Date: Tue, 14 Jun 2016 14:16:24 -0700
From: Tim <tim-security@...tinelchicken.org>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: Re: CVE request: Python HTTP header injection in urllib2/urllib/httplib/http.client


> I would like to request a CVE for a Python header injection flaw in
> urllib2/urllib/httplib/http.client.
> 
> HTTPConnection.putheader() allows unsafe characters, which can be used to
> inject additional headers.
> 
> Upstream bug with reproducer :
> https://bugs.python.org/issue22928


Thank you for requesting a CVE, Cedric.  I have additional information
about this bug, including an additional exploitation path, which I
shared with Python security on January 14, 2016.  Unfortunately, they
have apparently failed to act to notify the public or acquire a CVE.
(They stopped responding to me months ago.)  I'll post the additional
information soon, once I am back at my desk.

In the meantime, do you happen to have specific information on which
versions of the 2.x and 3.x upstream branches were affected/fixed?

Thanks!
tim
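The flaw above is that putheader() accepted CR/LF in header names and values, so a value could terminate one header line and start another. Added example, not from the thread or from CPython: a pre-check in the shape of the validation that the upstream fix later added, plus a probe that reports whether the running interpreter already refuses such values (names like header_is_safe and interpreter_rejects_injection are mine).

```python
import re
from http.client import HTTPConnection

# Patterns of the same shape as the checks added to http.client by the fix
# for this bug (assumption: reproduced here so code on an unpatched
# interpreter can validate before putheader() ever sees the data).
LEGAL_HEADER_NAME = re.compile(r"[^:\s][^:\r\n]*")
# A bare CR or LF not followed by whitespace would start a new header line;
# LF followed by space/tab is obs-fold (line continuation) and is tolerated.
ILLEGAL_HEADER_VALUE = re.compile(r"\n(?![ \t])|\r(?![ \t\n])")


def header_is_safe(name, value):
    """True if name/value cannot begin a new header line on the wire."""
    if not LEGAL_HEADER_NAME.fullmatch(name):
        return False
    return ILLEGAL_HEADER_VALUE.search(value) is None


def put_validated_header(conn, name, value):
    """Validate first, then forward to putheader(); raise on unsafe input."""
    if not header_is_safe(name, value):
        raise ValueError("refusing to send header %r: %r" % (name, value))
    conn.putheader(name, value)


def interpreter_rejects_injection():
    """Report whether this Python's putheader() rejects a CR/LF-bearing value.

    putrequest() only buffers the request line and Host header; no socket is
    opened, so the probe runs offline.  Host name is constructed.
    """
    conn = HTTPConnection("example.invalid")
    conn.putrequest("GET", "/")
    try:
        conn.putheader("X-Probe", "a\r\nX-Injected: b")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("putheader() rejects CR/LF:", interpreter_rejects_injection())
    print("plain value safe:", header_is_safe("X-Request-Id", "abc123"))
    print("CRLF value safe:", header_is_safe("X-Request-Id", "abc\r\nX-Injected: 1"))
```

On an interpreter predating the fix, interpreter_rejects_injection() returns False and the only protection is the pre-check in put_validated_header().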
