VuXML ID | Description |
050eba46-7638-11ed-820d-080027d3a315 | Python -- multiple vulnerabilities

Python reports:

  gh-100001: python -m http.server no longer allows terminal control characters sent within a garbage request to be printed to the stderr server log. This is done by changing the http.server BaseHTTPRequestHandler.log_message method to replace control characters with a \xHH hex escape before printing.

  gh-87604: Avoid publishing list of active per-interpreter audit hooks via the gc module.

  gh-98433: The IDNA codec decoder used on DNS hostnames by socket or asyncio related name resolution functions no longer involves a quadratic algorithm. This prevents a potential CPU denial of service if an out-of-spec excessive length hostname involving bidirectional characters were decoded. Some protocols such as urllib http 3xx redirects potentially allow for an attacker to supply such a name.

  gh-98739: Update bundled libexpat to 2.5.0.

  gh-97612: Fix a shell code injection vulnerability in the get-remote-certificate.py example script. The script no longer uses a shell to run openssl commands. Issue reported and initial fix by Caleb Shortt. Patch by Victor Stinner.

Discovery: 2022-09-28
Entry: 2022-12-07

Affected packages:
  python37 < 3.7.16
  python38 < 3.8.16
  python39 < 3.9.16
  python310 < 3.10.9
  python311 < 3.11.1

References:
  https://docs.python.org/3/whatsnew/changelog.html#changelog
d86becfe-05a4-11ee-9d4a-080027eda32c | Python -- multiple vulnerabilities

Python reports:

  gh-103142: The version of OpenSSL used in Windows and Mac installers has been upgraded to 1.1.1u to address CVE-2023-2650, CVE-2023-0465, CVE-2023-0466, CVE-2023-0464, as well as CVE-2023-0286, CVE-2022-4303, and CVE-2022-4303 fixed previously in 1.1.1t (gh-101727).

  gh-102153: urllib.parse.urlsplit() now strips leading C0 control and space characters following the specification for URLs defined by WHATWG in response to CVE-2023-24329.

  gh-99889: Fixed a security flaw in uu.decode() that could allow for directory traversal based on the input if no out_file was specified.

  gh-104049: Do not expose the local on-disk location in directory indexes produced by http.client.SimpleHTTPRequestHandler.

  gh-101283: subprocess.Popen now uses a safer approach to find cmd.exe when launching with shell=True.

  gh-103935: trace.__main__ now uses io.open_code() for files to be executed instead of raw open().

  gh-102953: The extraction methods in tarfile, and shutil.unpack_archive(), have a new filter argument that allows limiting tar features that may be surprising or dangerous, such as creating files outside the destination directory.

  gh-102126: Fixed a deadlock at shutdown when clearing thread states if any finalizer tries to acquire the runtime head lock.

  gh-100892: Fixed a crash due to a race while iterating over thread states in clearing threading.local.

Discovery: 2022-06-08
Entry: 2023-06-08

Affected packages:
  python37 < 3.7.17
  python38 < 3.8.17
  python39 < 3.9.17
  python310 < 3.10.12
  python311 < 3.11.4

References:
  CVE-2022-4303
  CVE-2023-2650
  CVE-2023-0286
  CVE-2023-0464
  CVE-2023-0465
  CVE-2023-0466
  CVE-2023-24329
  https://pythoninsider.blogspot.com/2023/06/python-3114-31012-3917-3817-3717-and.html
80e057e7-2f0a-11ed-978f-fcaa147e860e | Python -- multiple vulnerabilities

Python reports:

  gh-95778: Converting between int and str in bases other than 2 (binary), 4, 8 (octal), 16 (hexadecimal), or 32 such as base 10 (decimal) now raises a ValueError if the number of digits in string form is above a limit to avoid potential denial of service attacks due to the algorithmic complexity.

  gh-87389: http.server: Fix an open redirection vulnerability in the HTTP server when a URI path starts with //. Vulnerability discovered, and initial fix proposed, by Hamza Avvan.

Discovery: 2020-03-20
Entry: 2022-09-08

Affected packages:
  python37 < 3.7.14
  python38 < 3.8.14
  python39 < 3.9.14
  python310 < 3.10.7

References:
  CVE-2020-10735
  https://docs.python.org/release/3.7.14/whatsnew/changelog.html#changelog
bffa40db-ad50-11eb-86b8-080027846a02 | Python -- multiple vulnerabilities

Python reports:

  bpo-43434: Creating a sqlite3.Connection object now also produces a sqlite3.connect auditing event. Previously this event was only produced by sqlite3.connect() calls. Patch by Erlend E. Aasland.

  bpo-43882: The presence of newline or tab characters in parts of a URL could allow some forms of attacks. Following the controlling specification for URLs defined by WHATWG, urllib.parse() now removes ASCII newlines and tabs from URLs, preventing such attacks.

  bpo-43472: Ensures interpreter-level audit hooks receive the cpython.PyInterpreterState_New event when called through the _xxsubinterpreters module.

  bpo-36384: ipaddress module no longer accepts any leading zeros in IPv4 address strings. Leading zeros are ambiguous and interpreted as octal notation by some libraries. For example the legacy function socket.inet_aton() treats leading zeros as octal notation. glibc implementation of modern inet_pton() does not accept any leading zeros. For a while the ipaddress module used to accept ambiguous leading zeros.

  bpo-43075: Fix Regular Expression Denial of Service (ReDoS) vulnerability in urllib.request.AbstractBasicAuthHandler. The ReDoS-vulnerable regex has quadratic worst-case complexity and it allows causing a denial of service when identifying crafted invalid RFCs. This ReDoS issue is on the client side and needs remote attackers to control the HTTP server.

  bpo-42800: Audit hooks are now fired for frame.f_code, traceback.tb_frame, and generator code/frame attribute access.

