Nixpkgs security tracker

Login with GitHub

Suggestion detail

Untriaged

Permalink CVE-2026-1502

updated 1 month, 2 weeks ago by @LeSuisse Activity log

Created suggestion 1 month, 2 weeks ago
@LeSuisse ignored package haskellPackages.cpython 1 month, 2 weeks ago

HTTP client proxy tunnel headers not validated for CR/LF

CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host.

References

https://github.com/python/cpython/pull/146212 patch
https://github.com/python/cpython/issues/146211 issue-tracking
https://mail.python.org/archives/list/security-announce@python.org/thread/2IVPA… vendor-advisory
https://github.com/python/cpython/commit/05ed7ce7ae9e17c23a04085b2539fe6d6d3cef… patch

Affected products

http.client

<3.15.0

Ignored packages (1)

pkgs.haskellPackages.cpython

Bindings for libpython

nixos-unstable 3.9.0
- nixpkgs-unstable 3.9.0
- nixos-unstable-small 3.9.0
nixos-25.11 3.9.0
- nixos-25.11-small 3.9.0
- nixpkgs-25.11-darwin 3.9.0