CVE-2016-5699: Input Validation
First published: Mon Nov 24 2014(Updated: )
A vulnerability in Python's http, ftp and url libraries was reported, allowing to inject additional HTTP headers and more. * Upstream bug: <a href="https://bugs.python.org/issue22928">https://bugs.python.org/issue22928</a> * Upstream patches Python 3.4 / 3.5 : revision 94952 : <a href="https://hg.python.org/cpython/rev/bf3e1c9b80e9">https://hg.python.org/cpython/rev/bf3e1c9b80e9</a> Python 2.7 : revision 94951 : <a href="https://hg.python.org/cpython/rev/1c45047c5102">https://hg.python.org/cpython/rev/1c45047c5102</a> Additional note : When used in combination with flaw described in <a class="bz_bug_link bz_status_CLOSED bz_closed bz_public " title="CLOSED ERRATA - CVE-2016-10739 glibc: getaddrinfo should reject IP addresses with trailing characters" href="show_bug.cgi?id=1347549">BZ 1347549</a>, an attacker could direct an HTTP connection to a malicious server, using the following combined issues: * Python's httplib does not validate HTTP header values. A malicious 'Host' header with quoted new lines can inject additional headers and more * glibc's getaddrinfo() ignores new lines and everything after a new line character when the first part looks like a IPv4 address See the following blog post for additional information: <a href="http://blog.blindspotsecurity.com/2016/06/advisory-http-header-injection-in.html">http://blog.blindspotsecurity.com/2016/06/advisory-http-header-injection-in.html</a>
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/python | <0:2.6.6-66.el6_8 | 0:2.6.6-66.el6_8 |
| redhat/python | <0:2.7.5-38.el7_2 | 0:2.7.5-38.el7_2 |
| redhat/python27-python | <0:2.7.8-18.el6 | 0:2.7.8-18.el6 |
| redhat/python33-python | <0:3.3.2-18.el6 | 0:3.3.2-18.el6 |
| redhat/rh-python34-python | <0:3.4.2-14.el6 | 0:3.4.2-14.el6 |
| redhat/rh-python35-python | <0:3.5.1-9.el7 | 0:3.5.1-9.el7 |
| redhat/python27-python | <0:2.7.8-16.el7 | 0:2.7.8-16.el7 |
| redhat/python33-python | <0:3.3.2-16.el7 | 0:3.3.2-16.el7 |
| redhat/rh-python34-python | <0:3.4.2-13.el7 | 0:3.4.2-13.el7 |
| Python 2.7 | <=2.7.9 | |
| Python 2.7 | =3.0 | |
| Python 2.7 | =3.0.1 | |
| Python 2.7 | =3.1.0 | |
| Python 2.7 | =3.1.1 | |
| Python 2.7 | =3.1.2 | |
| Python 2.7 | =3.1.3 | |
| Python 2.7 | =3.1.4 | |
| Python 2.7 | =3.1.5 | |
| Python 2.7 | =3.2.0 | |
| Python 2.7 | =3.2.1 | |
| Python 2.7 | =3.2.2 | |
| Python 2.7 | =3.2.3 | |
| Python 2.7 | =3.2.4 | |
| Python 2.7 | =3.2.5 | |
| Python 2.7 | =3.2.6 | |
| Python 2.7 | =3.3.0 | |
| Python 2.7 | =3.3.1 | |
| Python 2.7 | =3.3.2 | |
| Python 2.7 | =3.3.3 | |
| Python 2.7 | =3.3.4 | |
| Python 2.7 | =3.3.5 | |
| Python 2.7 | =3.3.6 | |
| Python 2.7 | =3.4.0 | |
| Python 2.7 | =3.4.1 | |
| Python 2.7 | =3.4.2 | |
| Python 2.7 | =3.4.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2016-5699 https://nvd.nist.gov/vuln/detail/CVE-2016-5699
- https://bugzilla.redhat.com/show_bug.cgi?id=1303699
- https://access.redhat.com/errata/RHSA-2016:1626
- https://access.redhat.com/errata/RHSA-2016:1628
- https://access.redhat.com/errata/RHSA-2016:1629
- https://access.redhat.com/errata/RHSA-2016:1630
- https://access.redhat.com/errata/RHSA-2016:1627
- https://access.redhat.com/security/cve/CVE-2016-5699
- https://bugs.python.org/issue22928
- https://hg.python.org/cpython/rev/bf3e1c9b80e9
- https://hg.python.org/cpython/rev/1c45047c5102
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1347549
- http://blog.blindspotsecurity.com/2016/06/advisory-http-header-injection-in.html
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1331391
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1331390
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1331393
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1331392
