python-gunicorn before version 19.5.0 has an HTTP response splitting vulnerability in the http/wsgi.py:process_headers() function, caused by improper neutralization of CRLF sequences in the response headers that the WSGI application hands to gunicorn through start_response(). An attacker who can get a CR/LF sequence into a header value (for example through an application that reflects request data into a Location or Set-Cookie header) could exploit this to make the server return arbitrary HTTP headers.

External References: https://epadillas.github.io/2018/04/02/http-header-splitting-in-gunicorn-19.4.5
Upstream Issue: https://github.com/benoitc/gunicorn/issues/1227
Upstream Patch: https://github.com/benoitc/gunicorn/commit/5263a4ef2a63c62216680876f3813959839608ff
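The following is an added illustration of the bug class, not gunicorn's own code: a minimal stand-in for the header serialization step, first without any CR/LF check (the pre-19.5.0 behaviour described above) and then with a control-character check of the kind the upstream patch introduced. The reflecting WSGI app, the attack query string and the exact regular expressions are constructed for this example; the value pattern in particular is an assumption about the shape of the fix, not a copy of the upstream patch.

```python
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs

# Header validation patterns (constructed for this example; the name pattern is
# modelled on gunicorn's HEADER_RE, the value pattern rejects every ASCII control
# character including CR and LF, which is what stops response splitting).
HEADER_NAME_RE = re.compile(r'[\x00-\x1F\x7F()<>@,;:\[\]={} \t\\"]')
HEADER_VALUE_RE = re.compile(r'[\x00-\x1F\x7F]')


class InvalidHeader(ValueError):
    """Raised by the hardened serializer when a header name or value is unsafe."""


def serialize_headers_vulnerable(status: str, headers: List[Tuple[str, str]]) -> bytes:
    """Pre-fix behaviour: values are joined into the response head unchecked, so a
    value containing "\\r\\n" terminates its line and starts a new header."""
    lines = ["HTTP/1.1 %s" % status]
    for name, value in headers:
        lines.append("%s: %s" % (name.strip(), str(value).strip()))
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


def serialize_headers_fixed(status: str, headers: List[Tuple[str, str]]) -> bytes:
    """Hardened behaviour: reject any header whose name or value carries a control
    character before it can reach the wire (assumed shape of the 19.5.0 fix)."""
    lines = ["HTTP/1.1 %s" % status]
    for name, value in headers:
        name, value = name.strip(), str(value).strip()
        if HEADER_NAME_RE.search(name):
            raise InvalidHeader("invalid header name %r" % name)
        if HEADER_VALUE_RE.search(value):
            raise InvalidHeader("control character in value of %r" % name)
        lines.append("%s: %s" % (name, value))
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


def reflecting_app(environ, start_response):
    """Constructed WSGI app: redirects to a caller-supplied 'next' URL without
    validating it, which is how attacker data reaches a response header."""
    target = parse_qs(environ.get("QUERY_STRING", "")).get("next", ["/"])[0]
    start_response("302 Found", [("Location", target), ("Content-Length", "0")])
    return [b""]


def run_app(app, query_string: str, serialize) -> bytes:
    """Drive the app the way a WSGI server would and build the raw response."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, list(headers)

    body = b"".join(app({"QUERY_STRING": query_string}, start_response))
    return serialize(captured["status"], captured["headers"]) + body


def parse_response_headers(raw: bytes) -> Dict[str, str]:
    """Parse the response head the way a client would: one header per CRLF line."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    _status_line, *header_lines = head.split("\r\n")
    return dict(line.split(": ", 1) for line in header_lines)


def render(serialize, query_string: str) -> Optional[Dict[str, str]]:
    """Return the headers a client sees, or None if the serializer refused them."""
    try:
        return parse_response_headers(run_app(reflecting_app, query_string, serialize))
    except InvalidHeader:
        return None


# Constructed attack: percent-encoded CR LF followed by a header of the attacker's choosing.
ATTACK_QUERY = "next=%2F%0D%0ASet-Cookie%3A%20session%3Dattacker"

if __name__ == "__main__":
    print("vulnerable:", render(serialize_headers_vulnerable, ATTACK_QUERY))
    print("fixed:     ", render(serialize_headers_fixed, ATTACK_QUERY))
```

With the unchecked serializer the client ends up with an injected Set-Cookie header that the application never set; with the check in place the same request fails before a byte of the response head is written, which is the behaviour to expect from a patched gunicorn. Note that rejecting the header turns the attack into a 500 rather than a silent fix, so the reflecting application still needs to validate what it puts into Location.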
Created python-gunicorn tracking bugs for this issue: Affects: epel-6 [bug 1564941]
The version shipped with OpenStack 12 is 19.7.1 and contains the latest fixes.