Warning
This resource is maintained for historical reference and does not contain the latest vulnerability info for Python.
The canonical database for vulnerabilities affecting Python is available on GitHub in the Open Source Vulnerability (OSV) format. This database can be viewed online at the Open Source Vulnerability Database.
It is possible to inject email headers using CR or LF characters.
The fix disallows CR and LF characters in email.headerregistry.Address
arguments to guard against header injection attacks.
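The check described above can be exercised as follows. This is an added example, not CPython's own code: `safe_address`, `rejected`, `interpreter_has_fix` and `build_message` are hypothetical helper names, and all sample values are constructed. It validates address parts before they reach `Address`, so the input is refused even on an unpatched interpreter, and it probes whether the running Python carries the fix.

```python
from email.headerregistry import Address
from email.message import EmailMessage

# Constructed sample values containing the control characters the fix rejects.
CONSTRUCTED_BAD_VALUES = ["Alice\r\nX-Injected: 1", "alice\nx", "example.com\r"]


def safe_address(display_name="", username="", domain=""):
    """Build an Address from untrusted parts; refuse CR/LF on any interpreter."""
    for part in (display_name, username, domain):
        if "\r" in part or "\n" in part:
            raise ValueError("address parts cannot contain CR or LF")
    return Address(display_name=display_name, username=username, domain=domain)


def rejected(ctor, **parts):
    """Return True if ctor(**parts) raises ValueError."""
    try:
        ctor(**parts)
    except ValueError:
        return True
    return False


def interpreter_has_fix():
    """True if the running Python's own Address() rejects CR/LF in every part."""
    good = {"display_name": "Alice", "username": "alice", "domain": "example.com"}
    for field in good:
        for ch in ("\r", "\n"):
            if not rejected(Address, **{**good, field: good[field] + ch + "x"}):
                return False
    return True


def build_message(display_name, username, domain):
    """Compose a message whose To header comes from validated address parts."""
    msg = EmailMessage()
    msg["To"] = safe_address(display_name, username, domain)
    msg["Subject"] = "constructed test message"
    msg.set_content("body")
    return msg


if __name__ == "__main__":
    print("interpreter carries the fix:", interpreter_has_fix())
    print("bad values refused:",
          all(rejected(safe_address, display_name=v) for v in CONSTRUCTED_BAD_VALUES))
    print(build_message("Alice Example", "alice", "example.com")["To"])
```

If `interpreter_has_fix()` returns False, the interpreter predates the fixed releases listed under Dates and only the explicit check in `safe_address` stands between untrusted input and the header.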
Dates:
Disclosure date: 2019-12-17 (Python issue bpo-39073 reported)
Python 3.5.10 (2020-09-05) fixed by commit f91a0b6 (branch 3.5) (2020-06-12)
Python 3.6.11 (2020-06-27) fixed by commit 7df32f8 (branch 3.6) (2020-05-27)
Python 3.7.8 (2020-06-27) fixed by commit a93bf82 (branch 3.7) (2020-05-27)
Python 3.8.4 (2020-07-13) fixed by commit 75635c6 (branch 3.8) (2020-05-27)
Python 3.9.0 (2020-10-05) fixed by commit 614f172 (branch 3.9) (2020-03-30)
[security] email module incorrect handling of CR and LF newline characters in Address objects.
Python issue: bpo-39073
Creation date: 2019-12-17
Reporter: Jasper Spaans
Timeline using the disclosure date 2019-12-17 as reference:
2019-12-17: Python issue bpo-39073 reported by Jasper Spaans
2020-03-30 (+104 days): commit 614f172 (branch 3.9)
2020-05-27 (+162 days): commit 75635c6 (branch 3.8)
2020-05-27 (+162 days): commit 7df32f8 (branch 3.6)
2020-05-27 (+162 days): commit a93bf82 (branch 3.7)
2020-06-12 (+178 days): commit f91a0b6 (branch 3.5)
2020-06-27 (+193 days): Python 3.6.11 released
2020-06-27 (+193 days): Python 3.7.8 released
2020-07-13 (+209 days): Python 3.8.4 released
2020-09-05 (+263 days): Python 3.5.10 released
2020-10-05: Python 3.9.0 released