The following flaw was reported in the Twisted HTTP client:

"When specifying the trustRoot (CA store) for the HTTP client, Twisted did not respect the user's specification, and always used the default of the platform trust. This means that users attempting to use this feature to implement certificate pinning, or otherwise restrict the trusted CAs, would still have accepted any certificate signed by a CA."

It was reported that this issue only affects version 14.0. This version is not in Fedora or Red Hat Enterprise Linux, and source code inspection reveals the patch does not apply.

Upstream fix: https://twistedmatrix.com/~diffresource.twistd/7647
Original report: http://www.openwall.com/lists/oss-security/2014/09/17/4
Statement: Not vulnerable. This issue did not affect the versions of python-twisted-web as shipped with Red Hat Enterprise Linux 6 and 7.