VuXML ID | Description |
d86becfe-05a4-11ee-9d4a-080027eda32c | Python -- multiple vulnerabilities
Python reports:
gh-103142: The version of OpenSSL used in Windows and Mac installers has been upgraded to 1.1.1u to address CVE-2023-2650, CVE-2023-0465, CVE-2023-0466, CVE-2023-0464, as well as CVE-2023-0286, CVE-2022-4303, and CVE-2022-4303 fixed previously in 1.1.1t (gh-101727).
gh-102153: urllib.parse.urlsplit() now strips leading C0 control and space characters following the specification for URLs defined by WHATWG in response to CVE-2023-24329.
gh-99889: Fixed a security flaw in uu.decode() that could allow for directory traversal based on the input if no out_file was specified.
gh-104049: Do not expose the local on-disk location in directory indexes produced by http.client.SimpleHTTPRequestHandler.
gh-101283: subprocess.Popen now uses a safer approach to find cmd.exe when launching with shell=True.
gh-103935: trace.__main__ now uses io.open_code() for files to be executed instead of raw open().
gh-102953: The extraction methods in tarfile, and shutil.unpack_archive(), have a new filter argument that allows limiting tar features that may be surprising or dangerous, such as creating files outside the destination directory.
gh-102126: Fixed a deadlock at shutdown when clearing thread states if any finalizer tries to acquire the runtime head lock.
gh-100892: Fixed a crash due to a race while iterating over thread states in clearing threading.local.
Discovery: 2022-06-08  Entry: 2023-06-08
Affected packages:
  python37 < 3.7.17
  python38 < 3.8.17
  python39 < 3.9.17
  python310 < 3.10.12
  python311 < 3.11.4
References:
  CVE-2022-4303
  CVE-2023-2650
  CVE-2023-0286
  CVE-2023-0464
  CVE-2023-0465
  CVE-2023-0466
  CVE-2023-24329
  https://pythoninsider.blogspot.com/2023/06/python-3114-31012-3917-3817-3717-and.html
|
3fcb70a4-e22d-11ea-98b2-080027846a02 | Python -- multiple vulnerabilities
Python reports:
bpo-29778: Ensure python3.dll is loaded from correct locations when Python is embedded (CVE-2020-15523).
bpo-41004: CVE-2020-14422: The __hash__() methods of ipaddress.IPv4Interface and ipaddress.IPv6Interface incorrectly generated constant hash values of 32 and 128 respectively. This resulted in always causing hash collisions. The fix uses hash() to generate hash values for the tuple of (address, mask length, network address).
bpo-39603: Prevent http header injection by rejecting control characters in http.client.putrequest(...).
Discovery: 2020-06-17  Entry: 2020-08-19
Affected packages:
  python37 < 3.7.9
  python36 < 3.6.12
References:
  https://docs.python.org/release/3.7.9/whatsnew/changelog.html#changelog
  https://docs.python.org/release/3.6.12/whatsnew/changelog.html#changelog
  CVE-2020-14422
  CVE-2020-15523
|
a449c604-a43a-11e9-b422-fcaa147e860e | python 3.7 -- multiple vulnerabilities
Python changelog:
bpo-37463: ssl.match_hostname() no longer accepts IPv4 addresses with additional text after the address and only quad-dotted notation without trailing whitespaces. Some inet_aton() implementations ignore whitespace and all data after whitespace, e.g. '127.0.0.1 whatever'.
bpo-35907: CVE-2019-9948: Avoid file reading by disallowing local-file:// and local_file:// URL schemes in URLopener().open() and URLopener().retrieve() of urllib.request.
bpo-36742: Fixes mishandling of pre-normalization characters in urlsplit().
bpo-30458: Address CVE-2019-9740 by disallowing URL paths with embedded whitespace or control characters through into the underlying http client request. Such potentially malicious header injection URLs now cause an http.client.InvalidURL exception to be raised.
bpo-33529: Prevent fold function used in email header encoding from entering infinite loop when there are too many non-ASCII characters in a header.
bpo-35755: shutil.which() now uses os.confstr("CS_PATH") if available and if the PATH environment variable is not set. Remove also the current directory from posixpath.defpath. On Unix, shutil.which() and the subprocess module no longer search the executable in the current directory if the PATH environment variable is not set.
