Security update for python-Twisted SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2016:3157-1 Final 1 1 2016-12-14T13:55:16Z current 2016-12-14T13:55:16Z 2016-12-14T13:55:16Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for python-Twisted This update for python-Twisted fixes the following issues: - No longer automatically export the http_proxy environment variable to avoid the proxy being trusted by unaware applications, if a Proxy request header is supplied (boo#989997, CVE-2016-1000111) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-updates/2016-12/msg00110.html E-Mail link for openSUSE-SU-2016:3157-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.1 python-Twisted-15.4.0-3.1 python-Twisted-doc-15.4.0-3.1 python-Twisted-15.4.0-3.1 as a component of openSUSE Leap 42.1 python-Twisted-doc-15.4.0-3.1 as a component of openSUSE Leap 42.1 Twisted before 16.3.1 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect a CGI application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. CVE-2016-1000111 openSUSE Leap 42.1:python-Twisted-15.4.0-3.1 openSUSE Leap 42.1:python-Twisted-doc-15.4.0-3.1 moderate 6.4 AV:N/AC:L/Au:N/C:P/I:P/A:N Please Install the update. https://lists.opensuse.org/opensuse-updates/2016-12/msg00110.html https://www.suse.com/security/cve/CVE-2016-1000111.html CVE-2016-1000111 https://bugzilla.suse.com/989997 SUSE Bug 989997