Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2026-0865: User-controlled header names and values containing newlines can allow injecting HTTP headers.
CVE-2026-0672: When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.
CVE-2025-6075: If the value passed to os.path.expandvars() is user-controlled a performance degradation is possible when expanding environment variables.
CVE-2025-15282: User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype.
CVE-2025-11468: When folding a long comment in an email header containing exclusively unfoldable characters, the parenthesis would not be preserved. This could be used for injecting headers into email messages where addresses are user-controlled and not sanitized.
2.7.18-1.amzn2.0.162.7.18-1.amzn2.0.162.7.18-1.amzn2.0.162.7.18-1.amzn2.0.162.7.18-1.amzn2.0.162.7.18-1.amzn2.0.162.7.18-1.amzn2.0.162.7.18-1.amzn2.0.16