FS#74362 - [python-twisted] multiple CVEs since the packaged version

Attached to Project: Arch Linux
Opened by Chih-Hsuan Yen (yan12125) - Tuesday, 05 April 2022, 17:24 GMT
Last edited by Toolybird (Toolybird) - Sunday, 11 September 2022, 23:05 GMT
Task Type Bug Report
Category Security
Status Closed
Assigned To Felix Yan (felixonmars)
Levente Polyak (anthraxx)
Architecture All
Severity High
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 1
Private No

Details

Description:

extra/python-twisted is 21.7.0, while newer versions fix several CVEs:

* CVE-2022-21712: fixed with 22.1 (https://github.com/twisted/twisted/security/advisories/GHSA-92x2-jw7w-xvvx)
* CVE-2022-21716: fixed with 22.2.0 (https://github.com/twisted/twisted/security/advisories/GHSA-rv6r-3f5q-9rgx)
* CVE-2022-24801: fixed with 22.4.0rc1 (https://github.com/twisted/twisted/security/advisories/GHSA-c2jg-hw38-jrqq)

A PKGBUILD diff for 22.4.0rc1 is attached below. 22.4.0 is going to be released (https://github.com/twisted/twisted/pull/1714) and PKGBUILD should be quite similar.

Note that I improved check() besides updating pkgver. If you want to package 22.2.0 and backport the fix for CVE-2022-24801 instead, a fix for the test suite (https://github.com/twisted/twisted/commit/f0cd452ee58e9cff73018bbf10e389826b769700) should be backported as well.

Additional info:
Other CVEs are fixed in the packaged version: https://github.com/twisted/twisted/security/advisories

Steps to reproduce:
This task depends upon

Closed by Toolybird (Toolybird)
Sunday, 11 September 2022, 23:05 GMT
Reason for closing: Fixed
Additional comments about closing: python-twisted 22.4.0-1
Comment by Chih-Hsuan Yen (yan12125) - Saturday, 16 April 2022, 12:06 GMT
Here's an updated diff for twisted 22.4.0. In the updated patch, the approach for skipping one of the failed tests is improved.