Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to 22.2.0, the Twisted SSH client and server implementation naively accepted an infinite amount of data for the peer's SSH version identifier. A malicious peer can trivially craft a request that uses all available memory and crash the server, resulting in denial of service.
References:
https://github.com/twisted/twisted/security/advisories/GHSA-rv6r-3f5q-9rgx
https://github.com/twisted/twisted/releases/tag/twisted-22.2.0
Upstream commit: https://github.com/twisted/twisted/commit/89c395ee794e85a9657b112c4351417850330ef9
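The unbounded buffering of the SSH identification line described above, next to a bounded reader of the kind the 22.2.0 fix introduces, as an added Python example that is not Twisted's own code. The class names, the `exchange` helper and the 4096-byte cap are assumptions; RFC 4253 itself limits the identification string to 255 bytes including CRLF.

```python
"""SSH protocol version exchange (RFC 4253 section 4.2), naive vs bounded.

Before the "SSH-2.0-..." line arrives, a transport must buffer bytes until
it sees a newline. Buffering without a limit lets a peer that never sends
a newline grow the buffer until memory runs out (the CVE-2022-21716 bug).
"""

# Assumed cap. RFC 4253 allows at most 255 bytes for the identification
# line (CRLF included); a server may tolerate a larger limit for the
# optional banner lines a peer is allowed to send before it.
MAX_VERSION_LINE_LENGTH = 4096


class VersionLineTooLong(Exception):
    """Peer sent more than the limit without a terminating newline."""


class NaiveVersionReader:
    """Accumulates data until a newline appears: no upper bound on buf."""

    def __init__(self):
        self.buf = b""
        self.version = None

    def data_received(self, data):
        self.buf += data
        if b"\n" in self.buf:
            line, self.buf = self.buf.split(b"\n", 1)
            self.version = line.rstrip(b"\r")


class BoundedVersionReader:
    """Same parser, but rejects the peer once the unterminated buffer, or
    any single line, exceeds the limit; banner lines before "SSH-" are
    skipped as RFC 4253 permits."""

    def __init__(self, limit=MAX_VERSION_LINE_LENGTH):
        self.limit = limit
        self.buf = b""
        self.version = None

    def data_received(self, data):
        self.buf += data
        while self.version is None and b"\n" in self.buf:
            line, self.buf = self.buf.split(b"\n", 1)
            if len(line) > self.limit:
                raise VersionLineTooLong(len(line))
            if line.startswith(b"SSH-"):
                self.version = line.rstrip(b"\r")
        if self.version is None and len(self.buf) > self.limit:
            raise VersionLineTooLong(len(self.buf))


def exchange(reader, chunks):
    """Deliver constructed chunks in order; ("ok", version) or ("rejected", None)."""
    try:
        for chunk in chunks:
            reader.data_received(chunk)
    except VersionLineTooLong:
        return ("rejected", None)
    return ("ok", reader.version)
```

With a 64-byte limit, ten 16-byte chunks with no newline are rejected by the bounded reader after the fifth chunk, while the naive reader keeps all 160 bytes and waits for more.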
Created python-twisted tracking bugs for this issue: Affects: epel-all [bug 2060973] Affects: fedora-all [bug 2060972]
Corrected upstream commit: https://github.com/twisted/twisted/commit/98387b39e9f0b21462f6abc7a1325dc370fcdeb1
This issue has been addressed in the following products: Red Hat OpenStack Platform 16.2 Via RHSA-2022:0992 https://access.redhat.com/errata/RHSA-2022:0992
This issue has been addressed in the following products: Red Hat OpenStack Platform 16.1 Via RHSA-2022:0982 https://access.redhat.com/errata/RHSA-2022:0982
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-21716