An update for python-twisted-web is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Twisted is an event-based framework for internet applications. Twisted Web is a complete web server, aimed at hosting web applications using Twisted and Python, but fully able to serve static pages too.

Security Fix(es):

* It was discovered that python-twisted-web used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-1000111)

Note: After this update, python-twisted-web will no longer pass the value of the Proxy request header to scripts via the HTTP_PROXY environment variable.

Red Hat would like to thank Scott Geary (VendHQ) for reporting this issue.
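
The header-to-environment mapping described above, as an added example (not code from Twisted or Red Hat): a simplified Python model of how a CGI gateway turns request headers into HTTP_* variables, showing the pre-update and post-update handling of the Proxy header plus a check for requests that carry it. The function names and the sample request are constructed for illustration.

```python
# Added example: a model of the CGI header-to-environment mapping, not Twisted's code.

def parse_headers(raw_request):
    """Parse the header lines of a raw HTTP/1.x request into (name, value) pairs."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name, value))
    return pairs


def cgi_env_from_headers(headers, drop_proxy_header):
    """Map request headers to CGI variables: HTTP_<NAME>, with '-' replaced by '_'.

    drop_proxy_header=False models the behaviour before the update;
    True models the behaviour after it (the Proxy header is not passed on).
    """
    env = {}
    for name, value in headers:
        key = "HTTP_" + name.strip().upper().replace("-", "_")
        if drop_proxy_header and key == "HTTP_PROXY":
            continue  # header names are case-insensitive, so compare the mapped key
        env[key] = value.strip()
    return env


def sends_proxy_header(raw_request):
    """Detection helper: True if the request carries a Proxy header (any case)."""
    return any(n.strip().lower() == "proxy" for n, _ in parse_headers(raw_request))


# Constructed sample request; host names and values are placeholders.
SAMPLE = (
    "GET /cgi-bin/report.py HTTP/1.1\r\n"
    "Host: app.example\r\n"
    "pRoXy: http://proxy.invalid:8080\r\n"
    "Proxy-Authorization: Basic xxx\r\n"
    "\r\n"
)

if __name__ == "__main__":
    hdrs = parse_headers(SAMPLE)
    print("before update:", cgi_env_from_headers(hdrs, drop_proxy_header=False))
    print("after update: ", cgi_env_from_headers(hdrs, drop_proxy_header=True))
    print("Proxy header present:", sends_proxy_header(SAMPLE))
```

Only the exact Proxy header collides with HTTP_PROXY; Proxy-Authorization maps to HTTP_PROXY_AUTHORIZATION and is unaffected by the filter.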
Red Hat Enterprise Linux Desktop (v. 6)

SRPMS:
python-twisted-web-8.2.0-5.el6_8.src.rpm
 
IA-32:
python-twisted-web-8.2.0-5.el6_8.i686.rpm
 
x86_64:
python-twisted-web-8.2.0-5.el6_8.x86_64.rpm
 
Red Hat Enterprise Linux Desktop (v. 7)

SRPMS:
python-twisted-web-12.1.0-5.el7_2.src.rpm
 
x86_64:
python-twisted-web-12.1.0-5.el7_2.x86_64.rpm
 
Red Hat Enterprise Linux Server (v. 6)

SRPMS:
python-twisted-web-8.2.0-5.el6_8.src.rpm
 
IA-32:
python-twisted-web-8.2.0-5.el6_8.i686.rpm
 
PPC:
python-twisted-web-8.2.0-5.el6_8.ppc64.rpm
 
s390x:
python-twisted-web-8.2.0-5.el6_8.s390x.rpm
 
x86_64:
python-twisted-web-8.2.0-5.el6_8.x86_64.rpm
 
Red Hat Enterprise Linux Server (v. 7)

SRPMS:
python-twisted-web-12.1.0-5.el7_2.src.rpm
 
PPC:
python-twisted-web-12.1.0-5.el7_2.ppc64.rpm
 
PPC64LE:
python-twisted-web-12.1.0-5.el7_2.ppc64le.rpm
 
s390x:
python-twisted-web-12.1.0-5.el7_2.s390x.rpm
 
x86_64:
python-twisted-web-12.1.0-5.el7_2.x86_64.rpm
 
Red Hat Enterprise Linux Server AUS (v. 7.2)

SRPMS:
python-twisted-web-12.1.0-5.el7_2.src.rpm
 
x86_64:
python-twisted-web-12.1.0-5.el7_2.x86_64.rpm
 
Red Hat Enterprise Linux Server EUS (v. 7.2)

SRPMS:
python-twisted-web-12.1.0-5.el7_2.src.rpm
 
PPC:
python-twisted-web-12.1.0-5.el7_2.ppc64.rpm
 
PPC64LE:
python-twisted-web-12.1.0-5.el7_2.ppc64le.rpm
 
s390x:
python-twisted-web-12.1.0-5.el7_2.s390x.rpm
 
x86_64:
python-twisted-web-12.1.0-5.el7_2.x86_64.rpm
 
Red Hat Enterprise Linux Workstation (v. 6)

SRPMS:
python-twisted-web-8.2.0-5.el6_8.src.rpm
 
IA-32:
python-twisted-web-8.2.0-5.el6_8.i686.rpm
 
x86_64:
python-twisted-web-8.2.0-5.el6_8.x86_64.rpm
 
Red Hat Enterprise Linux Workstation (v. 7)

SRPMS:
python-twisted-web-12.1.0-5.el7_2.src.rpm
 
x86_64:
python-twisted-web-12.1.0-5.el7_2.x86_64.rpm
 
(The unlinked packages above are only available from the Red Hat Network)

1357345 – CVE-2016-1000111 Python Twisted: sets environmental variable based on user supplied Proxy request header

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
