The ftplib module of Python 3.6.2 doesn't reject newline characters in arguments and so can be abused indirectly in the urllib module to inject arbitrary FTP commands. See https://bugs.python.org/issue30119 I suggest to backport the following fix to Python 3.6 of Fedora 26: https://github.com/python/cpython/commit/8c2d4cf092c5f0335e7982392a33927579c4d512 Information about the vulnerability: http://python-security.readthedocs.io/vuln/urllib_ftp_protocol_stream_injection.html
Python 3.6 of Fedora 26 is different package. However, python36 would probably benefit form such backport as well.
python3-3.6.2-4.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-203f6f4a61
python3-3.6.2-4.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-203f6f4a61
python-setuptools-36.2.0-2.fc26 python3-3.6.2-5.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-be5c1b152f
python-setuptools-36.2.0-2.fc26, python3-3.6.2-5.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-be5c1b152f
python-setuptools-36.2.0-2.fc26, python3-3.6.2-5.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.