Discovery: 2019-03-13  Entry: 2019-07-12
Affected packages:
  python37 < 3.7.4
References:
  https://docs.python.org/3.7/whatsnew/changelog.html#python-3-7-4-final
  CVE-2019-9740
  CVE-2019-9948
|
d74371d2-4fee-11e9-a5cd-1df8a848de3d | Python -- NULL pointer dereference vulnerability
Python Changelog:
bpo-35746: [CVE-2019-5010] Fix a NULL pointer deref in ssl module. The cert parser did not handle CRL distribution points with empty DP or URI correctly. A malicious or buggy certificate can result in a segfault. Vulnerability (TALOS-2018-0758) reported by Colin Read and Nicolas Edet of Cisco.
Discovery: 2019-01-15  Entry: 2019-03-26  Modified: 2019-03-27
Affected packages:
  python27 < 2.7.16
  python35 < 3.5.7
  python36 < 3.6.8_1
  python37 < 3.7.3
References:
  https://docs.python.org/3.7/whatsnew/changelog.html
  https://bugs.python.org/issue35746
  CVE-2019-5010
|
a27b0bb6-84fc-11ea-b5b4-641c67a117d8 | Python -- Regular Expression DoS attack against client
Ben Caller and Matt Schwager report:
Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.
Discovery: 2019-11-17  Entry: 2020-04-23  Modified: 2020-06-13
Affected packages:
  python38 < 3.8.3
  python37 <= 3.7.7
  python36 < 3.6.10
  python35 <= 3.5.9_4
  python27 < 2.7.18
References:
  https://python-security.readthedocs.io/vuln/urllib-basic-auth-regex.html
  https://bugs.python.org/issue39503
  CVE-2020-8492
  ports/245819
|
9b7491fb-f253-11e9-a50c-000c29c4dc65 | python 3.7 -- multiple vulnerabilities
Python changelog:
bpo-38243: Escape the server title of xmlrpc.server.DocXMLRPCServer when rendering the document page as HTML.
bpo-38174: Update vendorized expat library version to 2.2.8, which resolves CVE-2019-15903.
bpo-37764: Fixes email._header_value_parser.get_unstructured going into an infinite loop for a specific case in which the email header does not have trailing whitespace, and the case in which it contains an invalid encoded word.
bpo-37461: Fix an infinite loop when parsing specially crafted email headers.
bpo-34155: Fix parsing of invalid email addresses with more than one @ (e.g. a@b@c.com.) to not return the part before 2nd @ as valid email address.
Discovery: 2019-09-14  Entry: 2019-10-19
Affected packages:
  python37 < 3.7.5
References:
  https://docs.python.org/3.7/whatsnew/changelog.html#python-3-7-5-final
  CVE-2019-15903
|
050eba46-7638-11ed-820d-080027d3a315 | Python -- multiple vulnerabilities
Python reports:
gh-100001: python -m http.server no longer allows terminal control characters sent within a garbage request to be printed to the stderr server log. This is done by changing the http.server BaseHTTPRequestHandler .log_message method to replace control characters with a \xHH hex escape before printing.
gh-87604: Avoid publishing list of active per-interpreter audit hooks via the gc module.
gh-98433: The IDNA codec decoder used on DNS hostnames by socket or asyncio related name resolution functions no longer involves a quadratic algorithm. This prevents a potential CPU denial of service if an out-of-spec excessive length hostname involving bidirectional characters were decoded. Some protocols such as urllib http 3xx redirects potentially allow for an attacker to supply such a name.
gh-98739: Update bundled libexpat to 2.5.0.
gh-97612: Fix a shell code injection vulnerability in the get-remote-certificate.py example script. The script no longer uses a shell to run openssl commands. Issue reported and initial fix by Caleb Shortt. Patch by Victor Stinner.
