Issue2555

The following vulnerability was identified in Python 2.7

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5699

CRLF injection vulnerability in the HTTPConnection.putheader function in urllib2 and urllib in CPython (aka Python) before 2.7.10 and 3.x before 3.4.4 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in a URL.

I see the latest jar of Jython doesn't include the fix for this. Is this going to be patched any time?

Thanks!

I will check if urllib can be updated to the latest CPython 2.7 version.
We should update lib-python to newest version anyway. Hope this won't break too much...

It looks like the security fix you point to has already been adopted by Jython, see https://github.com/jythontools/jython/commit/44778c418139df183d6b0929e7cc23801827aef4

I tried to update the whole std-lib, but that causes to many failures to make it into 2.7.1. I will open a separate issue for that.

Still, as of https://hg.python.org/jython/rev/16b977e954b4 I updated urllib, urllib2, httplib to 2.7.13 version, just in case.