This is a bug fix & security fix release, and is recommended for all users of Twisted. The fixes are:
- A bugfix for an HTTP/2 edge case (included in 16.3.1)
- Fix for CVE-2008-7317 (generating potentially guessable HTTP session identifiers) (included in 16.3.1)
- Fix for CVE-2008-7318 (sending secure session cookies over insecure connections) (included in 16.3.1)
- Fix for CVE-2016-1000111 (http://httpoxy.org/) (included in 16.3.1)
- Twisted's HTTP server, when operating over TLS, would not cleanly close sockets, causing it to build up CLOSE_WAIT sockets until it would eventually run out of file descriptors.
You can find the downloads on PyPI (or alternatively our website). The NEWS file is also available on GitHub.
Many thanks to everyone who had a part in this release - the supporters of the Twisted Software Foundation, the developers who contributed code as well as documentation, and all the people building great things with Twisted!
Amber Brown (HawkOwl)