On behalf of Twisted Matrix Laboratories, I am
honoured to announce the release of Twisted 19.2.1!
This is a security release, and contains the
following changes:
- All HTTP clients in twisted.web.client now raise a ValueError when called with a method and/or URL that contain invalid characters. This mitigates CVE-2019-12387. Thanks to Alex Brasetvik for reporting this vulnerability.
It is recommended
you update to this release as soon as is practical.
Additional
mitigation may be required if Twisted is not your only HTTP
client library:
- This bug is present in all current versions of urllib2 in CPython. More information can be found on the Python bug tracker: https://bugs.python.org/issue30458
- This bug was
present in urllib3 up until version 1.24.3. More information
can be found on the urllib3 bug tracker:
https://github.com/urllib3/urllib3/issues/1553
Twisted Regards,
Amber Brown (HawkOwl)