=====================================================================

                            CERT-Renater

                Information Note No. 2026/VULN077
_____________________________________________________________________

DATE                : 26/01/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running CPython.

=====================================================================
https://mail.python.org/archives/list/security-announce@python.org/thread/6ZZULGALJTITEAGEXLDJE2C6FORDXPBT/
_____________________________________________________________________


[CVE-2026-1299] email BytesGenerator header injection due to unquoted
newlines

Seth Larson
23 January 2026 16:29

There is a MEDIUM severity vulnerability affecting CPython.

The email module, specifically the "BytesGenerator" class, didn’t
properly quote newlines for email headers when serializing an email
message, allowing for header injection when an email is serialized.
This is only applicable if using "LiteralHeader" while writing headers
that don't respect email folding rules; the new behavior will reject
the incorrectly folded headers in "BytesGenerator".

Please see the linked CVE ID for the latest information on
affected versions:

    https://www.cve.org/CVERecord?id=CVE-2026-1299
    https://github.com/python/cpython/pull/144126
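
Added example (not part of the announcement and not CPython's own code):
an application-side check, run before serialization, that flags headers
whose folded form contains a line break not followed by a space or tab.
RawHeader, build(), the regular expression and the sample values are
constructed for this illustration.

```python
import re
from email.message import EmailMessage

# A line break that is not followed by a space or tab starts a new line
# in the header block instead of continuing the folded header.
_BREAK_WITHOUT_WSP = re.compile(rb"\r\n[^ \t]|\r[^ \n\t]|\n[^ \t]")


def misfolded_headers(msg):
    """Return the names of headers whose folded bytes break folding rules."""
    linesep = msg.policy.linesep.encode("ascii")
    bad = []
    for name, value in msg.raw_items():
        folded = msg.policy.fold_binary(name, value)
        body = folded.removesuffix(linesep)
        if (
            body == folded                        # no terminating line separator
            or body.endswith((b"\r", b"\n"))      # stray trailing line break
            or _BREAK_WITHOUT_WSP.search(body)    # embedded unfolded line break
        ):
            bad.append(name)
    return bad


class RawHeader(str):
    """Constructed stand-in: a header object whose fold() returns its text as-is."""

    name = "X-Note"

    def fold(self, *, policy):
        return str(self)


def build(raw):
    """Build a constructed sample message carrying one pre-folded header."""
    msg = EmailMessage()
    msg["Subject"] = "weekly report"
    msg["X-Note"] = RawHeader(raw)
    return msg


if __name__ == "__main__":
    for raw in ("X-Note: first line\n second line\n",
                "X-Note: first line\nX-Injected: 1\n"):
        print(repr(raw), "->", misfolded_headers(build(raw)))
```

The check reads the folded bytes from the message policy and never calls
BytesGenerator, so it can gate messages before they reach the serializer.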


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================




