Summary: | dev-lang/python: CRLF injection in http.client (CVE-2020-26116) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | John Helmert III <ajak> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | mgorny, python |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://bugs.python.org/issue39603 | ||
Whiteboard: | A4 [glsa+ cve] | ||
Package list: | Runtime testing required: | --- | |
Bug Depends on: | 736854, 743232, 743235, 759928 | ||
Bug Blocks: |
Description
John Helmert III
Maintainer, if 2.7 needs patching please do so.

Comment #2, Michał Górny

Unless I'm mistaken, this has been backported to all stable 3.x versions, and it is in >=2.7.18-r2. I'm going to do the cleanup now.

The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b36327f343dfda178953e30181c59c58d2f037bf

commit b36327f343dfda178953e30181c59c58d2f037bf
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-10-15 19:43:04 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-10-15 19:43:40 +0000

    dev-lang/python: Remove old 2.7 versions

    Bug: https://bugs.gentoo.org/749339
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest                | 2 -
 dev-lang/python/python-2.7.18-r1.ebuild | 366 --------------------------------
 dev-lang/python/python-2.7.18-r2.ebuild | 366 --------------------------------
 dev-lang/python/python-2.7.18-r3.ebuild | 366 --------------------------------
 4 files changed, 1100 deletions(-)

(In reply to Michał Górny from comment #2)
> Unless I'm mistaken, this has been backported to all stable 3.x versions,
> and it is in >=2.7.18-r2. I'm going to do the cleanup now.

Are you sure? This is a different issue than the email CRLF bug. I can't find any Gentoo patches that touch the same files as the upstream patches.

commit 138e2caeb4827ccfd1eaff2cf63afb79dfeeb3c4 (HEAD -> gentoo-2.7-vanilla, gentoo/gentoo-2.7-vanilla)
Author: Michał Górny <mgorny@gentoo.org>
Date:   2020-09-10 13:39:48 +0200

    bpo-39603: Prevent header injection in http methods (GH-18485) (GH-21539)

    reject control chars in http method in http.client.putrequest to prevent http header injection
    (cherry picked from commit 8ca8a2e8fb068863c1138f07e3098478ef8be12e)

    Co-authored-by: AMIR <31338382+amiremohamadi@users.noreply.github.com>
    [rebased for py2.7]

 Lib/httplib.py           | 17 +++++++++++++++++
 Lib/test/test_httplib.py | 20 ++++++++++++++++++++
 2 files changed, 37 insertions(+)

This issue was resolved and addressed in GLSA 202101-18 at https://security.gentoo.org/glsa/202101-18 by GLSA coordinator Aaron Bauman (b-man).
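The fix this bug tracks rejects control characters in the method name handed to http.client.putrequest, so that a CR/LF in an attacker-influenced method cannot terminate the request line and start a new header. The following is an added example, not the CPython patch and not part of the Gentoo bug: it reimplements the same kind of control-character check in a standalone validator (the function names and the regex are my own, modelled on the description of the upstream change), and it probes whether the interpreter it runs under already refuses such a method. The probe never opens a socket, because putrequest only buffers the request line; nothing is sent before endheaders().

```python
"""Control-character check for HTTP method names (the bug class of CVE-2020-26116).

Added example, not the upstream CPython code: it mirrors the idea of the fix for
bpo-39603 (reject control characters in the method passed to putrequest) and
checks whether the installed http.client already behaves that way.
"""
import http.client
import re

# Any character in 0x00-0x1f is a control character. CR (0x0d) and LF (0x0a)
# are the ones that would end the request line and begin a new header.
_CONTROL_CHAR_RE = re.compile(r"[\x00-\x1f]")


def validate_http_method(method: str) -> str:
    """Return ``method`` unchanged if it contains no control characters.

    Raise ValueError otherwise, naming the first offending character, which is
    the shape of check the upstream fix describes.
    """
    match = _CONTROL_CHAR_RE.search(method)
    if match:
        raise ValueError(
            f"method can't contain control characters: {method!r} "
            f"(found {match.group()!r})"
        )
    return method


def is_safe_method(method: str) -> bool:
    """Boolean form of the same check, convenient for filtering untrusted input."""
    try:
        validate_http_method(method)
    except ValueError:
        return False
    return True


def interpreter_rejects_control_chars() -> bool:
    """Probe the installed http.client: does putrequest refuse CR/LF in the method?

    No network traffic is involved: the connection is never opened, and
    putrequest only validates and buffers the request line. A patched
    interpreter raises ValueError (True here); an unpatched one silently
    accepts the method (False here).
    """
    conn = http.client.HTTPConnection("localhost")  # never connected
    try:
        conn.putrequest("GET\r\nX-Injected: 1", "/")  # constructed bad method
    except ValueError:
        return True
    finally:
        conn.close()
    return False


if __name__ == "__main__":
    # Constructed sample inputs, as an application might receive them from a caller.
    samples = ["GET", "POST", "PROPFIND", "GET\r\nX-Injected: 1", "GET\x00"]
    for m in samples:
        print(f"{m!r:30} safe={is_safe_method(m)}")
    print("installed http.client rejects control chars:",
          interpreter_rejects_control_chars())
```

Running the script on a patched interpreter prints `safe=False` for the last two samples and `True` for the interpreter probe; on a Python older than the backports listed in this bug the probe returns `False`, which is the quick way to confirm whether a given installation still needs the fix.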