CVE-2024-41671

NameCVE-2024-41671
DescriptionTwisted is an event-based framework for internet applications, supporting Python 3.6+. The HTTP 1.0 and 1.1 server provided by twisted.web could process pipelined HTTP requests out-of-order, possibly resulting in information disclosure. This vulnerability is fixed in 24.7.0rc1.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3970-1, DSA-5797-1
Debian Bugs1077679

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
twisted (PTS)bullseye20.3.0-7+deb11u1vulnerable
bullseye (security)20.3.0-7+deb11u2fixed
bookworm, bookworm (security)22.4.0-4+deb12u1fixed
trixie24.11.0-1fixed
forky, sid25.5.0-4fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
twistedsourcebullseye20.3.0-7+deb11u2DLA-3970-1
twistedsourcebookworm22.4.0-4+deb12u1DSA-5797-1
twistedsource(unstable)24.7.0-11077679

Notes

https://github.com/twisted/twisted/security/advisories/GHSA-c8m8-j448-xjx7
https://github.com/twisted/twisted/commit/4a930de12fb67e88fefcb8822104152f42b27abc (twisted-24.7.0rc1)
Search for package or bug name: Reporting problems