Bug 1883014 (CVE-2020-26116) - CVE-2020-26116 python: CRLF injection via HTTP request method in httplib/http.client
Summary: CVE-2020-26116 python: CRLF injection via HTTP request method in httplib/http...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-26116
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Duplicates: 1875728 1875735
Depends On: 1883243 1883244 1883245 1883246 1883247 1883248 1883254 1883255 1883256 1883257 1883258 1883259 1883260 1883261 1883433 1883434 1883435 1883436 1883437 1883438 1883439 1883441 1883469 1883470 1883541 1885287 1972200 1972201
Blocks: 1875735 1877556 (embargoed)
Reported: 2020-09-27 13:38 UTC by Mauro Matteo Cascella
Modified: 2022-06-28 09:47 UTC (History)
CC List: 31 users

Fixed In Version: python 3.8.5, python 3.7.9, python 3.6.12, python 3.5.10
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Python. The built-in modules httplib and http.client (included in Python 2 and Python 3, respectively) do not properly validate CRLF sequences in the HTTP request method, potentially allowing manipulation of the request by injecting additional HTTP headers. The highest threat from this vulnerability is to confidentiality and integrity.
Clone Of:
Environment:
Last Closed: 2020-10-19 20:21:55 UTC


Links:
* Red Hat Product Errata RHSA-2020:4273 (last updated 2020-10-20 16:00:54 UTC)
* Red Hat Product Errata RHSA-2020:4285 (last updated 2020-10-19 18:05:51 UTC)
* Red Hat Product Errata RHSA-2020:4299 (last updated 2020-10-20 20:00:19 UTC)
* Red Hat Product Errata RHSA-2021:3366 (last updated 2021-08-31 09:22:18 UTC)
* Red Hat Product Errata RHSA-2022:5235 (last updated 2022-06-28 09:47:03 UTC)

Description Mauro Matteo Cascella 2020-09-27 13:38:10 UTC
A security issue was found in Python. Built-in modules httplib/http.client do not properly validate CRLF sequences in the HTTP request method, potentially allowing manipulation of the request by injecting additional HTTP headers.

Vulnerable modules:
* httplib (Python 2)
* http.client (Python 3)

References:
* https://python-security.readthedocs.io/vuln/http-header-injection-method.html
* https://bugs.python.org/issue39603

Upstream patch PR (merged upstream):
* https://github.com/python/cpython/pull/18485

Upstream commits:
* https://github.com/python/cpython/commit/8ca8a2e8fb068863c1138f07e3098478ef8be12e [master]
* https://github.com/python/cpython/commit/668d321476d974c4f51476b33aaca870272523bf [python-3.8.5]
* https://github.com/python/cpython/commit/ca75fec1ed358f7324272608ca952b2d8226d11a [python-3.7.9]
* https://github.com/python/cpython/commit/f02de961b9f19a5db0ead56305fe0057a78787ae [python-3.6.12]
* https://github.com/python/cpython/commit/524b8de630036a29ca340bc2ae6fd6dc7dda8f40 [python-3.5.10]
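
A method check modelled on the upstream fix, added here as an example that is not taken from CPython or from this bug report: it contrasts an unchecked request-line build with a validated one and probes whether the running interpreter's http.client already rejects a CRLF in the method. Helper names are hypothetical and the tainted method string is constructed.

```python
import http.client
import re

# Added example, not CPython's own code. It models the check introduced by the
# upstream fix (PR 18485): an HTTP method is an RFC 7230 "token", so CR, LF and
# other control characters must be rejected before the request line is built.
# This version is slightly stricter than upstream (it also rejects DEL and space).
_DISALLOWED_METHOD_CHARS = re.compile(r"[\x00-\x1f\x7f ]")

def validate_method(method: str) -> str:
    """Return method unchanged if it contains no control characters, else raise ValueError."""
    match = _DISALLOWED_METHOD_CHARS.search(method)
    if match:
        raise ValueError(
            f"method can't contain control characters. {method!r} "
            f"(found at least {match.group()!r})"
        )
    return method

def build_request_line_unchecked(method: str, url: str) -> bytes:
    # 'Before' behaviour: the method is interpolated verbatim, so a CRLF inside it
    # terminates the request line early and whatever follows is parsed as headers.
    return f"{method} {url} HTTP/1.1\r\n".encode("ascii")

def build_request_line(method: str, url: str) -> bytes:
    # Hardened form: validate first, then build exactly one request line.
    return f"{validate_method(method)} {url} HTTP/1.1\r\n".encode("ascii")

def line_count(raw: bytes) -> int:
    """Number of CRLF-terminated lines a server would parse from raw request bytes."""
    return raw.count(b"\r\n")

def interpreter_rejects_crlf_method() -> bool:
    """True if the running http.client refuses a CRLF in the method (fixed in 3.8.5/3.7.9/3.6.12/3.5.10)."""
    conn = http.client.HTTPConnection("localhost")  # putrequest() only buffers; nothing is sent
    try:
        conn.putrequest("GET\r\nX-Constructed: 1", "/")
    except ValueError:
        return True
    finally:
        conn.close()
    return False

if __name__ == "__main__":
    # Constructed sample: a method string carrying a CRLF (not a real request).
    tainted = "GET\r\nX-Constructed: 1"
    print("unchecked request lines:", line_count(build_request_line_unchecked(tainted, "/")))  # 2
    print("interpreter patched:", interpreter_rejects_crlf_method())
```

Running the script on an affected interpreter prints `interpreter patched: False`, which is a quick way to confirm whether a deployed Python still carries the flaw.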

Comment 1 Mauro Matteo Cascella 2020-09-28 10:56:23 UTC
Statement:

Versions of python36:3.6/python36 as shipped with Red Hat Enterprise Linux 8 are marked as 'Not affected' as they just provide "symlinks" to the main python3 component, which provides the actual interpreter of the Python programming language.

Comment 2 Mauro Matteo Cascella 2020-09-28 14:56:19 UTC
Created mingw-python3 tracking bugs for this issue:

Affects: fedora-all [bug 1883247]


Created python2 tracking bugs for this issue:

Affects: fedora-all [bug 1883248]


Created python26 tracking bugs for this issue:

Affects: fedora-all [bug 1883243]


Created python27 tracking bugs for this issue:

Affects: fedora-all [bug 1883244]


Created python34 tracking bugs for this issue:

Affects: epel-all [bug 1883246]
Affects: fedora-all [bug 1883245]

Comment 7 Mauro Matteo Cascella 2020-09-29 12:05:13 UTC
External References:

https://python-security.readthedocs.io/vuln/http-header-injection-method.html

Comment 9 Mauro Matteo Cascella 2020-10-05 10:49:11 UTC
*** Bug 1875728 has been marked as a duplicate of this bug. ***

Comment 10 Mauro Matteo Cascella 2020-10-05 10:50:29 UTC
*** Bug 1875735 has been marked as a duplicate of this bug. ***

Comment 11 Fedora Update System 2020-10-05 16:35:11 UTC
FEDORA-2020-221823ebdd has been pushed to the Fedora 33 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 16 errata-xmlrpc 2020-10-19 18:05:48 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2020:4285 https://access.redhat.com/errata/RHSA-2020:4285

Comment 17 Product Security DevOps Team 2020-10-19 20:21:55 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-26116

Comment 18 errata-xmlrpc 2020-10-20 16:00:52 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2020:4273 https://access.redhat.com/errata/RHSA-2020:4273

Comment 21 errata-xmlrpc 2020-10-20 20:00:17 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2020:4299 https://access.redhat.com/errata/RHSA-2020:4299

Comment 22 errata-xmlrpc 2021-05-18 13:51:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:1633 https://access.redhat.com/errata/RHSA-2021:1633

Comment 23 errata-xmlrpc 2021-05-18 14:50:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:1761 https://access.redhat.com/errata/RHSA-2021:1761

Comment 24 errata-xmlrpc 2021-05-18 15:48:17 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:1879 https://access.redhat.com/errata/RHSA-2021:1879

Comment 27 errata-xmlrpc 2021-08-31 09:22:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:3366 https://access.redhat.com/errata/RHSA-2021:3366

Comment 28 errata-xmlrpc 2022-06-28 09:46:59 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2022:5235 https://access.redhat.com/errata/RHSA-2022:5235
