Fabre

#1126742 jython: CVE-2026-0865 #1126742

Package:: src:jython

Source:: src:jython

Submitter:: Salvatore Bonaccorso

Date:: 2026-03-05 17:41:09 UTC

Severity:: normal

Tags:

#1126742#5

Date:: 2026-02-01 08:18:29 UTC

From:

To:

Source: python3.14
Version: 3.14.2-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/python/cpython/issues/143916
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: clone -1 -2 -3 -4
Control: reassign -2 src:python3.13 3.13.11-1
Control: retitle -2 python3.13: CVE-2026-0865
Control: reassign -3 src:pypy3 7.3.20+dfsg-4
Control: retitle -3 pypy3: CVE-2026-0865
Control: reassign -4 src:jython 2.7.3+repack1-1
Control: retitle -4 jython: CVE-2026-0865

Hi,

The following vulnerability was published for python.

CVE-2026-0865[0]:
| User-controlled header names and values containing newlines can
| allow injecting HTTP headers.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-0865
https://www.cve.org/CVERecord?id=CVE-2026-0865
[1] https://github.com/python/cpython/issues/143916
[2] https://mail.python.org/archives/list/security-announce@python.org/thread/BJ6QPHNSHJTS3A7CFV6IBMCAP2DWRVNT/

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

#1126742 jython: CVE-2026-0865 #1126742

Just Reply to ...

Reply to submitter ...

Send control command (Silently)

Set Architecture Tags (Silently)