package/python: add upstream security fix for CVE-2019-9740
author Peter Korsgaard <peter@korsgaard.com>
Wed, 28 Aug 2019 08:49:32 +0000 (10:49 +0200)
committer Peter Korsgaard <peter@korsgaard.com>
Wed, 28 Aug 2019 13:04:22 +0000 (15:04 +0200)
commit e941599f69e6b50f860cb2b704a838875247a317
tree 87ade5661b07f569babdf8fef459de4129e8f077
parent a0b032ad859b2e6e8cd5c6ba1c294526fd2bfed9
package/python: add upstream security fix for CVE-2019-9740

An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib
in Python 3.x through 3.7.3.  CRLF injection is possible if the attacker
controls a url parameter, as demonstrated by the first argument to
urllib.request.urlopen with \r\n (specifically in the query string after a ?
character) followed by an HTTP header or a Redis command.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
package/python/0041-bpo-30458-Disallow-control-chars-in-http-URLs-GH-127.patch [new file with mode: 0644]
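
The commit message above describes raw CR/LF characters in a URL reaching the HTTP request. As an added example (not code from this commit or from the upstream patch), here is a pre-flight check in Python 3 that rejects such URLs before they are handed to an HTTP client. The names `check_request_url`, `audit`, `UnsafeURLError`, the rejected character range and the sample URLs are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# ASCII control characters, space and DEL: none may appear raw in a request target.
# Assumption: this range is chosen for the example, not copied from the patch.
_DISALLOWED = re.compile(r"[\x00-\x20\x7f]")


class UnsafeURLError(ValueError):
    """Raised when a URL must not be handed to an HTTP client."""


def check_request_url(url):
    """Return url unchanged if it is safe to request, else raise UnsafeURLError."""
    # Test the raw string first: some urlsplit() versions silently strip \r, \n, \t.
    bad = _DISALLOWED.search(url)
    if bad:
        raise UnsafeURLError(
            "disallowed character %r at offset %d" % (bad.group(), bad.start()))
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise UnsafeURLError("not an absolute http(s) URL: %r" % url)
    return url


def audit(urls):
    """Map each rejected URL (repr-escaped) to the reason it was rejected."""
    rejected = {}
    for url in urls:
        try:
            check_request_url(url)
        except UnsafeURLError as exc:
            rejected[repr(url)] = str(exc)
    return rejected


# Constructed sample inputs; example.test is a reserved test domain.
SAMPLES = [
    "http://example.test/search?q=ok",
    "http://example.test/search?q=a%0d%0aX-Test:%201",  # percent-encoded: stays one line
    "http://example.test/search?q=a\r\nX-Test: 1",      # raw CRLF would split the request
    "http://example.test/a b",
    "ftp://example.test/file",
]

if __name__ == "__main__":
    for url, reason in audit(SAMPLES).items():
        print(url, "->", reason)
```

Percent-encoded `%0d%0a` passes because it stays inside a single request line; only the raw bytes are rejected.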