling.



For Debian 8 jessie, these problems have been fixed in version 14.0.2-3+deb8u5.

We recommend that you upgrade your twisted packages.

Further information about Extended LTS security advisories can be found in the dedicated section of our website.