http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.request. Links: https://bugs.python.org/issue39603 https://nvd.nist.gov/vuln/detail/CVE-2020-26116 https://www.tenable.com/cve/CVE-2020-26116 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26116 https://vuldb.com/?id.162034 Reproducible: Always
Solution: Upgrading to version 3.5.10, 3.6.12, 3.7.9 or 3.8.5 eliminates this vulnerability. (Currently we have 3.6.11-r2 and 3.7.8-r2 in repos.)
Actually, I'm pretty sure I've backported this fix to all slots.
This appears to have been handled in bug 728668 (>python:2) and bug 741502 (python:2). Filip, if a fix was not actually backported please reopen and let us know.
