An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.2. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the path component of a URL) followed by an HTTP header or a Redis command. This is similar to the CVE-2019-9740 query string issue. Reference: https://bugs.python.org/issue35906
Created python-urllib3 tracking bugs for this issue: Affects: fedora-all [bug 1695599]
Created python3-urllib3 tracking bugs for this issue: Affects: epel-all [bug 1695600]
The main Python issue became https://bugs.python.org/issue30458, which supersedes multiple issues. The issue has been known in some form since 2011. A first issue about HTTP header injection was reported and then fixed in 2014; CVE-2016-5699 was assigned to this issue: https://bugs.python.org/issue22928

In 2017, a new issue was reported because the bpo-22928 (https://bugs.python.org/issue22928) fix is incomplete; CVE-2019-9740 and CVE-2019-9947 have been assigned to this new issue: https://bugs.python.org/issue30458

For more info about the history of this issue, see: https://bugs.python.org/issue30458#msg339846

--

Vulnerable Python modules:

* urllib and/or urllib2 of Python 2
* urllib of Python 3
* urllib3

urllib3 is not part of the Python standard library; it is hosted at https://github.com/urllib3/urllib3 and is used inside the popular requests module.

The urllib3 issue is tracked at: https://github.com/urllib3/urllib3/issues/1553
Created python3 tracking bugs for this issue: Affects: fedora-all [bug 1698976]
Created python34 tracking bugs for this issue: Affects: fedora-all [bug 1698977]
Created python35 tracking bugs for this issue: Affects: fedora-all [bug 1698978]
Created python34 tracking bugs for this issue: Affects: epel-all [bug 1698979]
Created python36 tracking bugs for this issue: Affects: epel-7 [bug 1698980]
Created python37 tracking bugs for this issue: Affects: fedora-28 [bug 1698981]
Created python36 tracking bugs for this issue: Affects: fedora-29 [bug 1698982]
Created python3 tracking bugs for this issue: Affects: fedora-all [bug 1700684]
> Vulnerable Python modules:
>
> * urllib and/or urllib2 of Python 2
> * urllib of Python 3
> * urllib3
>
> urllib3 is not part of Python standard library, it's hosted at https://github.com/urllib3/urllib3 and it is used inside the popular requests module.
>
> The urllib3 issue is tracked at:
> https://github.com/urllib3/urllib3/issues/1553

See CVE-2019-11236 (bug 1700824)
With regard to the urllib module in Python, there is still no fix accepted upstream.
This flaw should be fixed by the same fix used for CVE-2019-9740.
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS

Via RHSA-2019:1260 https://access.redhat.com/errata/RHSA-2019:1260
This flaw is about CRLF sequences that are not properly handled in the Python built-in modules urllib/urllib2 in the *path* part of the url parameter of the urlopen() function.
In reply to comment #15:
> This flaw should be fixed by the same fix used for CVE-2019-9740.

The fix for CVE-2019-9740 (https://github.com/python/cpython/pull/12755/files) does not correctly cover the case when the CRLF sequences are in the hostname part of the URL. However, when that is the case, the glibc getaddrinfo() function should return an error when trying to resolve the invalid hostname, assuming glibc is not vulnerable to CVE-2016-10739. When glibc is still vulnerable to CVE-2016-10739, a proper fix in Python is required to properly validate the hostname part of the URL and to prevent CRLF sequence injection.
This flaw has been fixed with the same patch used for CVE-2019-9740, which is:

https://github.com/python/cpython/commit/c4e671eec20dfcb29b18596a89ef075f826c9f96 [master]
https://github.com/python/cpython/commit/b7378d77289c911ca6a0c0afaf513879002df7d5 [master]
https://github.com/python/cpython/commit/bb8071a4cae5ab3fe321481dd3d73662ffb26052 [python-2.7]
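The path-component injection described in the comments above, reproduced end to end, as an added example that is not code from this bug report, from CPython or from Red Hat. It drives urllib.request.urlopen() with a CRLF sequence in the path and routes the request through a recording stand-in for the TCP socket, so it runs offline: an interpreter without the fix writes the attacker's line onto the wire as a header line of its own, while an interpreter carrying the fix commits listed above rejects the URL in http.client with InvalidURL before anything is sent. find_disallowed_pchar() reimplements the check those commits add to putrequest() (ASCII control characters, space and DEL in the request target) as a pre-flight check an application on an unpatched interpreter can apply itself. The host example.test, the /api/v1/items/ path and the X-Injected header are constructed inputs.

```python
"""CVE-2019-9947: CRLF injection through the *path* of the URL passed to
urllib.request.urlopen(), reproduced against a fake socket so nothing
touches the network.  Added example; not code from the bug report, from
CPython or from Red Hat.
"""
import io
import re
import urllib.request
from http.client import HTTPConnection, InvalidURL

# Mirror of the check the upstream fix added to http.client's putrequest():
# the request target may not contain ASCII control characters, space or DEL
# (RFC 3986 pchar).  Interpreters without the fix lack it, so callers there
# can run it themselves before handing a URL to urlopen().
_DISALLOWED_URL_PCHAR = re.compile(r"[\x00-\x20\x7f]")


def find_disallowed_pchar(url):
    """Return the first character of url that the fix rejects, or None."""
    m = _DISALLOWED_URL_PCHAR.search(url)
    return m.group() if m else None


class _RecordingSocket:
    """Stand-in for a TCP socket: records the bytes http.client writes and
    answers with a constructed, minimal HTTP/1.1 response."""

    # Constructed response; "Connection: close" makes http.client hand the
    # (fake) connection over to the response object.
    RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n"
                b"Connection: close\r\n\r\nok")

    def __init__(self):
        self.sent = bytearray()

    def sendall(self, data):
        self.sent += data

    def makefile(self, mode, *args, **kwargs):
        return io.BytesIO(self.RESPONSE)

    def close(self):
        pass


class _RecordingConnection(HTTPConnection):
    """HTTPConnection whose connect() never opens a real socket."""
    last_socket = None

    def connect(self):
        self.sock = _RecordingSocket()
        _RecordingConnection.last_socket = self.sock


class _RecordingHandler(urllib.request.HTTPHandler):
    def http_open(self, req):
        return self.do_open(_RecordingConnection, req)


def probe_path_crlf(injected_line="X-Injected: 1"):
    """Drive urlopen() with a CRLF sequence in the path component.

    The path is what an attacker controls in an application that
    interpolates user input into the URL.  Returns what the interpreter did:
    'blocked' is True when http.client refused the URL (fixed interpreter);
    'injected_line_seen' is True when the attacker's line reached the wire
    as a header line of its own (unfixed interpreter).
    """
    # Assumed attacker input: a path segment, then CRLF and a header line.
    # A Redis command such as "SET k v" would be injected the same way.
    url = f"http://example.test/api/v1/items/\r\n{injected_line}\r\nX-Tail: 1"
    _RecordingConnection.last_socket = None
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler({}),   # ignore http_proxy env vars
        _RecordingHandler,
    )
    try:
        with opener.open(url) as resp:
            resp.read()
        blocked, error = False, None
    except InvalidURL as exc:
        blocked, error = True, str(exc)
    sock = _RecordingConnection.last_socket
    wire = bytes(sock.sent) if sock else b""
    return {
        "blocked": blocked,
        "error": error,
        "injected_line_seen": b"\r\n" + injected_line.encode() + b"\r\n" in wire,
        "wire": wire,
    }


if __name__ == "__main__":
    print("disallowed char in path:", repr(find_disallowed_pchar("/a/\r\nX: 1")))
    result = probe_path_crlf()
    print("blocked by http.client:", result["blocked"], result["error"] or "")
    print("injected line reached the wire:", result["injected_line_seen"])
    print(result["wire"].decode("ascii", "replace"))
```

On an interpreter that carries the fix the probe reports the URL as blocked and an empty wire buffer; on one without it the wire buffer shows the request line split by the injected header, which is the behaviour the CVE text describes. The hostname case raised in the comment above is deliberately not exercised: the putrequest() check only sees the request target, so CRLF in the host part is left to the resolver, as that comment explains.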
Reference: https://python-security.readthedocs.io/vuln/http-header-injection2.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:2030 https://access.redhat.com/errata/RHSA-2019:2030
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2019:3335 https://access.redhat.com/errata/RHSA-2019:3335
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2019:3520 https://access.redhat.com/errata/RHSA-2019:3520
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6

Via RHSA-2019:3725 https://access.redhat.com/errata/RHSA-2019:3725
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.5 Extended Update Support Via RHSA-2020:1268 https://access.redhat.com/errata/RHSA-2020:1268
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Advanced Update Support
  Red Hat Enterprise Linux 7.4 Telco Extended Update Support
  Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions

Via RHSA-2020:1346 https://access.redhat.com/errata/RHSA-2020:1346
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.6 Extended Update Support Via RHSA-2020:1462 https://access.redhat.com/errata/RHSA-2020:1462