Issue2555

classification
Title: CVE-2016-5699
Type: security Severity: normal
Components: Library Versions: Jython 2.7
Milestone: Jython 2.7.1
process
Status: pending Resolution: invalid
Dependencies: Superseder:
Assigned To: stefan.richthofer Nosy List: jduffy3, stefan.richthofer
Priority: urgent Keywords:

Created on 2017-02-22.12:14:58 by jduffy3, last changed 2017-03-03.18:20:30 by stefan.richthofer.

Messages
msg11111 (view) Author: James Duffy (jduffy3) Date: 2017-02-22.12:14:57
The following vulnerability was identified in Python 2.7

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5699

CRLF injection vulnerability in the HTTPConnection.putheader function in urllib2 and urllib in CPython (aka Python) before 2.7.10 and 3.x before 3.4.4 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in a URL.

I see the latest jar of Jython doesn't include the fix for this. Is this going to be patched any time?

Thanks!
msg11115 (view) Author: Stefan Richthofer (stefan.richthofer) Date: 2017-02-23.16:21:42
I will check if urllib can be updated to the latest CPython 2.7 version.
We should update lib-python to newest version anyway. Hope this won't break too much...
msg11167 (view) Author: Stefan Richthofer (stefan.richthofer) Date: 2017-03-03.16:15:17
It looks like the security fix you point to has already been adopted by Jython, see https://github.com/jythontools/jython/commit/44778c418139df183d6b0929e7cc23801827aef4

I tried to update the whole std-lib, but that causes to many failures to make it into 2.7.1. I will open a separate issue for that.
msg11170 (view) Author: Stefan Richthofer (stefan.richthofer) Date: 2017-03-03.18:20:29
Still, as of https://hg.python.org/jython/rev/16b977e954b4 I updated urllib, urllib2, httplib to 2.7.13 version, just in case.
History
Date User Action Args
2017-03-03 18:20:30stefan.richthofersetmessages: + msg11170
2017-03-03 16:15:17stefan.richthofersetstatus: open -> pending
assignee: stefan.richthofer
resolution: invalid
messages: + msg11167
2017-02-27 04:43:10zyasoftsetpriority: urgent
milestone: Jython 2.7.1
2017-02-23 16:21:43stefan.richthofersetnosy: + stefan.richthofer
messages: + msg11115
2017-02-22 12:14:58jduffy3create