Bugzilla – Bug 1216588
VUL-0: CVE-2023-46137: python-Twisted: disordered HTTP pipeline response in twisted.web
Last modified: 2024-05-03 17:48:19 UTC
Twisted is an event-based framework for internet applications. Prior to version 23.10.0rc1, when multiple HTTP requests arrive in one TCP packet, twisted.web processes the requests asynchronously without guaranteeing the response order. If one of the endpoints is controlled by an attacker, the attacker can deliberately delay its response so that the responses are swapped when a victim sends two pipelined requests, thereby manipulating the response to the second request. Version 23.10.0rc1 contains a patch for this issue.
References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-46137
https://github.com/twisted/twisted/security/advisories/GHSA-xc8x-vp79-p3wm
https://bugzilla.redhat.com/show_bug.cgi?id=2246264
Fix in https://github.com/twisted/twisted/pull/11979
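The ordering problem described above, as an added example that is not part of this bug report or of Twisted's own code: a small asyncio simulation in which three pipelined requests from one read are handled concurrently and the handler for the first request finishes last. The "write as completed" writer shows how responses end up misordered; the "write in request order" writer keeps the invariant HTTP/1.1 requires of a pipelining server (RFC 9112, section 9.3.2: responses go out in the order the requests were received). The request paths, the completion order and the Event-driven handler are constructed for the illustration.

```python
import asyncio

# Constructed pipelined batch: three requests read from one TCP segment, and
# the order in which their handlers happen to finish. The first request's
# handler is the slow one (it is released last).
REQUESTS = ["GET /slow", "GET /account", "GET /logout"]
COMPLETION_ORDER = [1, 2, 0]  # handler indexes in finishing order


async def handle(path: str, finished: asyncio.Event) -> str:
    """A request handler whose finishing time depends on something the
    server does not control (simulated here by waiting on an Event)."""
    await finished.wait()
    return f"HTTP/1.1 200 OK\r\nX-Served: {path}\r\n\r\n"


async def write_as_completed(tasks: list) -> list[str]:
    """Vulnerable pattern: put each response on the wire the moment its
    handler finishes, regardless of which request it belongs to."""
    wire = []
    for fut in asyncio.as_completed(tasks):
        wire.append(await fut)
    return wire


async def write_in_request_order(tasks: list) -> list[str]:
    """Hardened pattern: handlers may still run concurrently, but bytes go
    on the wire strictly in arrival order, so a slow early handler holds
    back later responses instead of letting them overtake it."""
    wire = []
    for t in tasks:  # `tasks` is in request-arrival order
        wire.append(await t)
    return wire


async def release(events: list, order: list) -> None:
    """Simulate handlers finishing in `order`, one per event-loop iteration."""
    for i in order:
        events[i].set()
        await asyncio.sleep(0)


async def serve(writer) -> list[str]:
    """Run all three handlers concurrently with the given writer strategy."""
    events = [asyncio.Event() for _ in REQUESTS]
    tasks = [asyncio.create_task(handle(p, e)) for p, e in zip(REQUESTS, events)]
    wire, _ = await asyncio.gather(writer(tasks), release(events, COMPLETION_ORDER))
    return wire


def served_paths(ordered: bool) -> list[str]:
    """Return the X-Served path of each response in the order it hit the wire."""
    writer = write_in_request_order if ordered else write_as_completed
    wire = asyncio.run(serve(writer))
    return [r.split("X-Served: ")[1].split("\r\n")[0] for r in wire]


def responses_match_requests(paths: list[str]) -> bool:
    """Client-side sanity check: does response i actually answer request i?
    A pipelining client that can correlate responses (here via the constructed
    X-Served header) can detect a misordering server before trusting a reply."""
    return paths == REQUESTS


if __name__ == "__main__":
    print("as completed   :", served_paths(False))
    print("in request order:", served_paths(True))
```

Running the block prints the misordered wire sequence for the vulnerable writer (the answer to `/account` arrives where the client expects the answer to `/slow`) and the correct sequence for the ordered writer. The ordered writer deliberately does not cancel concurrency; it only serialises the writes, which is the minimum a pipelining server has to guarantee.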
This is an autogenerated message for OBS integration: This bug (1216588) was mentioned in https://build.opensuse.org/request/show/1126660 Factory / python-Twisted
Patches for SUSE:ALP:Source:Standard:1.0 (ssr#312834), SUSE:SLE-15:Update (ssr#312829), SUSE:SLE-15-SP2:Update (ssr#312833), SUSE:SLE-15-SP4:Update (ssr#312828), SUSE:SLE-15-SP4:Update (ssr#312820), and openSUSE:Factory (sr#1126660) submitted. Suggesting WONTFIX for SUSE:SLE-12:Update … the difference is rather large (15.2.1 v 22.10.0), not sure whether it is necessary to spend a rather large amount of work on porting it.
SUSE-SU-2023:4490-1: An update that solves one vulnerability can now be installed.
Category: security (moderate)
Bug References: 1216588
CVE References: CVE-2023-46137
Sources used:
openSUSE Leap 15.4 (src): python-Twisted-19.10.0-150200.3.21.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:4608-1: An update that solves one vulnerability can now be installed.
Category: security (moderate)
Bug References: 1216588
CVE References: CVE-2023-46137
Sources used:
openSUSE Leap 15.4 (src): python-Twisted-test-22.10.0-150400.5.13.2, python-Twisted-22.10.0-150400.5.13.1
openSUSE Leap 15.5 (src): python-Twisted-22.10.0-150400.5.13.1
Python 3 Module 15-SP4 (src): python-Twisted-22.10.0-150400.5.13.1
Python 3 Module 15-SP5 (src): python-Twisted-22.10.0-150400.5.13.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:4607-1: An update that solves one vulnerability can now be installed.
Category: security (moderate)
Bug References: 1216588
CVE References: CVE-2023-46137
Sources used:
openSUSE Leap 15.4 (src): python3-Twisted-22.2.0-150400.15.1
openSUSE Leap 15.5 (src): python3-Twisted-22.2.0-150400.15.1
Server Applications Module 15-SP4 (src): python3-Twisted-22.2.0-150400.15.1
Server Applications Module 15-SP5 (src): python3-Twisted-22.2.0-150400.15.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:4830-1: An update that solves one vulnerability can now be installed.
Category: security (moderate)
Bug References: 1216588
CVE References: CVE-2023-46137
Sources used:
Public Cloud Module 15-SP1 (src): python-Twisted-17.9.0-150000.3.11.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE:SLE-12:Update resolved as WONTFIX, due to an intrusive backport.