openSUSE-SU-2016:3157-1

Опубликовано: 14 дек. 2016

Источник: suse-cvrf

Описание

Security update for python-Twisted

This update for python-Twisted fixes the following issues:

No longer automatically export the http_proxy environment variable to avoid the proxy being trusted by unaware applications, if a Proxy request header is supplied (boo#989997, CVE-2016-1000111)

Список пакетов

openSUSE Leap 42.1

python-Twisted-15.4.0-3.1

python-Twisted-doc-15.4.0-3.1

Ссылки

https://lists.opensuse.org/opensuse-updates/2016-12/msg00110.html
E-Mail link for openSUSE-SU-2016:3157-1
https://www.suse.com/support/security/rating/
SUSE Security Ratings

Описание

Twisted before 16.3.1 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect a CGI application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue.

Затронутые продукты

openSUSE Leap 42.1:python-Twisted-15.4.0-3.1

openSUSE Leap 42.1:python-Twisted-doc-15.4.0-3.1

Ссылки

https://www.suse.com/security/cve/CVE-2016-1000111.html
CVE-2016-1000111
https://bugzilla.suse.com/989997
SUSE Bug 989997

openSUSE-SU-2016:3157-1

Описание

Список пакетов

openSUSE Leap 42.1

Ссылки

Уязвимость: CVE-2016-1000111

Описание

Затронутые продукты

Ссылки