CVE-2024-6923

Name	CVE-2024-6923
Description	There is a MEDIUM severity vulnerability affecting CPython. The email module didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
pypy (PTS)	jessie	2.4.0+dfsg-3	vulnerable
	stretch	5.6.0+dfsg-4	vulnerable
	buster	7.0.0+dfsg-3	vulnerable
	bullseye	7.3.3+dfsg-2	vulnerable
python2.7 (PTS)	jessie, jessie (lts)	2.7.9-2-ds1-1+deb8u12	vulnerable
	stretch (security)	2.7.13-2+deb9u6	vulnerable
	stretch (lts), stretch	2.7.13-2+deb9u9	vulnerable
	buster (security), buster, buster (lts)	2.7.16-2+deb10u4	vulnerable
	bullseye	2.7.18-8+deb11u1	vulnerable
python3.11 (PTS)	bookworm	3.11.2-6+deb12u4	vulnerable
	bookworm (security)	3.11.2-6+deb12u3	vulnerable
python3.12 (PTS)	sid, trixie	3.12.7-3	fixed
python3.13 (PTS)	sid, trixie	3.13.0-2	fixed
python3.4 (PTS)	jessie, jessie (lts)	3.4.2-1+deb8u18	vulnerable
python3.5 (PTS)	stretch (security)	3.5.3-1+deb9u5	vulnerable
	stretch (lts), stretch	3.5.3-1+deb9u10	vulnerable
python3.7 (PTS)	buster, buster (lts)	3.7.3-2+deb10u8	vulnerable
	buster (security)	3.7.3-2+deb10u7	vulnerable
python3.9 (PTS)	bullseye	3.9.2-1	vulnerable

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency
pypy	source	jessie	(unfixed)	end-of-life
pypy	source	(unstable)	(unfixed)
python2.7	source	(unstable)	(unfixed)
python3.11	source	(unstable)	(unfixed)
python3.12	source	(unstable)	3.12.5-1
python3.13	source	(unstable)	3.13.0~rc2-1
python3.4	source	(unstable)	(unfixed)
python3.5	source	(unstable)	(unfixed)
python3.7	source	(unstable)	(unfixed)
python3.9	source	(unstable)	(unfixed)

Notes

[bookworm] - python3.11 <postponed> (Minor issue, wait until merged into 3.11 branch)
[bullseye] - python3.9 <no-dsa> (Minor issue)
[bullseye] - python2.7 <ignored> (Unsupported in Bullseye, only included to build a few applications)
https://github.com/python/cpython/issues/121650
https://github.com/python/cpython/pull/122233
https://github.com/python/cpython/commit/4aaa4259b5a6e664b7316a4d60bdec7ee0f124d0 (v3.13.0rc2)
https://github.com/python/cpython/commit/4766d1200fdf8b6728137aa2927a297e224d5fa7 (v3.12.5)
https://github.com/python/cpython/commit/f7c0f09e69e950cf3c5ada9dbde93898eb975533 (v3.11.10)
https://github.com/python/cpython/commit/06f28dc236708f72871c64d4bc4b4ea144c50147 (v3.10.15)
https://github.com/python/cpython/commit/f7be505d137a22528cb0fc004422c0081d5d90e6 (v3.9.20)
[buster] - pypy <postponed> (Minor issue)
[stretch] - pypy <postponed> (Minor issue)
[buster] - python2.7 <postponed> (Minor issue)
[stretch] - python2.7 <postponed> (Minor issue)
[jessie] - python2.7 <postponed> (Minor issue)
[jessie] - python3.4 <postponed> (Minor issue)
[stretch] - python3.5 <postponed> (Minor issue)
[buster] - python3.7 <postponed> (Minor issue)