CVE-2016-5699

Advisory

Python versions 2.7.10, 3.3.7 and 3.4.4 include a fix for CVE-2016-5699: CRLF injection vulnerability in the HTTPConnection.putheader function in urllib2 and urllib in CPython (aka Python) before 2.7.10 and 3.x before 3.4.4 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in a URL.
https://bugs.python.org/issue22928

Affected package

Affected versions

Fixed versions

Vulnerability changelog

This vulnerability has no description

Resources

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5699
• http://blog.blindspotsecurity.com/2016/06/advisory-http-header-injection-in.html
• https://docs.python.org/3.4/whatsnew/changelog.html#python-3-4-4
• https://hg.python.org/cpython/rev/bf3e1c9b80e9
• http://www.openwall.com/lists/oss-security/2016/06/15/12
• http://www.openwall.com/lists/oss-security/2016/06/16/2
• http://www.openwall.com/lists/oss-security/2016/06/14/7
• https://hg.python.org/cpython/raw-file/v2.7.10/Misc/NEWS
• https://hg.python.org/cpython/rev/1c45047c5102
• http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html
• http://www.securityfocus.com/bid/91226
• http://www.splunk.com/view/SP-CAAAPUE
• http://www.splunk.com/view/SP-CAAAPSV
• http://rhn.redhat.com/errata/RHSA-2016-1630.html
• http://rhn.redhat.com/errata/RHSA-2016-1629.html
• http://rhn.redhat.com/errata/RHSA-2016-1628.html
• http://rhn.redhat.com/errata/RHSA-2016-1627.html
• http://rhn.redhat.com/errata/RHSA-2016-1626.html
• https://lists.debian.org/debian-lts-announce/2019/02/msg00011.html
• http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html