A security issue was found in Python. The built-in modules httplib/http.client do not properly validate CRLF sequences in the HTTP request method, potentially allowing the request to be manipulated by injecting additional HTTP headers.

Vulnerable modules:
* httplib (Python 2)
* http.client (Python 3)

References:
* https://python-security.readthedocs.io/vuln/http-header-injection-method.html
* https://bugs.python.org/issue39603

Upstream patch PR (merged upstream):
* https://github.com/python/cpython/pull/18485

Upstream commits:
* https://github.com/python/cpython/commit/8ca8a2e8fb068863c1138f07e3098478ef8be12e [master]
* https://github.com/python/cpython/commit/668d321476d974c4f51476b33aaca870272523bf [python-3.8.5]
* https://github.com/python/cpython/commit/ca75fec1ed358f7324272608ca952b2d8226d11a [python-3.7.9]
* https://github.com/python/cpython/commit/f02de961b9f19a5db0ead56305fe0057a78787ae [python-3.6.12]
* https://github.com/python/cpython/commit/524b8de630036a29ca340bc2ae6fd6dc7dda8f40 [python-3.5.10]
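Added example (not part of this bug report or of CPython itself): a method-name validator that mirrors the kind of control-character check the upstream fix introduced, plus a network-free probe that tells you whether the installed http.client already rejects CRLF in the request method. The function names `validate_method`, `is_safe_method` and `interpreter_rejects_control_chars_in_method` are assumptions for this example.

```python
import http.client
import re

# Assumption for this example: reject every ASCII control character in the
# method name, which covers CR (\r) and LF (\n), the bytes that end an HTTP
# request line and would let a second line be smuggled into the request.
_DISALLOWED_METHOD_CHARS = re.compile(r"[\x00-\x1f]")


def validate_method(method: str) -> str:
    """Return the method unchanged, or raise ValueError if it could break the request line."""
    match = _DISALLOWED_METHOD_CHARS.search(method)
    if match:
        raise ValueError(
            f"method can't contain control characters: {method!r} "
            f"(found {match.group()!r})"
        )
    return method


def is_safe_method(method: str) -> bool:
    """Boolean form of validate_method, convenient for input-filtering code."""
    try:
        validate_method(method)
    except ValueError:
        return False
    return True


def interpreter_rejects_control_chars_in_method() -> bool:
    """Probe the installed http.client for the fix without opening a socket.

    HTTPConnection.putrequest only buffers the request line; nothing is sent
    until endheaders() is called, so an unconnected connection object is enough.
    A patched interpreter raises ValueError before buffering anything.
    """
    conn = http.client.HTTPConnection("localhost")  # never connected
    try:
        conn.putrequest("GET\r\nX-Probe: 1", "/")  # constructed probe value
    except ValueError:
        return True
    return False
    # An unpatched interpreter accepts the method and buffers the bad line.


if __name__ == "__main__":
    print("http.client patched:", interpreter_rejects_control_chars_in_method())
    print("GET safe:", is_safe_method("GET"))
    print("CRLF method safe:", is_safe_method("GET\r\nX-Injected: 1"))
```

On a fixed interpreter (3.5.10, 3.6.12, 3.7.9, 3.8.5 or later) the probe returns True; on an unpatched one it returns False, which is a quick way to confirm a backported fix landed in a vendor package.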
Statement: Versions of python36:3.6/python36 as shipped with Red Hat Enterprise Linux 8 are marked as 'Not affected' as they just provide "symlinks" to the main python3 component, which provides the actual interpreter of the Python programming language.
Created mingw-python3 tracking bugs for this issue:
Affects: fedora-all [bug 1883247]

Created python2 tracking bugs for this issue:
Affects: fedora-all [bug 1883248]

Created python26 tracking bugs for this issue:
Affects: fedora-all [bug 1883243]

Created python27 tracking bugs for this issue:
Affects: fedora-all [bug 1883244]

Created python34 tracking bugs for this issue:
Affects: epel-all [bug 1883246]
Affects: fedora-all [bug 1883245]
External References: https://python-security.readthedocs.io/vuln/http-header-injection-method.html
*** Bug 1875728 has been marked as a duplicate of this bug. ***
*** Bug 1875735 has been marked as a duplicate of this bug. ***
FEDORA-2020-221823ebdd has been pushed to the Fedora 33 stable repository. If the problem still persists, please make note of it in this bug report.
This issue has been addressed in the following products:
Red Hat Software Collections for Red Hat Enterprise Linux 6
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2020:4285 https://access.redhat.com/errata/RHSA-2020:4285
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-26116
This issue has been addressed in the following products:
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2020:4273 https://access.redhat.com/errata/RHSA-2020:4273
This issue has been addressed in the following products:
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2020:4299 https://access.redhat.com/errata/RHSA-2020:4299
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:1633 https://access.redhat.com/errata/RHSA-2021:1633
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:1761 https://access.redhat.com/errata/RHSA-2021:1761
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:1879 https://access.redhat.com/errata/RHSA-2021:1879
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Extended Update Support Via RHSA-2021:3366 https://access.redhat.com/errata/RHSA-2021:3366
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2022:5235 https://access.redhat.com/errata/RHSA-2022:5235