Subject: CVS commit: pkgsrc/net/py-twisted
From: Adam Ciarcinski
Date: 2020-02-06 16:44:58
Message id:

Log Message:
py-twisted: updated to 19.10.0

Twisted 19.10.0:

- twisted.trial.successResultOf, twisted.trial.failureResultOf, and
  twisted.trial.assertNoResult accept coroutines as well as Deferreds.

- Fixed circular import in twisted.trial.reporter, introduced in Twisted 16.0.0.
- The POP3 server implemented by twisted.mail.pop3 now accepts passwords that \ 
contain spaces.
- Incoming HTTP/2 connections will now not time out if they persist for longer \ 
than one minute.
- The serial extra now requires pywin32 on Windows enabling use of \ 
twisted.internet.serialport without specifying the windows_platform extra.

- twisted.conch.ssh.keys now correctly writes the "iqmp" parameter in \ 
serialized RSA private keys as q^-1 mod p rather than p^-1 mod q.

- twisted.web.server.Request will now use \ 
twisted.web.server.Site.getContentFile, if it exists, to get a file into which \ 
to write request content.  If getContentFile is not provided by the site, it \ 
will fall back to the previous behavior of using io.BytesIO for small requests \ 
and tempfile.TemporaryFile for large ones.

- twisted.web.client.FileBodyProducer will now stop producing when the Deferred \ 
returned by FileBodyProducer.startProducing is cancelled.
- The HTTP/2 server implementation now enforces TCP flow control on control \ 
frame messages and times out clients that send invalid data without reading \ 
responses.  This closes CVE-2019-9512 (Ping Flood), CVE-2019-9514 (Reset Flood), \ 
and CVE-2019-9515 (Settings Flood).  Thanks to Jonathan Looney and Piotr Sikora.

Twisted 19.7.0:

- The callable argument to twisted.internet.task.deferLater() is no longer required.
- Twisted's minimum Cryptography requirement is now 2.5.
- twisted.internet.utils.getProcessOutputAndValue now accepts `stdinBytes` to \ 
write to the child process's standard input.
- Add new twisted.logger.capturedLogs context manager for capturing observed log \ 
events in tests.
- twisted.internet.base.PluggableResolverMixin, which implements the pluggable \ 
resolver interfaces for easier re-use in other reactors, has been factored out \ 
of ReactorBase.
- The PyPI page for Twisted has been enhanced to include more information and \ 
useful links.

- twisted.internet.endpoints is now importable on Windows when pywin32 is not \ 
- twisted.conch.ssh now generates correct keys when using hmac-sha2-512 with \ 
SHA1 based KEX algorithms.
- twisted.internet.iocpreactor.abstract.FileHandle no longer duplicates/looses \ 
outgoing data when .write() is called in rapid succession with large payloads
- twisted.application.backoffPolicy will not fail on connection attempts > \ 
1750 with default settings.
- Trial on Python 3 will now properly re-raise ImportErrors that occur during \ 
the import of a module, rather than saying the module doesn't exist.
- twisted.internet.process does not fail on import when the process has more \ 
than 1024 file descriptors opened.
- Add the stackLevel keyword argument to \ 
twisted.logger.STDLibLogObserver._findCaller to fix an incompatibility with \ 
Python 3.8.

Improved Documentation
- Fix the incorrect docstring for \ 
twisted.python.components.Componentized.addComponent which stated that the \ 
function returned a list of interfaces, even though the function doesn't \ 
actually do so.

Deprecations and Removals
- twisted.test.proto_helpers has moved to twisted.internet.testing. \ 
twisted.test.proto_helpers has been deprecated.
- twisted.protocols.mice, deprecated since Twisted 16.0, has been removed.
- twisted.conch.insults.client and twisted.conch.insults.colors, deprecated \ 
since Twisted 10.1, have been removed.
- The __version__ attribute of Twisted submodules that were previously packaged \ 
separately, deprecated since Twisted 16.0, has been removed.
- Python 3.4 is no longer supported.
- twisted.python.compat.OrderedDict, an alias for collections.OrderedDict and \ 
deprecated since Twisted 15.5, has been removed.

- t.c.ssh.connection.SSHConnection now fails channels that are in the process of \ 
opening when the connection is lost.

- twisted.web.tap, the module that is run by `twist web`, now accepts \ 
--display-tracebacks to render tracebacks on uncaught exceptions.

