
3.10: CVE-2026-1502 fix for CR/LF in HTTP tunnel request headers appears unbackported #149197

@vulgraph

Description

Hello 3.10 maintainers,

Was the security fix for CVE-2026-1502 (gh-146211, "Reject CR/LF in HTTP tunnel request headers") intentionally not yet ported to the 3.10 branch, or did it slip through?

Quick reference:

Since 3.10 is in security-fix-only mode and still receives security backports (latest commit on the branch is from 2026-04-13), this looks like an unbackported security fix rather than an EOL'd branch. Apologies if I've missed an in-flight cherry-pick — happy to close this if a backport PR is already queued.

Reporting in good faith from a port-credit / unbackported-CVE scan. No public PoC is being shared in this issue.
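As an added illustration of the class of check the referenced fix describes (rejecting CR/LF in HTTP tunnel request headers), below is a constructed CONNECT-request builder; it is not CPython's `http.client` code nor anything from this issue, and the function names and the exact validation rules are assumptions.

```python
import re

# Constructed example: refuses header names/values that could split a single
# CONNECT request line into several. Not CPython's implementation; the names
# and checks here are assumptions made for illustration.

# RFC 7230 "token" characters permitted in a header field name.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
# Characters that would terminate the field or start a new line in the value.
_ILLEGAL_VALUE_RE = re.compile(r"[\r\n\x00]")


def is_safe_tunnel_header(name: str, value: str) -> bool:
    """True iff the header can be emitted as exactly one request line."""
    return bool(_TOKEN_RE.match(name)) and _ILLEGAL_VALUE_RE.search(value) is None


def build_connect_request(host: str, port: int, headers=None) -> bytes:
    """Build the CONNECT preamble a client sends to an HTTP proxy.

    Raises ValueError instead of emitting a header containing CR/LF, so a
    caller-supplied value cannot add request lines the caller did not intend.
    """
    if re.search(r"[\r\n\x00\s]", host):
        raise ValueError(f"invalid tunnel host: {host!r}")
    lines = [f"CONNECT {host}:{port} HTTP/1.1", f"Host: {host}:{port}"]
    for name, value in (headers or {}).items():
        if not is_safe_tunnel_header(name, value):
            raise ValueError(f"invalid tunnel header: {name!r}: {value!r}")
        lines.append(f"{name}: {value}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


if __name__ == "__main__":
    # Well-formed tunnel headers pass through unchanged.
    ok = build_connect_request("example.com", 443,
                               {"Proxy-Authorization": "Basic dXNlcjpwYXNz"})
    print(ok.decode())
    # A value carrying a line break is rejected before anything is sent.
    try:
        build_connect_request("example.com", 443, {"X-Test": "a\r\nX: b"})
    except ValueError as exc:
        print("rejected:", exc)
```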
