Latest data: Sat Oct 28 08:04:12 UTC 2023

Homebrew · Oct 28, 2023 · 3912305 · 3912305
1 parent 2e03e6f
commit 3912305
Show file tree

Hide file tree

Showing 17 changed files with 62 additions and 772 deletions.
diff --git a/audits/abi3audit-requirements.audit.json b/audits/abi3audit-requirements.audit.json
diff --git a/audits/alot-requirements.audit.json b/audits/alot-requirements.audit.json
@@ -122,15 +122,15 @@
     },
     "vulnerabilities": [
       {
-        "modified": "2023-10-25T21:31:04Z",
+        "modified": "2023-10-27T21:07:15Z",
         "published": "2023-10-25T21:15:13Z",
         "schema_version": "1.6.0",
         "id": "GHSA-xc8x-vp79-p3wm",
         "aliases": [
           "CVE-2023-46137"
         ],
         "summary": "twisted.web has disordered HTTP pipeline response",
-        "details": "### Summary\nWhen sending multiple HTTP requests in one TCP packet, twisted.web will process the requests asynchronously without guaranteeing the response order.\n\n### Details\nThere's an example faulty program:\n```python\nfrom twisted.internet import reactor, endpoints\nfrom twisted.web import server\nfrom twisted.web.proxy import ReverseProxyResource\nfrom twisted.web.resource import Resource\n\nclass Second(Resource):\n    isLeaf = True\n    def render_GET(self, request):\n        return b'SECOND\\n'\n\nclass First(Resource):\n    isLeaf = True\n    def render_GET(self, request):\n        def send_response():\n            request.write(b'FIRST DELAYED\\n')\n            request.finish()\n        reactor.callLater(0.5, send_response)\n        return server.NOT_DONE_YET\n\nroot = Resource()\n\nroot.putChild(b'second', Second())\nroot.putChild(b'first', First())\n\nendpoint = endpoints.TCP4ServerEndpoint(reactor, 8080)\nendpoint.listen(server.Site(root))\nreactor.run()\n```\nWhen two requests for `/first` and `/second` are sent in the same order, the second request will be responded to first.\n```shell\necho -en \"GET /first HTTP/1.1\\r\\nHost: a\\r\\n\\r\\nGET /second HTTP/1.1\\r\\nHost: a\\r\\n\\r\\n\" | nc localhost 8080\n```\n\n### Impact\nIf one of the endpoints is controlled by an attacker, the attacker can delay the response on purpose to manipulate the response of the second request when a victim launched two requests using HTTP pipeline.",
+        "details": "### Summary\nWhen sending multiple HTTP requests in one TCP packet, twisted.web will process the requests asynchronously without guaranteeing the response order.\n\n### Details\nThere's an example faulty program:\n```python\nfrom twisted.internet import reactor, endpoints\nfrom twisted.web import server\nfrom twisted.web.proxy import ReverseProxyResource\nfrom twisted.web.resource import Resource\n\nclass Second(Resource):\n    isLeaf = True\n    def render_GET(self, request):\n        return b'SECOND\\n'\n\nclass First(Resource):\n    isLeaf = True\n    def render_GET(self, request):\n        def send_response():\n            request.write(b'FIRST DELAYED\\n')\n            request.finish()\n        reactor.callLater(0.5, send_response)\n        return server.NOT_DONE_YET\n\nroot = Resource()\n\nroot.putChild(b'second', Second())\nroot.putChild(b'first', First())\n\nendpoint = endpoints.TCP4ServerEndpoint(reactor, 8080)\nendpoint.listen(server.Site(root))\nreactor.run()\n```\n\nWhen two requests for `/first` and `/second` are sent in the same order, the second request will be responded to first.\n```shell\necho -en \"GET /first HTTP/1.1\\r\\nHost: a\\r\\n\\r\\nGET /second HTTP/1.1\\r\\nHost: a\\r\\n\\r\\n\" | nc localhost 8080\n```\n\n### Impact\nIf one of the endpoints is controlled by an attacker, the attacker can delay the response on purpose to manipulate the response of the second request when a victim launched two requests using HTTP pipeline.",
         "affected": [
           {
             "package": {
@@ -264,6 +264,10 @@
             "type": "WEB",
             "url": "https://github.com/twisted/twisted/security/advisories/GHSA-xc8x-vp79-p3wm"
           },
+          {
+            "type": "ADVISORY",
+            "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46137"
+          },
           {
             "type": "PACKAGE",
             "url": "https://github.com/twisted/twisted"

diff --git a/audits/bbot-requirements.audit.json b/audits/bbot-requirements.audit.json
@@ -8,7 +8,7 @@
     },
     "vulnerabilities": [
       {
-        "modified": "2023-10-10T23:00:06Z",
+        "modified": "2023-10-28T05:36:04Z",
         "published": "2023-10-04T15:30:35Z",
         "schema_version": "1.6.0",
         "id": "GHSA-ww3m-ffrm-qvqv",
@@ -165,11 +165,6 @@
             ],
             "database_specific": {
               "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-ww3m-ffrm-qvqv/GHSA-ww3m-ffrm-qvqv.json"
-            },
-            "ecosystem_specific": {
-              "affected_functions": [
-                ""
-              ]
             }
           }
         ],