author: Wen Heping <wen@FreeBSD.org> 2021-05-05 03:39:35 +0000
committer: Wen Heping <wen@FreeBSD.org> 2021-05-05 03:39:35 +0000
commit: 1388ee6c4cbebc0c6285ce0973a2e5be0632855e (patch)
tree: 5ec454c3a405eac56609f5280da499efbccc887c
parent: 5b52326dab02c381ce7a720012643c9c31b319b7 (diff)

Document Python's multiple vulnerabilities

-rw-r--r-- security/vuxml/vuln.xml | 52
1 files changed, 52 insertions, 0 deletions
diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml
index 1fcad1d5d7cb..58148d849b7b 100644
--- a/security/vuxml/vuln.xml
+++ b/security/vuxml/vuln.xml
@@ -76,6 +76,58 @@ Notes:
* Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="bffa40db-ad50-11eb-86b8-080027846a02">
+ <topic>Python -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>python38</name>
+ <range><lt>3.8.10</lt></range>
+ </package>
+ <package>
+ <name>python39</name>
+ <range><lt>3.9.5</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Python reports:</p>
+ <blockquote cite="https://docs.python.org/3/whatsnew/changelog.html#changelog">
+ <p>bpo-43434: Creating a sqlite3.Connection object now also produces a
+ sqlite3.connect auditing event. Previously this event was only produced
+ by sqlite3.connect() calls. Patch by Erlend E. Aasland.</p>
+ <p>bpo-43882: The presence of newline or tab characters in parts of a URL
+ could allow some forms of attacks.Following the controlling specification
+ for URLs defined by WHATWG urllib.parse() now removes A SCII newlines
+ and tabs from URLs, preventing such attacks.</p>
+ <p>bpo-43472: Ensures interpreter-level audit hooks receive the cpython.
+ PyInterpreterState_New event when called through the _xxsubinterpreters
+ module.</p>
+ <p>bpo-36384: ipaddress module no longer accepts any leading zeros in IPv4
+ address strings. Leading zeros are ambiguous and interpreted as octal
+ notation by some libraries. For example the legacy function socket.inet_aton()
+ treats leading zeros as octal notatation. glibc implementation of modern
+ inet_pton() does not accept any leading zeros. For a while the ipaddress
+ module used to accept ambiguous leading zeros.</p>
+ <p>bpo-43075: Fix Regular Expression Denial of Service (ReDoS) vulnerability
+ in urllib.request.AbstractBasicAuthHandler. The ReDoS-vulnerable regex has
+ quadratic worst-case complexity and it allows cause a denial of service
+ when identifying crafted invalid RFCs. This ReDoS issue is on the client
+ side and needs remote attackers to control the HTTP server.</p>
+ <p>bpo-42800: Audit hooks are now fired for frame.f_code, traceback.tb_frame,
+ and generator code/frame attribute access.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://docs.python.org/3/whatsnew/changelog.html#changelog</url>
+ <url>https://docs.python.org/3.8/whatsnew/changelog.html#changelog</url>
+ </references>
+ <dates>
+ <discovery>2021-03-08</discovery>
+ <entry>2021-05-05</entry>
+ </dates>
+ </vuln>
+
<vuln vid="1606b03b-ac57-11eb-9bdd-8c164567ca3c">
<topic>redis -- multiple vulnerabilities</topic>
<affects>
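Review bot: the quoted changelog text in the new `<description>` carries transcription errors that should be fixed before this lands, since the `<blockquote cite=...>` presents it as upstream's wording: "attacks.Following" is missing a space after the full stop, "A SCII newlines" should read "ASCII newlines", "octal notatation" should read "octal notation", and "it allows cause a denial of service" reads better as "it allows causing a denial of service". Separately, the `<references>` block lists only the two changelog URLs; where the listed issues (bpo-43882, bpo-36384, bpo-43075) have CVE identifiers assigned, add the matching `<cvename>` elements so the entry is found by CVE lookups, and consider noting in the `<topic>` or description that the three audit-hook items (bpo-43434, bpo-43472, bpo-42800) are hardening changes rather than vulnerabilities in their own right. The `<affects>` ranges (python38 < 3.8.10, python39 < 3.9.5) and the `<discovery>`/`<entry>` dates look consistent with the cited releases.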