PublicDateAtUSN: 2020-09-27 04:15:00 UTC
Candidate: CVE-2020-26116
PublicDate: 2020-09-27 04:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26116
 https://python-security.readthedocs.io/vuln/http-header-injection-method.html
 https://ubuntu.com/security/notices/USN-4581-1
 https://ubuntu.com/security/notices/USN-4754-3
Description:
 http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before
 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker
 controls the HTTP request method, as demonstrated by inserting CR and LF
 control characters in the first argument of HTTPConnection.request.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
 https://bugs.python.org/issue39603
Priority: medium
Discovered-by:
Assigned-to: leosilva
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N [7.2 HIGH]

Patches_python2.7:
upstream_python2.7: needs-triage
precise/esm_python2.7: released (2.7.3-0ubuntu3.19)
trusty_python2.7: ignored (out of standard support)
trusty/esm_python2.7: released (2.7.6-8ubuntu0.6+esm7)
xenial_python2.7: released (2.7.12-1ubuntu0~16.04.13)
esm-infra/xenial_python2.7: released (2.7.12-1ubuntu0~16.04.13)
bionic_python2.7: released (2.7.17-1~18.04ubuntu1.2)
focal_python2.7: released (2.7.18-1~20.04.1)
groovy_python2.7: ignored (reached end-of-life)
hirsute_python2.7: ignored (reached end-of-life)
impish_python2.7: needs-triage
jammy_python2.7: needs-triage
devel_python2.7: needs-triage

Patches_python3.4:
upstream_python3.4: needs-triage
precise/esm_python3.4: DNE
trusty_python3.4: ignored (out of standard support)
trusty/esm_python3.4: released (3.4.3-1ubuntu1~14.04.7+esm8)
xenial_python3.4: DNE
bionic_python3.4: DNE
focal_python3.4: DNE
groovy_python3.4: DNE
hirsute_python3.4: DNE
impish_python3.4: DNE
jammy_python3.4: DNE
devel_python3.4: DNE

Patches_python3.5:
 upstream: https://github.com/python/cpython/commit/524b8de630036a29ca340bc2ae6fd6dc7dda8f40 (v3.5.10)
upstream_python3.5: needs-triage
precise/esm_python3.5: DNE
trusty_python3.5: ignored (out of standard support)
trusty/esm_python3.5: needs-triage
xenial_python3.5: released (3.5.2-2ubuntu0~16.04.12)
esm-infra/xenial_python3.5: released (3.5.2-2ubuntu0~16.04.12)
bionic_python3.5: DNE
focal_python3.5: DNE
groovy_python3.5: DNE
hirsute_python3.5: DNE
impish_python3.5: DNE
jammy_python3.5: DNE
devel_python3.5: DNE

Patches_python3.6:
 upstream: https://github.com/python/cpython/commit/f02de961b9f19a5db0ead56305fe0057a78787ae (v3.6.12)
upstream_python3.6: needs-triage
precise/esm_python3.6: DNE
trusty_python3.6: DNE
trusty/esm_python3.6: DNE
xenial_python3.6: DNE
bionic_python3.6: released (3.6.9-1~18.04ubuntu1.3)
focal_python3.6: DNE
groovy_python3.6: DNE
hirsute_python3.6: DNE
impish_python3.6: DNE
jammy_python3.6: DNE
devel_python3.6: DNE

Patches_python3.7:
 upstream: https://github.com/python/cpython/commit/ca75fec1ed358f7324272608ca952b2d8226d11a (v3.7.9)
upstream_python3.7: needs-triage
precise/esm_python3.7: DNE
trusty_python3.7: DNE
trusty/esm_python3.7: DNE
xenial_python3.7: DNE
bionic_python3.7: needed
focal_python3.7: DNE
groovy_python3.7: DNE
hirsute_python3.7: DNE
impish_python3.7: DNE
jammy_python3.7: DNE
devel_python3.7: DNE

Patches_python3.8:
 upstream: https://github.com/python/cpython/commit/668d321476d974c4f51476b33aaca870272523bf (v3.8.5)
upstream_python3.8: needs-triage
precise/esm_python3.8: DNE
trusty_python3.8: DNE
trusty/esm_python3.8: DNE
xenial_python3.8: DNE
bionic_python3.8: needed
focal_python3.8: not-affected
groovy_python3.8: not-affected
hirsute_python3.8: DNE
impish_python3.8: DNE
jammy_python3.8: DNE
devel_python3.8: DNE

Patches_python3.9:
 upstream: https://github.com/python/cpython/commit/27b811057ff5e93b68798e278c88358123efdc71 (v3.9.0b5)
upstream_python3.9: released (3.9.0~b5-1)
precise/esm_python3.9: DNE
trusty_python3.9: DNE
trusty/esm_python3.9: DNE
xenial_python3.9: DNE
bionic_python3.9: DNE
focal_python3.9: not-affected (3.9.0-5~20.04)
groovy_python3.9: not-affected (3.9.0-5)
hirsute_python3.9: not-affected (3.9.0-5)
impish_python3.9: not-affected (3.9.0-5)
jammy_python3.9: DNE
devel_python3.9: DNE