From ${URL} : An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.2. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n followed by an HTTP header or a Redis command.

Reference: https://bugs.python.org/issue36276

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
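The issue above is that a raw CR/LF in the URL string reaches the request line unencoded. As an added example (not code from the bug report or from CPython), here is a defensive pre-check that rejects such input before urlopen is called; the character class is assumed to match what the upstream fix rejects, and the function names (validate_url, is_safe_url, safe_urlopen) are mine.

```python
import re
from urllib.parse import urlsplit
from urllib.request import urlopen

# Characters that must never reach http.client unencoded: C0 controls
# (including CR and LF), space and DEL. Assumption: this is the same
# character class the upstream fix for bpo-36276 rejects; this check is
# an independent pre-validation, not the stdlib's own code.
_DISALLOWED = re.compile(r"[\x00-\x20\x7f]")
_ALLOWED_SCHEMES = ("http", "https")


def validate_url(url: str) -> str:
    """Return ``url`` unchanged if it cannot smuggle a request line or header.

    The search runs on the raw string on purpose: recent urllib.parse
    strips tab, CR and LF before splitting, so inspecting urlsplit()
    components could miss exactly the bytes this check exists to catch.
    """
    match = _DISALLOWED.search(url)
    if match:
        raise ValueError(
            f"control character {match.group()!r} at offset {match.start()} in URL"
        )
    parts = urlsplit(url)
    if parts.scheme not in _ALLOWED_SCHEMES:
        raise ValueError(f"unexpected scheme {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("URL has no host")
    return url


def is_safe_url(url: str) -> bool:
    """Boolean form of validate_url() for callers that only need a verdict."""
    try:
        validate_url(url)
    except ValueError:
        return False
    return True


def safe_urlopen(url: str, *args, **kwargs):
    """Drop-in wrapper: validate first, then delegate to urllib.request.urlopen."""
    return urlopen(validate_url(url), *args, **kwargs)


if __name__ == "__main__":
    # Constructed inputs: a percent-encoded CRLF is inert on the wire and is
    # accepted; a raw CRLF in the query would terminate the request line.
    for candidate in ("https://example.com/search?q=a%0d%0ab",
                      "http://127.0.0.1/?q=1\r\nX-Injected: yes"):
        print(repr(candidate), "->", "ok" if is_safe_url(candidate) else "rejected")
```

Percent-encoded sequences pass because http.client sends them literally without decoding; only raw control bytes can alter the request structure.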
According to the upstream bug, version 1.24.3 now fixes this: https://github.com/urllib3/urllib3/issues/1553
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1cd1842cd013485101789106c7b25c8999cff9e9

commit 1cd1842cd013485101789106c7b25c8999cff9e9
Author: Michał Górny <mgorny@gentoo.org>
AuthorDate: 2019-07-14 12:46:56 +0000
Commit: Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-07-14 12:48:20 +0000

    dev-lang/python: Bump to 3.6.9

    Bug: https://bugs.gentoo.org/689822
    Bug: https://bugs.gentoo.org/680246
    Bug: https://bugs.gentoo.org/676700
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest            |   1 +
 dev-lang/python/python-3.6.9.ebuild | 349 ++++++++++++++++++++++++++++++++++++
 2 files changed, 350 insertions(+)
Patch included in 2.7.17, which is not yet in the repository. 3.5.8rc1: https://github.com/python/cpython/commit/afe3a4975cf93c97e5d6eb8800e48f368011d37a
All affected versions should be gone now.
Added to an existing GLSA request.
This issue was resolved and addressed in GLSA 202003-26 at https://security.gentoo.org/glsa/202003-26 by GLSA coordinator Thomas Deutschmann (whissi).