urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which
makes it easier for remote attackers to bypass protection mechanisms that
blacklist file: URIs, as demonstrated by triggering a

An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib
in Python 3.x through 3.7.2. CRLF injection is possible if the attacker
controls a url parameter, as demonstrated by the first argument to
urllib.request.urlopen with \r\n (specifically in the query string or
PATH_INFO) followed by an HTTP header or a Redis command. This is similar to
CVE-2019-9947 is handled in bug 680246.
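As an added example (not code from the bug report or from CPython), a small Python validator that takes the allowlist approach the two descriptions above argue for: it refuses any control character before parsing, so a raw \r\n in the path or query never reaches the HTTP request line, and it accepts only an explicit set of schemes, so local_file: is rejected without anyone having to enumerate it. The names validate_url, is_safe_url and blocklist_check, and the sample URLs, are assumptions made for this example.

```python
from urllib.parse import urlsplit

# Schemes the application actually needs; everything else is refused.
ALLOWED_SCHEMES = {"http", "https"}


class UnsafeURL(ValueError):
    """Raised when a user-supplied URL fails validation."""


def blocklist_check(url: str) -> bool:
    """The kind of check CVE-2019-9948 bypasses: it refuses only 'file:'.

    Hypothetical, kept for comparison: 'local_file:' passes it untouched.
    """
    return not url.strip().lower().startswith("file:")


def validate_url(url: str) -> str:
    """Return url unchanged if it is safe to hand to urlopen, else raise UnsafeURL."""
    # 1. CRLF injection (CVE-2019-9947): refuse any control character anywhere
    #    in the string *before* parsing. Recent urlsplit() silently strips
    #    "\r\n\t", so a check done after parsing would miss them. Callers that
    #    need such bytes in a value must percent-encode them.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in url):
        raise UnsafeURL("control character in URL")
    parts = urlsplit(url)
    # 2. Scheme allowlist: file:, local_file:, ftp:, data: and anything else
    #    not listed are refused, with no blocklist to keep up to date.
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeURL(f"scheme {parts.scheme!r} not allowed")
    if not parts.hostname:
        raise UnsafeURL("URL has no host")
    return url


def is_safe_url(url: str) -> bool:
    """Boolean wrapper around validate_url for callers that prefer a predicate."""
    try:
        validate_url(url)
        return True
    except UnsafeURL:
        return False


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the bug report.
    for sample in [
        "https://example.test/api?item=42",
        "file:///some/local/path",
        "local_file:///some/local/path",
        "http://example.test/?q=a\r\nX-Injected: yes",
    ]:
        print(f"{sample!r:50} blocklist={blocklist_check(sample)!s:5} "
              f"allowlist={is_safe_url(sample)}")
```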
2.7: Fixed in 2.7.17, which is not yet available in the Gentoo repository.
All affected versions should be gone now.
Added to an existing GLSA.
This issue was resolved and addressed in
GLSA 202003-26 at https://security.gentoo.org/glsa/202003-26
by GLSA coordinator Thomas Deutschmann (whissi).