[meta-python,scarthgap,1/1] python3-twisted: Fix CVE-2024-41810

Message ID 20250923061426.3997604-1-soumya.sambu@windriver.com
State New

Commit Message

Sambu, Soumya Sept. 23, 2025, 6:14 a.m. UTC
From: Soumya Sambu <soumya.sambu@windriver.com>

Twisted is an event-based framework for internet applications, supporting Python 3.6+.
The `twisted.web.util.redirectTo` function contains an HTML injection vulnerability.
If application code allows an attacker to control the redirect URL this vulnerability
may result in Reflected Cross-Site Scripting (XSS) in the redirect response HTML body.
This vulnerability is fixed in 24.7.0rc1.

Split fix for CVE-2024-41810 from CVE-2024-41671-0001.patch to improve CVE
traceability.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-41810

Upstream patch:
https://github.com/twisted/twisted/commit/046a164f89a0f08d3239ecebd750360f8914df33

Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
---
 .../{CVE-2024-41671-0002.patch => CVE-2024-41671.patch}       | 0
 .../{CVE-2024-41671-0001.patch => CVE-2024-41810.patch}       | 2 +-
 meta-python/recipes-devtools/python/python3-twisted_24.3.0.bb | 4 ++--
 3 files changed, 3 insertions(+), 3 deletions(-)
 rename meta-python/recipes-devtools/python/python3-twisted/{CVE-2024-41671-0002.patch => CVE-2024-41671.patch} (100%)
 rename meta-python/recipes-devtools/python/python3-twisted/{CVE-2024-41671-0001.patch => CVE-2024-41810.patch} (99%)
Patch

diff --git a/meta-python/recipes-devtools/python/python3-twisted/CVE-2024-41671-0002.patch b/meta-python/recipes-devtools/python/python3-twisted/CVE-2024-41671.patch
similarity index 100%
rename from meta-python/recipes-devtools/python/python3-twisted/CVE-2024-41671-0002.patch
rename to meta-python/recipes-devtools/python/python3-twisted/CVE-2024-41671.patch
diff --git a/meta-python/recipes-devtools/python/python3-twisted/CVE-2024-41671-0001.patch b/meta-python/recipes-devtools/python/python3-twisted/CVE-2024-41810.patch
similarity index 99%
rename from meta-python/recipes-devtools/python/python3-twisted/CVE-2024-41671-0001.patch
rename to meta-python/recipes-devtools/python/python3-twisted/CVE-2024-41810.patch
index 1f6bf6bbfc..023ebc3640 100644
--- a/meta-python/recipes-devtools/python/python3-twisted/CVE-2024-41671-0001.patch
+++ b/meta-python/recipes-devtools/python/python3-twisted/CVE-2024-41810.patch
@@ -5,7 +5,7 @@  Subject: [PATCH] Merge commit from fork
 
 Added HTML output encoding the "URL" parameter of the "redirectTo" function
 
-CVE: CVE-2024-41671
+CVE: CVE-2024-41810
 
 Upstream-Status: Backport [https://github.com/twisted/twisted/commit/046a164f89a0f08d3239ecebd750360f8914df33]
 
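Review bot: At the `CVE:` tag line, CVE-2024-41671 is dropped from this file, so after this change that CVE is covered only by the patch renamed to CVE-2024-41671.patch, whose content is not shown here because the rename is at 100% similarity. Please confirm that file carries its own `CVE: CVE-2024-41671` tag, otherwise the tracking for that CVE is lost by this retag. The commit message also says the fix was "split" out, while the diff is a rename plus this one-line tag change; wording it as a rename and retag would match what the diff does.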
diff --git a/meta-python/recipes-devtools/python/python3-twisted_24.3.0.bb b/meta-python/recipes-devtools/python/python3-twisted_24.3.0.bb
index 272aecb8b0..deb7fd6321 100644
--- a/meta-python/recipes-devtools/python/python3-twisted_24.3.0.bb
+++ b/meta-python/recipes-devtools/python/python3-twisted_24.3.0.bb
@@ -7,8 +7,8 @@  LICENSE = "MIT"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=c1c5d2c2493b848f83864bdedd67bbf5"
 
 SRC_URI += " \
-    file://CVE-2024-41671-0001.patch \
-    file://CVE-2024-41671-0002.patch \
+    file://CVE-2024-41810.patch \
+    file://CVE-2024-41671.patch \
 "
 
 SRC_URI[sha256sum] = "6b38b6ece7296b5e122c9eb17da2eeab3d98a198f50ca9efd00fb03e5b4fd4ae"
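Review bot: In the two `SRC_URI` entries, the new file names no longer show the application order that the -0001/-0002 suffixes did. The order itself is kept (the former -0001 file, now CVE-2024-41810.patch, is still listed first), so consider saying in the commit message that this order is intentional, or adding a short comment above the `SRC_URI` assignment, so a later cleanup does not re-sort the entries by CVE number.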