- twisted.web.http.Request.write after the channel is disconnected will no \ 
longer raise AttributeError.
- twisted.web.client.Agent.request() and twisted.web.client.ProxyAgent.request() \ 
now produce TypeError when the method argument is not bytes, rather than failing \ 
to generate the request.
- twisted.web.http.HTTPChannel no longer raises TypeError internally when \ 
receiving a line-folded HTTP header on Python 3.
- All HTTP clients in twisted.web.client now raise a ValueError when called with \ 
a method and/or URL that contain invalid characters.  This mitigates \ 
CVE-2019-12387.  Thanks to Alex Brasetvik for reporting this vulnerability.
- twisted.web.server.Site's instance variable displayTracebacks is now set to \ 
False by default.

Improved Documentation
- twisted.web.iweb.IRequest's "prepath" and "postpath" \ 
attributes, which have existed for a long time, are now documented.
- The documented type of t.w.iweb.IRequest's "method" and \ 
"uri" attributes on Python 3 has been corrected to match the \ 
- t.w.iweb.IRequest's "args" attribute is now correctly documented to \ 
be bytes.
- The API documentation of twisted.web.iweb.IRequest and \ 
twisted.web.http.Request has been updated and extended to match the \ 

Deprecations and Removals
- Passing a path argument to twisted.web.resource.Resource.putChild which is not \ 
of type bytes is now deprecated.  In the future, passing a non-bytes argument to \ 
putChild will return an error.
- Passing --notracebacks/-n to twisted.web.tap, the module that is run by `twist \ 
web`, is now deprecated due to traceback rendering being disabled by default.

- twisted.words.protocols.jabber.xmlstream.TLSInitiatingInitializer and \ 
twisted.words.protocols.jabber.client.XMPPClientFactory now take an optional \ 
configurationForTLS for customizing certificate options for StartTLS.

- twisted.words.protocols.jabber.xmlstream.TLSInitiatingInitializer now properly \ 
verifies the server's certificate against platform CAs and the stream's domain, \ 
mitigating CVE-2019-12855.

- twisted.names.client.Resolver will no longer infinite loop if it cannot bind a \ 
UDP port to use for resolving.

Twisted 19.2.0:
This is the final release that will support Python 3.4.

- twisted.internet.ssl.CertificateOptions now uses 32 random bytes instead of an \ 
MD5 hash for the ssl session identifier context.
- DeferredLock and DeferredSemaphore can be used as asynchronous context
  managers on Python 3.5+.
- t.i.b.BaseConnector has custom __repr__
- twisted.internet.ssl.optionsForClientTLS now supports validating IP addresses \ 
from the certificate subjectAltName
- Twisted's minimum Cryptography requirement is now 2.5.

- twisted.web.proxy.ReverseProxyResource fixed documentation and example snippet
- twisted.python.failure.Failure.getTracebackObject now returns traceback \ 
objects whose frames can be passed into traceback.print_stack for better \ 
debugging of where the exception came from.
- twisted.internet.ssl.KeyPair.generate: No longer generate 1024-bit RSA keys by \ 
default. Anyone who generated a key with this method using the default value \ 
should move to replace it immediately.
- The message of twisted.internet.error.ConnectionAborted is no longer truncated.
- twisted.enterprise.adbapi.ConnectionPool.connect now logs only the dbapiName \ 
and not the connection arguments, which may contain credentials
- twisted.python.runtime.Platform.supportsINotify no longer considers the result \ 
of isDocker for its own result.

Improved Documentation
- The documentation for the the twisted.internet.interfaces.IConsumer, \ 
IProducer, and IPullProducer interfaces is more detailed.
- The errback example in the docstring of twisted.logger.Logger.failure has been \ 
- The sample code in the "Twisted Web In 60 Seconds" tutorial runs on \ 
Python 3.

- twisted.conch.ssh.keys can now read private keys in the new \ 
"openssh-key-v1" format, introduced in OpenSSH 6.5 and made the \ 
default in OpenSSH 7.8.

- Conch now uses pyca/cryptography for Diffie-Hellman key generation and agreement.

- twisted.web.client.HostnameCachingHTTPSPolicy was added as a new \ 
contextFactory option.  The policy caches a specified number of \ 
twisted.internet.interfaces.IOpenSSLClientConnectionCreator instances to to \ 
avoid the cost of instantiating a connection creator for multiple requests to \ 
the same host.

- twisted.web.http.Request.cookies, twisted.web.http.HTTPChannel.writeHeaders, \ 
and twisted.web.http_headers.Headers were all vulnerable to header injection \ 
attacks.  They now replace linear whitespace ('\r', '\n', and '\r\n') with a \ 
single space.  twisted.web.http.Reqeuest.cookies also replaces semicolons (';') \ 
with a single space.
- twisted.web.client.Request and twisted.web.client.HTTPClient were both \ 
vulnerable to header injection attacks.  They now replace linear whitespace \ 
('\r', '\n', and '\r\n') with a single space.

- twisted.names.dns now has IRecord implementations for the SSHFP and TSIG \ 
record types.