@frenzymadness
Member

No description provided.

@frenzymadness frenzymadness requested a review from hroncok January 30, 2026 13:57
@hroncok
Member

hroncok commented Feb 2, 2026

First of all, I have manually verified that this successfully fixes CVE-2026-0865 and CVE-2026-1299.

@hroncok hroncok left a comment

Feedback about the commits.

  • Correct: The backports seem correct to me.
  • Must: Attribute the author of python@45b2f88 in the patch that added this as Co-authored-by.
  • Optional but recommended: Mention which commits were cherry-picked in all commit messages.

gpshead and others added 4 commits February 2, 2026 12:08
pythongh-143916: Reject control characters in wsgiref.headers.Headers (pythonGH-143917)

* Add 'test.support' fixture for C0 control characters
* pythongh-143916: Reject control characters in wsgiref.headers.Headers

(cherry picked from commit 2f84024)

Co-authored-by: Seth Michael Larson <seth@python.org>

pythongh-143921: Reject control characters in IMAP commands

(cherry-picked from commit 6262704)

pythongh-143923: Reject control characters in POP3 commands

(cherry-picked from commit b234a2b)

pythongh-144125: email: verify headers are sound in BytesGenerator

(cherry picked from commit 8cdf620)

Co-authored-by: Seth Michael Larson <seth@python.org>
Co-authored-by: Denis Ledoux <dle@odoo.com>
Co-authored-by: Denis Ledoux <5822488+beledouxdenis@users.noreply.github.com>
Co-authored-by: Petr Viktorin <302922+encukou@users.noreply.github.com>
Co-authored-by: Bas Bloemsaat <1586868+basbloemsaat@users.noreply.github.com>

The fix for the CVE uncovered a known issue in handling
policy.linesep lengths fixed by:

bpo-34424: Handle different policy.linesep lengths correctly. (python#8803)

(cherry-picked from commit 45b2f88)

Co-authored-by: Jens Troeger <jenstroeger@users.noreply.github.com>

@hroncok hroncok left a comment

Thanks
