FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

Python -- HTTP Header Injection in Python urllib

Affected packages
python27 < 2.7.10
0 <= python33
python34 < 3.4.4
python35 < 3.5.0

Details

VuXML ID a61374fc-3a4d-11e6-a671-60a44ce6887b
Discovery 2014-11-24
Entry 2016-06-30
Modified 2016-07-04

Guido Vranken reports:

HTTP header injection in urllib2/urllib/httplib/http.client with newlines in header values, where newlines have a semantic consequence of denoting the start of an additional header line.
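A caller-side guard for code that still runs on an affected interpreter, as an added example that is not part of this entry, the quoted report, or CPython's own fix. The names `check_header`, `safe_serialize`, `header_lines`, `UnsafeHeaderError` and the sample header are this example's own assumptions, and the check is deliberately strict: it rejects any CR, LF or NUL instead of tolerating folded lines.

```python
import re

# Any CR, LF or NUL in a header value is rejected outright.
_FORBIDDEN = re.compile(r"[\r\n\x00]")
# RFC 7230 "token" characters permitted in a header field name.
_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


class UnsafeHeaderError(ValueError):
    """Raised when a header would change the structure of the request."""


def check_header(name, value):
    """Return (name, value) unchanged, or raise UnsafeHeaderError."""
    if not _TOKEN.fullmatch(name):
        raise UnsafeHeaderError("illegal header name: %r" % (name,))
    if _FORBIDDEN.search(value):
        raise UnsafeHeaderError("line break or NUL in %s value: %r" % (name, value))
    return name, value


def serialize(headers):
    """Naive wire encoding: one CRLF-terminated 'Name: value' line per header."""
    return "".join("%s: %s\r\n" % (n, v) for n, v in headers)


def safe_serialize(headers):
    """Validate every header before it is written to the wire."""
    return serialize([check_header(n, v) for n, v in headers])


def header_lines(wire):
    """Header names a receiver sees after splitting the block on line breaks."""
    return [line.split(":", 1)[0] for line in wire.splitlines() if line]


# Constructed sample: one header supplied by the caller, with a line break
# embedded in its value.
SAMPLE = [("User-Agent", "demo\r\nX-Added: 1")]

if __name__ == "__main__":
    # Unchecked, the single header is received as two header lines.
    print(header_lines(serialize(SAMPLE)))
    try:
        safe_serialize(SAMPLE)
    except UnsafeHeaderError as exc:
        print("rejected:", exc)
```

Call `check_header` on every header whose name or value derives from untrusted input before handing it to urllib2, urllib, httplib or http.client; upgrading to a fixed package version listed above remains the actual remedy.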

References

CVE Name CVE-2016-5699
URL http://blog.blindspotsecurity.com/2016/06/advisory-http-header-injection-in.html
URL http://www.openwall.com/lists/oss-security/2016/06/14/7
URL https://bugs.python.org/issue22928