
Fix CVE-2026-3902: ASGI header spoofing via underscore/hyphen conflation #5

Merged
deepin-ci-robot merged 1 commit into master from fix/CVE-2026-3902 on Apr 15, 2026

Conversation

@deepin-ci-robot (Contributor) commented Apr 15, 2026

CVE-2026-3902 fix

Vulnerability description

ASGIRequest allows remote attackers to spoof headers by exploiting the ambiguous mapping of two header variants (with hyphens or with underscores) onto a single version (with underscores).

Affected versions

  • 6.0 before 6.0.4
  • 5.2 before 5.2.13
  • 4.2 before 4.2.30

Current version: 3:4.2.27-2 (affected)
Fixed version: 3:4.2.27-2deepin1

Fix details

  • ASGIRequest now ignores headers containing underscores, preventing spoofing through the ambiguity between underscores and hyphens
  • Updated test cases to verify the fix

Upstream fix

django/django@4412731

Debian Bug

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132927

Testing: quilt push/pop verified, passes

ASGIRequest now ignores headers containing underscores to prevent spoofing
via ambiguity between underscores and hyphens.

Upstream: django/django@4412731

CVE: CVE-2026-3902
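
As an added example, not code from Django or from this PR: a simplified Python model of the header-to-META mapping the description refers to, with the pre-fix conflation beside the fixed behaviour and a small audit helper. The function names, the `_build_meta` flag and the sample scope headers are constructed here for illustration.

```python
# Added illustration of the bug class fixed here (not Django's or this PR's
# code): a simplified model of how an ASGIRequest-style object turns ASGI
# scope headers into WSGI-style META keys, before and after the fix.
from collections import defaultdict

def _meta_key(name):
    """Map a lower-case header name to its META key, WSGI style."""
    if name == "content-length":
        return "CONTENT_LENGTH"
    if name == "content-type":
        return "CONTENT_TYPE"
    return "HTTP_%s" % name.upper().replace("-", "_")

def _build_meta(headers, ignore_underscores):
    meta = {}
    for raw_name, raw_value in headers:
        name = raw_name.decode("latin1")
        if ignore_underscores and "_" in name:
            continue  # the fix: no valid HTTP header name contains '_'
        key = _meta_key(name)
        value = raw_value.decode("latin1")
        if key in meta:  # repeated headers are joined, as for duplicates
            value = meta[key] + "," + value
        meta[key] = value
    return meta

def build_meta_vulnerable(headers):
    """Pre-fix: 'x-forwarded-for' and 'x_forwarded_for' share one key."""
    return _build_meta(headers, ignore_underscores=False)

def build_meta_fixed(headers):
    """Post-fix: any header name containing '_' is dropped entirely."""
    return _build_meta(headers, ignore_underscores=True)

def conflated_keys(headers):
    """Audit helper: META keys reached by more than one distinct raw name."""
    sources = defaultdict(set)
    for raw_name, _ in headers:
        name = raw_name.decode("latin1")
        sources[_meta_key(name)].add(name)
    return {k for k, names in sources.items() if len(names) > 1}

# Constructed scope headers: the reverse proxy set x-forwarded-for to the real
# client address but passed the client's own x_forwarded_for through untouched.
SAMPLE_HEADERS = [
    (b"host", b"app.example"),
    (b"x-forwarded-for", b"203.0.113.5"),
    (b"x_forwarded_for", b"10.0.0.1"),
]
```

Run `conflated_keys` over a captured scope to see which META keys an underscore variant could reach; after the fix only hyphenated names contribute.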

@deepin-ci-robot (Contributor, Author) commented:

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign qaqland for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details: Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@deepin-ci-robot deepin-ci-robot merged commit c0b0b5e into master Apr 15, 2026
4 of 10 checks passed
@github-actions (TAG Bot) commented:

TAG: 3%4.2.27-2deepin1
EXISTED: no
DISTRIBUTION: unstable

deepin-ci-robot pushed a commit that referenced this pull request Apr 16, 2026
hudeng-go added a commit that referenced this pull request Apr 16, 2026