FS#74362 - [python-twisted] multiple CVEs since the packaged version
Attached to Project:
Arch Linux
Opened by Chih-Hsuan Yen (yan12125) - Tuesday, 05 April 2022, 17:24 GMT
Last edited by Toolybird (Toolybird) - Sunday, 11 September 2022, 23:05 GMT
Details
Description:
extra/python-twisted is 21.7.0, while newer versions fix several CVEs:
* CVE-2022-21712: fixed with 22.1 (https://github.com/twisted/twisted/security/advisories/GHSA-92x2-jw7w-xvvx)
* CVE-2022-21716: fixed with 22.2.0 (https://github.com/twisted/twisted/security/advisories/GHSA-rv6r-3f5q-9rgx)
* CVE-2022-24801: fixed with 22.4.0rc1 (https://github.com/twisted/twisted/security/advisories/GHSA-c2jg-hw38-jrqq)
A PKGBUILD diff for 22.4.0rc1 is attached below. 22.4.0 is going to be released (https://github.com/twisted/twisted/pull/1714) and PKGBUILD should be quite similar. Note that I improved check() besides updating pkgver.
If you want to package 22.2.0 and backport the fix for CVE-2022-24801 instead, a fix for the test suite (https://github.com/twisted/twisted/commit/f0cd452ee58e9cff73018bbf10e389826b769700) should be backported as well.
Additional info:
Other CVEs are fixed in the packaged version: https://github.com/twisted/twisted/security/advisories
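The report's point is that the packaged 21.7.0 predates every listed fix, and that one of those fixes first shipped in a release candidate (22.4.0rc1), which a naive string comparison would order after 22.4.0. The following is an added example, not part of the bug report or of the Twisted project: it encodes the three advisories from the report in a table and compares an installed version against them with a small PEP 440 style parser that orders pre-releases before the matching final release. The installed versions passed in at the bottom are constructed sample inputs.

```python
import re
from typing import Dict, List, Tuple

# Advisory table taken from the bug report above: CVE -> first Twisted release containing the fix.
FIXED_IN: Dict[str, str] = {
    "CVE-2022-21712": "22.1",
    "CVE-2022-21716": "22.2.0",
    "CVE-2022-24801": "22.4.0rc1",
}

# Release segment, optionally followed by a pre-release tag (a/b/rc + number).
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:(a|b|rc)(\d+))?$")
_PRE_RANK = {"a": 0, "b": 1, "rc": 2}


def parse_version(v: str) -> Tuple[Tuple[int, ...], Tuple[int, int, int]]:
    """Turn a simple PEP 440 style version into a sortable key.

    Release numbers compare numerically and are padded to three components
    (so "22.1" == "22.1.0"). A pre-release sorts before the final release of
    the same number, so "22.4.0rc1" < "22.4.0".
    """
    m = _VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unsupported version string: {v!r}")
    release = tuple(int(x) for x in m.group(1).split("."))
    if len(release) < 3:
        release = release + (0,) * (3 - len(release))
    if m.group(2) is None:
        pre = (1, 0, 0)  # final release: sorts after any pre-release of the same number
    else:
        pre = (0, _PRE_RANK[m.group(2)], int(m.group(3)))
    return release, pre


def unfixed_cves(installed: str) -> List[str]:
    """Return the CVEs from FIXED_IN whose fixing release is newer than `installed`."""
    current = parse_version(installed)
    return sorted(cve for cve, fixed in FIXED_IN.items() if current < parse_version(fixed))


if __name__ == "__main__":
    # Constructed sample inputs: the packaged version named in the report, and the candidates after it.
    for version in ("21.7.0", "22.2.0", "22.4.0rc1", "22.4.0"):
        outstanding = unfixed_cves(version)
        print(f"{version}: {', '.join(outstanding) if outstanding else 'no listed CVEs outstanding'}")
```

Running it shows 21.7.0 missing all three fixes, 22.2.0 still missing CVE-2022-24801, and both 22.4.0rc1 and 22.4.0 clear, which matches the release-candidate note in the report.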
Closed by Toolybird (Toolybird)
Sunday, 11 September 2022, 23:05 GMT
Reason for closing: Fixed
Additional comments about closing: python-twisted 22.4.0-1
Comment by Chih-Hsuan Yen (yan12125) - Saturday, 16 April 2022, 12:06 GMT
Here's an updated diff for twisted 22.4.0. In the updated patch, the approach for skipping one of the failed tests is improved.