Bug 1883014 (CVE-2020-26116)
| Summary: | CVE-2020-26116 python: CRLF injection via HTTP request method in httplib/http.client | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Mauro Matteo Cascella <mcascell> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | adev88, bdettelb, carl, cbesson, cmoore, cstratak, dmalcolm, hhorak, jeffrey.ness, jiehuang, jorton, kaycoth, kevin, kmullins, manisandro, m.cyprian, mhroncok, pviktori, python-maint, python-sig, rkuska, sdunning, shcherbina.iryna, slavek.kabrda, steve.traylen, thrnciar, TicoTimo, tomckay, tomspur, torsava, vstinner |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | python 3.8.5, python 3.7.9, python 3.6.12, python 3.5.10 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A flaw was found in Python. The built-in modules httplib and http.client (included in Python 2 and Python 3, respectively) do not properly validate CRLF sequences in the HTTP request method, potentially allowing manipulation to the request by injecting additional HTTP headers. The highest threat from this vulnerability is to confidentiality and integrity.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-10-19 20:21:55 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1883243, 1883244, 1883245, 1883246, 1883247, 1883248, 1883254, 1883255, 1883256, 1883257, 1883258, 1883259, 1883260, 1883261, 1883433, 1883434, 1883435, 1883436, 1883437, 1883438, 1883439, 1883441, 1883469, 1883470, 1883541, 1885287, 1972200, 1972201 | ||
| Bug Blocks: | 1875735, 1877556 | ||
|
Description
Mauro Matteo Cascella
2020-09-27 13:38:10 UTC
Statement: Versions of python36:3.6/python36 as shipped with Red Hat Enterprise Linux 8 are marked as 'Not affected' as they just provide "symlinks" to the main python3 component, which provides the actual interpreter of the Python programming language. Created mingw-python3 tracking bugs for this issue: Affects: fedora-all [bug 1883247] Created python2 tracking bugs for this issue: Affects: fedora-all [bug 1883248] Created python26 tracking bugs for this issue: Affects: fedora-all [bug 1883243] Created python27 tracking bugs for this issue: Affects: fedora-all [bug 1883244] Created python34 tracking bugs for this issue: Affects: epel-all [bug 1883246] Affects: fedora-all [bug 1883245] External References: https://python-security.readthedocs.io/vuln/http-header-injection-method.html *** Bug 1875728 has been marked as a duplicate of this bug. *** *** Bug 1875735 has been marked as a duplicate of this bug. *** FEDORA-2020-221823ebdd has been pushed to the Fedora 33 stable repository. If problem still persists, please make note of it in this bug report. This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 6 Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Via RHSA-2020:4285 https://access.redhat.com/errata/RHSA-2020:4285 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-26116 This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Via RHSA-2020:4273 https://access.redhat.com/errata/RHSA-2020:4273 This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Via RHSA-2020:4299 https://access.redhat.com/errata/RHSA-2020:4299 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:1633 https://access.redhat.com/errata/RHSA-2021:1633 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:1761 https://access.redhat.com/errata/RHSA-2021:1761 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:1879 https://access.redhat.com/errata/RHSA-2021:1879 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Extended Update Support Via RHSA-2021:3366 https://access.redhat.com/errata/RHSA-2021:3366 This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2022:5235 https://access.redhat.com/errata/RHSA-2022:5235 |