Discovery: 2021-03-08
Entry: 2021-05-05

Affected packages:
  python38 < 3.8.10
  python39 < 3.9.5

References:
  https://docs.python.org/3/whatsnew/changelog.html#changelog
  https://docs.python.org/3.8/whatsnew/changelog.html#changelog
7d7221ee-d334-11ea-bc50-080027846a02 | Python -- multiple vulnerabilities

Python reports:

  bpo-41304: Fixes python3x._pth being ignored on Windows, caused by the fix for bpo-29778 (CVE-2020-15801).

  bpo-39603: Prevent http header injection by rejecting control characters in http.client.putrequest().

Discovery: 2020-02-11
Entry: 2020-07-31

Affected packages:
  python38 < 3.8.5

References:
  https://docs.python.org/3/whatsnew/changelog.html#python-3-8-5-final
  CVE-2020-15801
d6d088c9-5064-11ed-bade-080027881239 | Python -- multiple vulnerabilities

Python reports:

  gh-97616: Fix multiplying a list by an integer (list *= int): detect the integer overflow when the new allocated length is close to the maximum size. Issue reported by Jordan Limor. Patch by Victor Stinner.

  gh-97612: Fix a shell code injection vulnerability in the get-remote-certificate.py example script. The script no longer uses a shell to run openssl commands. Issue reported and initial fix by Caleb Shortt. Patch by Victor Stinner.

Discovery: 2022-09-29
Entry: 2022-10-20

Affected packages:
  python37 < 3.7.15
  python38 < 3.8.15
  python39 < 3.9.15
  python310 < 3.10.8

References:
  https://docs.python.org/release/3.9.15/whatsnew/changelog.html
a9eeb3a3-ca5e-11ea-930b-080027846a02 | Python -- multiple vulnerabilities

Python reports:

  bpo-41162: Audit hooks are now cleared later during finalization to avoid missing events.

  bpo-29778: Ensure python3.dll is loaded from correct locations when Python is embedded.

Discovery: 2020-06-29
Entry: 2020-07-20

Affected packages:
  python38 < 3.8.4

References:
  https://docs.python.org/3/whatsnew/changelog.html#python-3-8-4-final
  CVE-2020-15523
a57472ba-4d84-11ee-bf05-000c29de725b | Python -- multiple vulnerabilities

Python reports:

  gh-108310: Fixed an issue where instances of ssl.SSLSocket were vulnerable to a bypass of the TLS handshake and included protections (like certificate verification) and treating sent unencrypted data as if it were post-handshake TLS encrypted data.

Discovery: 2023-08-22
Entry: 2023-09-07

Affected packages:
  python38 < 3.8.18
  python39 < 3.9.18
  python310 < 3.10.13
  python311 < 3.11.5

References:
  CVE-2023-40217
  https://pythoninsider.blogspot.com/2023/08/python-3115-31013-3918-and-3818-is-now.html
145ce848-1165-11ec-ac7e-08002789875b | Python -- multiple vulnerabilities

Python reports:

  bpo-42278: Replaced usage of tempfile.mktemp() with TemporaryDirectory to avoid a potential race condition.

  bpo-44394: Update the vendored copy of libexpat to 2.4.1 (from 2.2.8) to get the fix for the CVE-2013-0340 "Billion Laughs" vulnerability. This copy is most used on Windows and macOS.

  bpo-43124: Made the internal putcmd function in smtplib sanitize input for presence of \r and \n characters to avoid (unlikely) command injection.

  bpo-36384: ipaddress module no longer accepts any leading zeros in IPv4 address strings. Leading zeros are ambiguous and interpreted as octal notation by some libraries. For example the legacy function socket.inet_aton() treats leading zeros as octal notation. glibc implementation of modern inet_pton() does not accept any leading zeros. For a while the ipaddress module used to accept ambiguous leading zeros.

Discovery: 2021-08-30
Entry: 2021-09-09

Affected packages:
  python38 < 3.8.12

References:
  https://docs.python.org/3.8/whatsnew/changelog.html#changelog
f671c282-95ef-11eb-9c34-080027f515ea | python -- Information disclosure via pydoc -p: /getfile?key=path allows to read arbitrary file on the filesystem

David Schwörer reports:

  Remove the getfile feature of the pydoc module which could be abused to read arbitrary files on the disk (directory traversal vulnerability). Moreover, even source code of Python modules can contain sensitive data like passwords.

Discovery: 2021-01-21
Entry: 2021-04-10

Affected packages:
  python38 < 3.8.9
  python39 < 3.9.3

References:
  CVE-2021-3426
  https://pythoninsider.blogspot.com/2021/04/python-393-and-389-are-now-available.html
  https://bugs.python.org/issue42988