Bugzilla – Bug 1166457
VUL-0: CVE-2020-10108: python-Twisted: requests with multiple Content-Length headers were allowed
Last modified: 2022-08-25 14:43:29 UTC
CVE-2020-10108: An HTTP request smuggling issue was found in python-Twisted. Requests with multiple Content-Length headers were allowed.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-10108
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10108
http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-10108.html

SUSE:SLE-12:Update python-Twisted Affected
SUSE:SLE-15:Update python-Twisted Affected
Created attachment 832616 [details] twisted-web-helloworld.py Minimal Twisted web server
QA REPRODUCER:

# python3 twisted-web-helloworld.py
# printf "GET / HTTP/1.1\r\nContent-Length: 3\r\nContent-Length: 0\r\nUser-Agent: nc/0.0.1\r\nHost: 127.0.0.1\r\nAccept: */*\r\n\r\n---" | nc 127.0.0.1 8080

Result GOOD:
> HTTP/1.1 400 Bad Request

Result FAIL:
> HTTP/1.1 200 OK
> Server: TwistedWeb/19.10.0
> Date: Thu, 12 Mar 2020 09:49:03 GMT
> Content-Type: text/plain
> Content-Length: 13
>
> Hello, World.
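The check a conforming server needs in order to turn the FAIL result above into the GOOD one, as an added example (not Twisted's code and not the upstream patch): a small request-head parser that answers 400 whenever Content-Length is duplicated or not a plain decimal, so the body framing can never be ambiguous. Function and constant names are the example's own; RFC 7230 §3.3.2 would also permit accepting duplicates whose values are identical, but this example takes the stricter option and rejects any duplicate.

```python
import re

def parse_request_head(raw: bytes):
    """Split a raw HTTP/1.1 request head into (request line, [(name, value), ...]).
    Header names are lower-cased; a line without ':' is a malformed head."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("ascii", "replace")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        headers.append((name.strip().lower().decode("ascii", "replace"),
                        value.strip().decode("ascii", "replace")))
    return request_line, headers

def content_length_status(raw: bytes) -> int:
    """Return the status a server should answer for this request head:
    200 when the Content-Length framing is unambiguous, 400 otherwise."""
    try:
        _request_line, headers = parse_request_head(raw)
    except ValueError:
        return 400
    values = [v for n, v in headers if n == "content-length"]
    if not values:
        return 200
    # A comma-separated list inside one field counts as several values too.
    members = [m.strip() for v in values for m in v.split(",")]
    if len(members) != 1:
        # Duplicate Content-Length: reject rather than guess which one frames the body.
        return 400
    if not re.fullmatch(r"[0-9]+", members[0]):
        # Non-decimal length (e.g. "abc", "-1", "0x10"): also unrecoverable.
        return 400
    return 200

# Constructed inputs: the reproducer request from this bug, and a clean request.
SMUGGLING_REQUEST = (b"GET / HTTP/1.1\r\nContent-Length: 3\r\nContent-Length: 0\r\n"
                     b"User-Agent: nc/0.0.1\r\nHost: 127.0.0.1\r\nAccept: */*\r\n\r\n---")
CLEAN_REQUEST = b"GET / HTTP/1.1\r\nHost: 127.0.0.1\r\nContent-Length: 3\r\n\r\n---"

if __name__ == "__main__":
    print(content_length_status(SMUGGLING_REQUEST))  # 400
    print(content_length_status(CLEAN_REQUEST))      # 200
```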
According to rh#1813439 the solution is in https://github.com/twisted/twisted/commit/4a7d22e490bb8ff836892cc99a1f54b85ccb0281
Please submit it together with bsc#1166458.
(In reply to Wolfgang Frisch from comment #1)
> SUSE:SLE-15:Update python-Twisted Affected

Are you sure? According to the CVE report, this bug has been fixed in 19.10.0, which is exactly what we have in SLE-15-SP2, and in SLE-15-SP4 we have even 22.2.0.
(In reply to Matej Cepl from comment #7)
> (In reply to Wolfgang Frisch from comment #1)
> > SUSE:SLE-15:Update python-Twisted Affected
>
> Are you sure? According to the CVE report, this bug has been fixed in
> 19.10.0, which is exactly what we have in SLE-15-SP2 and in SLE-15-SP4 we
> have even 22.2.0.

I guess it is the same as for bsc#1166458.c8: from the GitHub link you shared in comment 5 you can see which are the tags that contain that commit, and the oldest one is 20.3.0.
CVE-2020-10108 is not mentioned in the 15-SP2 changes file.
SUSE-SU-2022:2811-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1166457,1166458
CVE References: CVE-2020-10108,CVE-2020-10109
JIRA References:
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src): python-Twisted-15.2.1-9.20.1
SUSE OpenStack Cloud Crowbar 8 (src): python-Twisted-15.2.1-9.20.1
SUSE OpenStack Cloud 9 (src): python-Twisted-15.2.1-9.20.1
SUSE OpenStack Cloud 8 (src): python-Twisted-15.2.1-9.20.1
SUSE Linux Enterprise Module for Web Scripting 12 (src): python-Twisted-15.2.1-9.20.1
HPE Helion Openstack 8 (src): python-Twisted-15.2.1-9.20.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
I've double-checked this issue again and it looks like this is fixed. The following two patches have mostly the same content:

SUSE:SLE-12:Update/python-Twisted/CVE-2020-10108-http-req-headers.patch
SUSE:SLE-15-SP2:Update/python-Twisted/CVE-2022-24801-http-1.1-leniency.patch

Setting this issue to resolved.