Discovery: 2022-09-28  Entry: 2022-12-07
Affected packages:
  python37 < 3.7.16
  python38 < 3.8.16
  python39 < 3.9.16
  python310 < 3.10.9
  python311 < 3.11.1
References:
  https://docs.python.org/3/whatsnew/changelog.html#changelog
|
80e057e7-2f0a-11ed-978f-fcaa147e860e | Python -- multiple vulnerabilities
Python reports:
gh-95778: Converting between int and str in bases other than 2 (binary), 4, 8 (octal), 16 (hexadecimal), or 32 such as base 10 (decimal) now raises a ValueError if the number of digits in string form is above a limit to avoid potential denial of service attacks due to the algorithmic complexity.
gh-87389: http.server: Fix an open redirection vulnerability in the HTTP server when a URI path starts with //. Vulnerability discovered, and initial fix proposed, by Hamza Avvan.
Discovery: 2020-03-20  Entry: 2022-09-08
Affected packages:
  python37 < 3.7.14
  python38 < 3.8.14
  python39 < 3.9.14
  python310 < 3.10.7
References:
  CVE-2020-10735
  https://docs.python.org/release/3.7.14/whatsnew/changelog.html#changelog
|
0e561173-0fa9-11ec-a2fa-080027948c12 | Python -- multiple vulnerabilities
Python reports:
bpo-44394: Update the vendored copy of libexpat to 2.4.1 (from 2.2.8) to get the fix for the CVE-2013-0340 "Billion Laughs" vulnerability. This copy is most used on Windows and macOS.
bpo-43124: Made the internal putcmd function in smtplib sanitize input for presence of \r and \n characters to avoid (unlikely) command injection.
Discovery: 2021-08-30  Entry: 2021-09-07
Affected packages:
  python36 < 3.6.15
  python37 < 3.7.12
References:
  https://docs.python.org/3.6/whatsnew/changelog.html#changelog
  https://docs.python.org/3.7/whatsnew/changelog.html#changelog
|
d6d088c9-5064-11ed-bade-080027881239 | Python -- multiple vulnerabilities
Python reports:
gh-97616: Fix multiplying a list by an integer (list *= int): detect the integer overflow when the new allocated length is close to the maximum size. Issue reported by Jordan Limor. Patch by Victor Stinner.
gh-97612: Fix a shell code injection vulnerability in the get-remote-certificate.py example script. The script no longer uses a shell to run openssl commands. Issue reported and initial fix by Caleb Shortt. Patch by Victor Stinner.
Discovery: 2022-09-29  Entry: 2022-10-20
Affected packages:
  python37 < 3.7.15
  python38 < 3.8.15
  python39 < 3.9.15
  python310 < 3.10.8
References:
  https://docs.python.org/release/3.9.15/whatsnew/changelog.html
|
33c05d57-bf6e-11ea-ba1e-0800273f78d3 | Python -- multiple vulnerabilities
Python reports:
The AbstractBasicAuthHandler class of the urllib.request module uses an inefficient regular expression which can be exploited by an attacker to cause a denial of service. Fix the regex to prevent the catastrophic backtracking. Vulnerability reported by Ben Caller and Matt Schwager.
Disallow control characters in hostnames in http.client, addressing CVE-2019-18348. Such potentially malicious header injection URLs now cause an InvalidURL to be raised.
Disallow CR or LF in email.headerregistry.Address arguments to guard against header injection attacks.
Discovery: 2019-10-24  Entry: 2020-07-06
Affected packages:
  python37 < 3.7.8
References:
  https://docs.python.org/3.7/whatsnew/changelog.html#changelog
  CVE-2019-18348
  CVE-2020-8492
|
ca595a25-91d8-11ea-b470-080027846a02 | Python -- CRLF injection via the host part of the url passed to urlopen()
Python reports:
An issue was discovered in urllib2 in Python 2.x through 2.7.17 and urllib in Python 3.x through 3.8.0. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the host component of a URL) followed by an HTTP header.
Discovery: 2019-10-24  Entry: 2020-05-09  Modified: 2020-06-13
Affected packages:
  python27 < 2.7.18
  python38 < 3.8.3
  python37 <= 3.7.7
  python36 < 3.6.10
  python35 <= 3.5.9_4
References:
  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18348
  https://bugs.python.org/issue38576
  CVE-2019-18348
|