Safety vulnerability ID: 37554
The information on this page was manually curated by our Cybersecurity Intelligence Team.
In twisted 19.7.0, twisted.words.protocols.jabber.xmlstream.TLSInitiatingInitializer properly verifies the server's certificate against platform CAs and the stream's domain, mitigating CVE-2019-12855. (#9561)
Latest version: 24.3.0
An asynchronous networking framework written in Python
===========================
Features
--------
- The callable argument to twisted.internet.task.deferLater() is no longer required. (9577)
- Twisted's minimum Cryptography requirement is now 2.5. (9592)
- twisted.internet.utils.getProcessOutputAndValue now accepts `stdinBytes` to write to the child process's standard input. (9607)
- Add new twisted.logger.capturedLogs context manager for capturing observed log events in tests. (9617)
- twisted.internet.base.PluggableResolverMixin, which implements the pluggable resolver interfaces for easier re-use in other reactors, has been factored out of ReactorBase. (9632)
- The PyPI page for Twisted has been enhanced to include more information and useful links. (9648)
Bugfixes
--------
- twisted.internet.endpoints is now importable on Windows when pywin32 is not installed. (6032)
- twisted.conch.ssh now generates correct keys when using hmac-sha2-512 with SHA1 based KEX algorithms. (8258)
- twisted.internet.iocpreactor.abstract.FileHandle no longer duplicates/looses outgoing data when .write() is called in rapid succession with large payloads (9446)
- twisted.application.backoffPolicy will not fail on connection attempts > 1750 with default settings. (9476)
- Trial on Python 3 will now properly re-raise ImportErrors that occur during the import of a module, rather than saying the module doesn't exist. (9628)
- twisted.internet.process does not fail on import when the process has more than 1024 file descriptors opened. (9636)
- Add the stackLevel keyword argument to twisted.logger.STDLibLogObserver._findCaller to fix an incompatibility with Python 3.8. (9668)
Improved Documentation
----------------------
- Fix the incorrect docstring for twisted.python.components.Componentized.addComponent which stated that the function returned a list of interfaces, even though the function doesn't actually do so. (9637)
Deprecations and Removals
-------------------------
- twisted.test.proto_helpers has moved to twisted.internet.testing. twisted.test.proto_helpers has been deprecated. (6435)
- twisted.protocols.mice, deprecated since Twisted 16.0, has been removed. (9602)
- twisted.conch.insults.client and twisted.conch.insults.colors, deprecated since Twisted 10.1, have been removed. (9603)
- The __version__ attribute of Twisted submodules that were previously packaged separately, deprecated since Twisted 16.0, has been removed. (9604)
- Python 3.4 is no longer supported. (9613)
- twisted.python.compat.OrderedDict, an alias for collections.OrderedDict and deprecated since Twisted 15.5, has been removed. (9639)
Misc
----
- 9217, 9445, 9454, 9605, 9614, 9615, 9619, 9625, 9633, 9640, 9674
Conch
-----
Bugfixes
~~~~~~~~
- t.c.ssh.connection.SSHConnection now fails channels that are in the process of opening when the connection is lost. (2782)
Misc
~~~~
- 9610
Web
---
Features
~~~~~~~~
- twisted.web.tap, the module that is run by `twist web`, now accepts --display-tracebacks to render tracebacks on uncaught exceptions. (9656)
Bugfixes
~~~~~~~~
- twisted.web.http.Request.write after the channel is disconnected will no longer raise AttributeError. (9410)
- twisted.web.client.Agent.request() and twisted.web.client.ProxyAgent.request() now produce TypeError when the method argument is not bytes, rather than failing to generate the request. (9643)
- twisted.web.http.HTTPChannel no longer raises TypeError internally when receiving a line-folded HTTP header on Python 3. (9644)
- All HTTP clients in twisted.web.client now raise a ValueError when called with a method and/or URL that contain invalid characters. This mitigates CVE-2019-12387. Thanks to Alex Brasetvik for reporting this vulnerability. (9647)
- twisted.web.server.Site's instance variable displayTracebacks is now set to False by default. (9656)
Improved Documentation
~~~~~~~~~~~~~~~~~~~~~~
- twisted.web.iweb.IRequest's "prepath" and "postpath" attributes, which have existed for a long time, are now documented. (5533)
- The documented type of t.w.iweb.IRequest's "method" and "uri" attributes on Python 3 has been corrected to match the implementation. (9091)
- t.w.iweb.IRequest's "args" attribute is now correctly documented to be bytes. (9458)
- The API documentation of twisted.web.iweb.IRequest and twisted.web.http.Request has been updated and extended to match the implementation. (9593)
Deprecations and Removals
~~~~~~~~~~~~~~~~~~~~~~~~~
- Passing a path argument to twisted.web.resource.Resource.putChild which is not of type bytes is now deprecated. In the future, passing a non-bytes argument to putChild will return an error. (9135)
- Passing --notracebacks/-n to twisted.web.tap, the module that is run by `twist web`, is now deprecated due to traceback rendering being disabled by default. (9656)
Misc
~~~~
- 9597
Mail
----
No significant changes.
Words
-----
Features
~~~~~~~~
- twisted.words.protocols.jabber.xmlstream.TLSInitiatingInitializer and twisted.words.protocols.jabber.client.XMPPClientFactory now take an optional configurationForTLS for customizing certificate options for StartTLS. (9561)
Bugfixes
~~~~~~~~
- twisted.words.protocols.jabber.xmlstream.TLSInitiatingInitializer now properly verifies the server's certificate against platform CAs and the stream's domain, mitigating CVE-2019-12855. (9561)
Names
-----
Bugfixes
~~~~~~~~
- twisted.names.client.Resolver will no longer infinite loop if it cannot bind a UDP port to use for resolving. (9620)
Scan your Python project for dependency vulnerabilities in two minutes
Scan your application