PublicDateAtUSN: 2022-03-03 21:15:00 UTC
Candidate: CVE-2022-21716
PublicDate: 2022-03-03 21:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21716
 https://github.com/twisted/twisted/commit/89c395ee794e85a9657b112c4351417850330ef9
 https://github.com/twisted/twisted/security/advisories/GHSA-rv6r-3f5q-9rgx
 https://twistedmatrix.com/trac/ticket/10284
 https://github.com/twisted/twisted/releases/tag/twisted-22.2.0
 https://ubuntu.com/security/notices/USN-5354-1
 https://ubuntu.com/security/notices/USN-5354-2
Description:
 Twisted is an event-based framework for internet applications, supporting
 Python 3.6+. Prior to 22.2.0, Twisted SSH client and server implement is
 able to accept an infinite amount of data for the peer's SSH version
 identifier. This ends up with a buffer using all the available memory. The
 attach is a simple as `nc -rv localhost 22 < /dev/zero`. A patch is
 available in version 22.2.0. There are currently no known workarounds.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: medium
Discovered-by:
Assigned-to: rayveldkamp
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H [7.5 HIGH]


Patches_twisted:
upstream_twisted: released (22.2.0)
trusty/esm_twisted: released (13.2.0-1ubuntu1.2+esm2)
esm-infra/xenial_twisted: released (16.0.0-1ubuntu0.4+esm1)
trusty_twisted: ignored (out of standard support)
xenial_twisted: ignored (out of standard support)
bionic_twisted: released (17.9.0-2ubuntu0.3)
focal_twisted: released (18.9.0-11ubuntu0.20.04.2)
impish_twisted: released (20.3.0-7ubuntu1.1)
jammy_twisted: released (22.1.0-2ubuntu2.1)
devel_twisted: pending (22.4.0-1)