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1303699#c4
- http://seclists.org/oss-sec/2016/q2/561
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1348973
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1348982
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1351685
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1351687
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1351691
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1351692
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1351694
- https://rhn.redhat.com/errata/RHSA-2016-1627.html
- https://rhn.redhat.com/errata/RHSA-2016-1626.html
- https://rhn.redhat.com/errata/RHSA-2016-1628.html
- https://rhn.redhat.com/errata/RHSA-2016-1630.html
- https://rhn.redhat.com/errata/RHSA-2016-1629.html
- http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html
- http://rhn.redhat.com/errata/RHSA-2016-1626.html
- http://rhn.redhat.com/errata/RHSA-2016-1627.html
- http://rhn.redhat.com/errata/RHSA-2016-1628.html
- http://rhn.redhat.com/errata/RHSA-2016-1629.html
- http://rhn.redhat.com/errata/RHSA-2016-1630.html
- http://www.openwall.com/lists/oss-security/2016/06/14/7
- http://www.openwall.com/lists/oss-security/2016/06/15/12
- http://www.openwall.com/lists/oss-security/2016/06/16/2
- http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html
- http://www.securityfocus.com/bid/91226
- http://www.splunk.com/view/SP-CAAAPSV
- http://www.splunk.com/view/SP-CAAAPUE
- https://docs.python.org/3.4/whatsnew/changelog.html#python-3-4-4
- https://hg.python.org/cpython/raw-file/v2.7.10/Misc/NEWS
- https://lists.debian.org/debian-lts-announce/2019/02/msg00011.html
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is the severity of CVE-2016-5699?
CVE-2016-5699 has a medium severity level, allowing for the injection of additional HTTP headers in affected Python libraries.
How do I fix CVE-2016-5699?
To fix CVE-2016-5699, upgrade your Python package to a version that includes the upstream patches addressing this vulnerability.
Which versions of Python are affected by CVE-2016-5699?
CVE-2016-5699 affects multiple versions of Python, including versions prior to 2.7.9 and specific releases up to 3.5.1.
What libraries in Python does CVE-2016-5699 impact?
CVE-2016-5699 specifically impacts the http, ftp, and url libraries within Python.
Is there a specific package recommended for CVE-2016-5699 remediation?
Yes, updating to the specific recommended packages such as python-2.7.9 or later, python27-python-2.7.8-16.el7, or rh-python34-python-3.4.2-14.el6 is needed for remediation.
- collector/redhat-cve
- collector/redhat-bugzilla
- alias/CVE-2016-5699
- agent/type
- agent/remedy
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/weakness
- agent/severity
- agent/author
- agent/last-modified-date
- agent/description
- agent/event
- agent/trending
- agent/source
- agent/tags
- agent/softwarecombine
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/redhat
- vendor/python
- canonical/python 2.7
- version/python 2.7/2.7.9
- version/python 2.7/3.0
- version/python 2.7/3.0.1
- version/python 2.7/3.1.0
- version/python 2.7/3.1.1
- version/python 2.7/3.1.2
- version/python 2.7/3.1.3
- version/python 2.7/3.1.4
- version/python 2.7/3.1.5
- version/python 2.7/3.2.0
- version/python 2.7/3.2.1
- version/python 2.7/3.2.2
- version/python 2.7/3.2.3
- version/python 2.7/3.2.4
- version/python 2.7/3.2.5
- version/python 2.7/3.2.6
- version/python 2.7/3.3.0
- version/python 2.7/3.3.1
- version/python 2.7/3.3.2
- version/python 2.7/3.3.3
- version/python 2.7/3.3.4
- version/python 2.7/3.3.5
- version/python 2.7/3.3.6
- version/python 2.7/3.4.0
- version/python 2.7/3.4.1
- version/python 2.7/3.4.2
- version/python 2.7/3.4.3