Date: Tue, 14 Jun 2016 14:16:24 -0700
From: Tim <tim-security@...tinelchicken.org>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: Re: CVE request: Python HTTP header injection in urllib2/urllib/httplib/http.client

> I would like to request a CVE for a Python header injection flaw in
> urllib2/urllib/httplib/http.client.
>
> HTTPConnection.putheader() allows unsafe characters, which can be used to
> inject additional headers.
>
> Upstream bug with reproducer:
> https://bugs.python.org/issue22928

Thank you for requesting a CVE, Cedric.

I have additional information about this bug, including an additional
exploitation path, which I shared with Python security on January 14, 2016.
Unfortunately, they have apparently failed to act to notify the public or
acquire a CVE. (They stopped responding to me months ago.)

I'll post the additional information soon, once I am back at my desk. In the
meantime, do you happen to have specific information on which versions of the
2.x and 3.x upstream branches were affected/fixed?

Thanks!
tim
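The following is an added illustration of the flaw discussed in this thread; it is not part of Tim's or Cedric's messages and not code from the Python project. It shows how a header value carrying a bare CRLF, when written into the request buffer without validation (the pre-fix behaviour reported in issue22928), is parsed by the receiving side as an extra header field, and it contrasts that with a validation check of the kind a fixed putheader() applies. The names naive_request, safe_request, validate_header and stdlib_rejects, the regexes, and the sample header value are all assumptions made for this example; stdlib_rejects() only builds a request in the installed http.client (putrequest/putheader do not open a socket) so it runs offline.

```python
import http.client
import re

# Constructed sample input for this example: an attacker-controlled header
# value (e.g. copied from a URL parameter) carrying CRLF plus a second field.
ATTACKER_VALUE = "legit\r\nX-Injected: yes"

# Assumed validation rules in the spirit of the upstream fix: a value may
# contain CR/LF only when followed by whitespace (obsolete line folding), and
# a name must not contain ':' or whitespace/CR/LF.
_ILLEGAL_VALUE = re.compile(r"\n(?![ \t])|\r(?![ \t\n])")
_LEGAL_NAME = re.compile(r"[^:\s][^:\r\n]*")


def naive_request(method, path, headers):
    """Pre-fix behaviour: header fields are joined with no character checks."""
    lines = [f"{method} {path} HTTP/1.1"]
    for name, value in headers:
        lines.append(f"{name}: {value}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


def parse_request_headers(raw):
    """Split a raw request head into (name, value) fields as a server would."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    _request_line, *field_lines = head.split(b"\r\n")
    fields = []
    for line in field_lines:
        name, _, value = line.partition(b":")
        fields.append((name.strip().decode("latin-1"),
                       value.strip().decode("latin-1")))
    return fields


def validate_header(name, value):
    """Reject names/values that could terminate the field or start a new one."""
    if not _LEGAL_NAME.fullmatch(name):
        raise ValueError(f"Invalid header name {name!r}")
    if _ILLEGAL_VALUE.search(value):
        raise ValueError(f"Invalid header value {value!r}")
    return True


def safe_request(method, path, headers):
    """Same serialisation as naive_request, but every field is checked first."""
    for name, value in headers:
        validate_header(name, value)
    return naive_request(method, path, headers)


def stdlib_rejects(name, value):
    """True if the installed http.client refuses this header in putheader()."""
    conn = http.client.HTTPConnection("example.invalid")  # no socket is opened
    conn.putrequest("GET", "/")
    try:
        conn.putheader(name, value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    raw = naive_request("GET", "/", [("Host", "example.com"),
                                     ("X-Test", ATTACKER_VALUE)])
    print(raw)
    print(parse_request_headers(raw))       # X-Injected shows up as a field
    print(stdlib_rejects("X-Test", ATTACKER_VALUE))
```

Running the block shows the injected field appearing as a separate header in the parsed output of the unchecked request; on a Python build that carries the upstream fix, stdlib_rejects() returns True for the same value because putheader() raises ValueError. The check used here treats a CR or LF followed by whitespace as legal folding; a stricter policy that rejects any CR/LF is also reasonable for application code that never needs obsolete folding.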