
Author rschiron
Recipients benjamin.peterson, cstratak, gregory.p.smith, jaraco, larry, lukasz.langa, martin.panter, miss-islington, ned.deily, orange, rschiron, serhiy.storchaka, vstinner, ware, xiang.zhang, xtreak
Date 2019-10-24.08:12:28
Message-id <1571904749.3.0.802307895867.issue30458@roundup.psfhosted.org>
Content
I have created https://bugs.python.org/issue38576 to address CVE-2019-18348.

@gregory.p.smith if you have particular complaints about these CVEs feel free to let me know (even privately). I think the security impact of these flaws is: an application that relies on urlopen/HTTPConnection/etc. where either the query part, the path part or the host part are user-controlled, could be exploited to send unintended HTTP headers to other hosts (maybe services that would not be directly reachable by the user).

FYI, there were some good replies to that CVE talk, one of which is https://grsecurity.net/reports_of_cves_death_greatly_exaggerated .
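An added example (not part of this message or of CPython itself) of the defender-side check an application can apply before a user-controlled host, path or query reaches urlopen/HTTPConnection: reject any character that could terminate the request line or the Host header and so be read as a separate header. The function names and the strict host allowlist (hostname plus optional port; userinfo and IPv6 literals are deliberately rejected) are this example's own assumptions.

```python
import re
from urllib.parse import urlsplit

# Same class of characters that http.client refuses in a request target:
# ASCII controls (including CR and LF), space and DEL. Any of these inside
# a component copied into the request line or Host header can end the
# header line early. The raw string is checked before urlsplit() because
# newer urllib.parse versions silently strip tab/CR/LF while parsing.
_DISALLOWED = re.compile(r"[\x00-\x20\x7f]")
# Assumption of this example: only a bare hostname with optional port is
# accepted as the network location (no userinfo, no IPv6 literal).
_HOST_OK = re.compile(r"^[A-Za-z0-9.\-]+(:[0-9]{1,5})?$")


def validate_outbound_url(url: str) -> str:
    """Return url unchanged if every component is safe to hand to
    urlopen()/HTTPConnection; raise ValueError otherwise."""
    if _DISALLOWED.search(url):
        raise ValueError("control character or whitespace in URL")
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    if not parts.netloc or not _HOST_OK.match(parts.netloc):
        raise ValueError(f"invalid host: {parts.netloc!r}")
    # path and query are already control-free (checked on the raw string);
    # fragments are never sent on the wire, so they are not inspected.
    return url


def is_safe_outbound_url(url: str) -> bool:
    """Boolean wrapper for callers that prefer a predicate to an exception."""
    try:
        validate_outbound_url(url)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample inputs: one clean URL and three that must be refused.
    for candidate in (
        "https://example.com:8443/api?q=1",
        "http://example.com\r\n/path",     # CRLF inside the host part
        "http://exa mple.com/",            # whitespace in the host
        "http://example.com/a?b=\x00",     # NUL in the query
    ):
        print(repr(candidate), "->", is_safe_outbound_url(candidate))
```

Current CPython releases perform comparable validation inside http.client (the change this issue tracks); the check above is defence in depth for code that must also run on interpreters without that fix.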