Bug 1303699 (CVE-2016-5699)
Summary: | CVE-2016-5699 python: http protocol stream injection attack | | |
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Adam Mariš <amaris> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | | |
Version: | unspecified | CC: | anemec, ashankar, cbuissar, cheimes, codonell, cstratak, fweimer, jorton, katzj, kevin, mcyprian, mhroncok, mmaslano, mnewsome, pfrankli, pviktori, python-sig, sardella, security-response-team, slawomir, tomspur, torsava |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | It was found that Python's httplib library (used by urllib, urllib2 and others) did not properly check the arguments of the HTTPConnection.putheader() function. An attacker could use this flaw to inject additional headers in a Python application that allowed user-provided header names or values. | | |
Story Points: | --- | | |
Clone Of: | | Environment: | |
Last Closed: | 2016-08-18 20:55:59 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | 1331391, 1331392, 1331393, 1346354, 1346355, 1346356, 1346357, 1346358, 1346359, 1346360, 1346361, 1348982, 1351685, 1351687, 1351691, 1351692, 1351694 | | |
Bug Blocks: | 1303701 | | |
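The check that the Doc Text above says was missing, shown as an added example (this is a reimplementation in the spirit of the upstream fix, not the CPython patch itself): a validator that rejects header names and values which would terminate the field and start a new header line, run over constructed inputs, plus a helper that confirms the installed http.client now refuses the same input. The host name `example.invalid` is a constructed placeholder and is never contacted, since putheader() only buffers the request.

```python
"""Added example for CVE-2016-5699: argument checks of the kind the fix added to
HTTPConnection.putheader(), applied to constructed header name/value pairs."""
import http.client
import re
from typing import Optional

# Header name: must not start with ':' or whitespace and must not contain ':' or CR/LF.
_LEGAL_NAME = re.compile(r'[^:\s][^:\r\n]*').fullmatch
# Header value: a CR or LF that is not followed by a continuation line (obs-fold,
# i.e. a following space or tab) ends the field, so whatever follows it would be
# emitted as a new header. That is the injection this bug describes.
_ILLEGAL_VALUE = re.compile(r'\n(?![ \t])|\r(?![ \t\n])').search


def check_header(name: str, value: str) -> Optional[str]:
    """Return None if the pair is safe to emit, otherwise a short reason."""
    if not _LEGAL_NAME(name):
        return "illegal header name"
    if _ILLEGAL_VALUE(value):
        return "CR/LF in header value"
    return None


def stdlib_rejects(name: str, value: str) -> bool:
    """True if the installed http.client refuses the header with ValueError
    (fixed versions do). putrequest()/putheader() only fill an output buffer;
    nothing is sent to the constructed placeholder host."""
    conn = http.client.HTTPConnection("example.invalid")  # constructed, never contacted
    conn.putrequest("GET", "/")
    try:
        conn.putheader(name, value)
    except ValueError:
        return True
    finally:
        conn.close()
    return False


# Constructed inputs: a benign header, a value smuggling a second header line,
# a name carrying a line break, and a legitimate obs-fold continuation.
CASES = [
    ("X-Token", "abc123"),
    ("X-Token", "abc123\r\nX-Injected: yes"),
    ("X-Bad\nName", "ok"),
    ("X-Token", "abc\r\n def"),
]

if __name__ == "__main__":
    for name, value in CASES:
        print(repr(name), repr(value), "->", check_header(name, value) or "ok",
              "| stdlib rejects:", stdlib_rejects(name, value))
```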
Description
Adam Mariš
2016-02-01 17:02:48 UTC
Created python tracking bugs for this issue: Affects: fedora-all [bug 1331391]

Created glibc tracking bugs for this issue: Affects: fedora-all [bug 1331390]

Created python26 tracking bugs for this issue: Affects: epel-5 [bug 1331393]

Created python3 tracking bugs for this issue: Affects: fedora-all [bug 1331392]

For the moment, setting glibc as wontfix as per comment 4.

Python upstream fix for branch 2.7: https://hg.python.org/cpython/rev/1c45047c5102

CVE assignment: http://seclists.org/oss-sec/2016/q2/561

Mitre has assigned this CVE for the Python part of this vulnerability as noted in the CVE assignment post.

Created python34 tracking bugs for this issue: Affects: epel-7 [bug 1348973]

Created python34 tracking bugs for this issue: Affects: epel-7 [bug 1348982]

Also affects pypy3 in Fedora.

Created pypy tracking bugs for this issue: Affects: fedora-all [bug 1351685]

Created pypy3 tracking bugs for this issue: Affects: fedora-all [bug 1351687]

Created pypy tracking bugs for this issue: Affects: epel-5 [bug 1351691], epel-6 [bug 1351692], epel-7 [bug 1351694]

pypy3-2.4.0-6.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

python3-3.4.3-9.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

pypy3-2.4.0-3.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

pypy3-2.4.0-3.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

python34-3.4.3-5.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS, Red Hat Software Collections for Red Hat Enterprise Linux 7, Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS. Via RHSA-2016:1627 https://rhn.redhat.com/errata/RHSA-2016-1627.html

This issue has been addressed in the following products: Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 6. Via RHSA-2016:1626 https://rhn.redhat.com/errata/RHSA-2016-1626.html

This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS, Red Hat Software Collections for Red Hat Enterprise Linux 7, Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS, Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS, Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS, Red Hat Software Collections for Red Hat Enterprise Linux 6. Via RHSA-2016:1628 https://rhn.redhat.com/errata/RHSA-2016-1628.html

This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS, Red Hat Software Collections for Red Hat Enterprise Linux 7, Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS, Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS, Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS, Red Hat Software Collections for Red Hat Enterprise Linux 6. Via RHSA-2016:1630 https://rhn.redhat.com/errata/RHSA-2016-1630.html

This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS, Red Hat Software Collections for Red Hat Enterprise Linux 7, Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS, Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS, Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS, Red Hat Software Collections for Red Hat Enterprise Linux 6. Via RHSA-2016:1629 https://rhn.redhat.com/errata/RHSA-2016-1629.html