ALAS-2023-432

Amazon Linux 2023 Security Advisory: ALAS-2023-432
Advisory Release Date: 2023-11-09 21:29 Pacific
Advisory Updated Date: 2023-11-14 21:13 Pacific

Severity: Medium

References: CVE-2023-46137
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

Twisted is an event-based framework for internet applications. Prior to version 23.10.0rc1, when sending multiple HTTP requests in one TCP packet, twisted.web will process the requests asynchronously without guaranteeing the response order. If one of the endpoints is controlled by an attacker, the attacker can delay the response on purpose to manipulate the response of the second request when a victim launched two requests using HTTP pipeline. Version 23.10.0rc1 contains a patch for this issue. (CVE-2023-46137)

Affected Packages:

python-twisted

Issue Correction:
Run dnf update python-twisted --releasever 2023.2.20231113 to update your system.

New Packages:

noarch:
    python3-twisted+tls-22.4.0-126.amzn2023.0.3.noarch
    python3-twisted-22.4.0-126.amzn2023.0.3.noarch

src:
    python-twisted-22.4.0-126.amzn2023.0.3.src

Additional References

Red Hat: CVE-2023-46137

Mitre: CVE-2023-46137

Select your cookie preferences

Customize cookie preferences

Essential

Performance

Functional

Advertising

ALAS-2023-432

Additional References