ALAS-2020-1372

Amazon Linux 1 (EOL) Security Advisory: ALAS-2020-1372
Advisory Released Date: 2020-06-03
Advisory Updated Date: 2020-06-03

Severity: Important

References: CVE-2020-10108
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with two content-length headers, it ignored the first header. When the second content-length value was set to zero, the request body was interpreted as a pipelined request.(CVE-2020-10108)

Affected Packages:

python-twisted-web

Issue Correction:
Run yum update python-twisted-web to update your system.

New Packages:

i686:
    python27-twisted-web-8.2.0-6.6.amzn1.i686
    python26-twisted-web-8.2.0-6.6.amzn1.i686

src:
    python-twisted-web-8.2.0-6.6.amzn1.src

x86_64:
    python26-twisted-web-8.2.0-6.6.amzn1.x86_64
    python27-twisted-web-8.2.0-6.6.amzn1.x86_64

Additional References

Red Hat: CVE-2020-10108

Mitre: CVE-2020-10108