An update for python-twisted-web is now available for Red Hat Enterprise Linux 6
and Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact of
Important. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.
Twisted is an event-based framework for internet applications. Twisted Web is a
complete web server, aimed at hosting web applications using Twisted and Python,
but fully able to serve static pages too.
* It was discovered that python-twisted-web used the value of the Proxy header
from HTTP requests to initialize the HTTP_PROXY environment variable for CGI
scripts, which in turn was incorrectly used by certain HTTP client
implementations to configure the proxy for outgoing HTTP requests. A remote
attacker could possibly use this flaw to redirect HTTP requests performed by a
CGI script to an attacker-controlled proxy via a malicious HTTP request.
Note: After this update, python-twisted-web will no longer pass the value of the
Proxy request header to scripts via the HTTP_PROXY environment variable.
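The mapping that causes this flaw is the CGI rule that turns a request header into an environment variable (upper-case, "-" becomes "_", prefixed with HTTP_), so a client-supplied Proxy header lands in HTTP_PROXY. The following added example (not Twisted's code) implements that mapping, shows the pre-update pass-through beside the post-update behaviour that drops the Proxy header, and includes a simple request check a defender can log on; the header values are constructed samples.

```python
"""CGI header-to-environment mapping (RFC 3875 style), before and after the fix."""

# Header names that RFC 3875 maps without the HTTP_ prefix.
_UNPREFIXED = {"content-type": "CONTENT_TYPE", "content-length": "CONTENT_LENGTH"}


def header_to_env_name(name: str) -> str:
    """Meta-variable name for a request header: upper-case, '-' -> '_', HTTP_ prefix.

    'Proxy' therefore becomes 'HTTP_PROXY', the variable several HTTP client
    libraries read to decide where to send outgoing requests."""
    lowered = name.lower()
    if lowered in _UNPREFIXED:
        return _UNPREFIXED[lowered]
    return "HTTP_" + name.upper().replace("-", "_")


def cgi_environment(headers, drop_proxy=True):
    """Build the CGI environment for a list of (name, value) request headers.

    drop_proxy=False reproduces the pre-update behaviour described in the
    advisory: a client-supplied Proxy header is forwarded as HTTP_PROXY.
    drop_proxy=True is the fixed behaviour: the Proxy header is never forwarded.
    """
    env = {}
    for name, value in headers:
        if drop_proxy and name.lower() == "proxy":
            continue
        env[header_to_env_name(name)] = value
    return env


def has_proxy_header(headers):
    """Defender-side check: no standard client sends a Proxy request header,
    so its presence is worth logging or alerting on at the web server."""
    return any(name.lower() == "proxy" for name, _ in headers)


# Constructed sample request (hypothetical hostnames, not from a real capture).
SAMPLE_HEADERS = [
    ("Host", "cgi.example.test"),
    ("User-Agent", "curl/7.x"),
    ("Proxy", "http://proxy.example.test:8080"),
]

if __name__ == "__main__":
    print("before fix:", cgi_environment(SAMPLE_HEADERS, drop_proxy=False))
    print("after fix: ", cgi_environment(SAMPLE_HEADERS))
```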
Red Hat would like to thank Scott Geary (VendHQ) for reporting this issue.
1357345 – CVE-2016-1000111 Python Twisted: sets environmental variable based on user supplied Proxy request header
The kmod-lpfc packages contain the Emulex LightPulse Fibre Channel SCSI driver kernel module, which adds official support for the lpfc devices. The PCI ID supported by this package is 10DF:E300.
The kernel modules delivered by this erratum have been made available as part of the Red Hat Driver Update Program, which provides updated kernel
modules that add support for selected devices in advance of the next Red Hat Enterprise Linux minor update release. We strongly recommend that
these kernel modules only be used when it is necessary to enable the specific hardware mentioned in this erratum. Partners and customers
should continue to use the driver that is shipped in the latest Red Hat Enterprise Linux kernel for all other devices that require this driver.
All users who require kmod-lpfc are advised to install these new packages.