CVE-2020-10108

Advisory

Daphne 4.0.0 updates its dependency 'twisted' to versions '>=22.4' to include security fixes.

Affected package

Affected versions

Fixed versions

Vulnerability changelog

------------------

Major versioning targeting use with Channels 4.0 and beyond. Except where
noted should remain usable with Channels v3 projects, but updating Channels to the latest version is recommended.

* Added a ``runserver`` command to run an ASGI Django development server.

Added ``"daphne"`` to the ``INSTALLED_APPS`` setting, before
``"django.contrib.staticfiles"`` to enable:

INSTALLED_APPS = [
"daphne",
...
]

This replaces the Channels implementation of ``runserver``, which is removed
in Channels 4.0.

* Made the ``DaphneProcess`` tests helper class compatible with the ``spawn``
process start method, which is used on macOS and Windows.

Note that requires Channels v4 if using with ``ChannelsLiveServerTestCase``.

* Dropped support for Python 3.6.

* Updated dependencies to the latest versions.

Previously a range of Twisted versions have been supported. Recent Twisted
releases (22.2, 22.4) have issued security fixes, so those are now the
minimum supported version. Given the stability of Twisted, supporting a
range of versions does not represent a good use of maintainer time. Going
forward the latest Twisted version will be required.

* Set ``daphne`` as default ``Server`` header.

This can be configured with the ``--server-name`` CLI argument.

Added the new ``--no-server-name`` CLI argument to disable the ``Server``
header, which is equivalent to ``--server-name=` (an empty name).

* Added ``--log-fmt`` CLI argument.

* Added support for ``ASGI_THREADS`` environment variable, setting the maximum
number of workers used by a ``SyncToAsync`` thread-pool executor.

Set e.g. ``ASGI_THREADS=4 daphne ...`` when running to limit the number of
workers.

* Removed deprecated ``--ws_protocols`` CLI option.

Resources

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10108