diff options
author | Wen Heping <wen@FreeBSD.org> | 2022-12-07 14:25:15 +0000 |
---|---|---|
committer | Wen Heping <wen@FreeBSD.org> | 2022-12-07 14:25:15 +0000 |
commit | 8626b3d3114fd21d4c1153ec9cb161dfd2d5fee4 (patch) | |
tree | bc45bfa6faed091a83612a6d0f7516cb4d1a087d | |
parent | 0a6ca5e458852c41ce57a0238fcaa641ffd7cd6f (diff) | |
download | ports-8626b3d3114fd21d4c1153ec9cb161dfd2d5fee4.tar.gz ports-8626b3d3114fd21d4c1153ec9cb161dfd2d5fee4.zip |
security/vuxml: Document python-3.11 vulnerabilities
-rw-r--r-- | security/vuxml/vuln/2022.xml | 38 |
1 files changed, 38 insertions, 0 deletions
diff --git a/security/vuxml/vuln/2022.xml b/security/vuxml/vuln/2022.xml index 8a25f8c107f1..24f753c04b47 100644 --- a/security/vuxml/vuln/2022.xml +++ b/security/vuxml/vuln/2022.xml @@ -1,3 +1,41 @@ + <vuln vid="050eba46-7638-11ed-820d-080027d3a315"> + <topic>Python -- multiple vulnerabilities</topic> + <affects> + <package> + <name>python311</name> + <range><lt>3.11.1</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Python reports:</p> + <blockquote cite="https://docs.python.org/3/whatsnew/changelog.html#changelog"> + <p>gh-100001: python -m http.server no longer allows terminal control characters sent + within a garbage request to be printed to the stderr server log. + This is done by changing the http.server BaseHTTPRequestHandler .log_message method + to replace control characters with a \xHH hex escape before printing.</p> + <p>gh-87604: Avoid publishing list of active per-interpreter audit hooks via the gc module.</p> + <p>gh-98433: The IDNA codec decoder used on DNS hostnames by socket or asyncio related + name resolution functions no longer involves a quadratic algorithm. This prevents a + potential CPU denial of service if an out-of-spec excessive length hostname involving + bidirectional characters were decoded. Some protocols such as urllib http 3xx redirects + potentially allow for an attacker to supply such a name.</p> + <p>gh-98739: Update bundled libexpat to 2.5.0.</p> + <p>gh-97612: Fix a shell code injection vulnerability in the get-remote-certificate.py example + script. The script no longer uses a shell to run openssl commands. Issue reported and + initial fix by Caleb Shortt. Patch by Victor Stinner.</p> + </blockquote> + </body> + </description> + <references> + <url>https://docs.python.org/3/whatsnew/changelog.html#changelog</url> + </references> + <dates> + <discovery>2022-09-28</discovery> + <entry>2022-12-07</entry> + </dates> + </vuln> + <vuln vid="6f5192f5-75a7-11ed-83c0-411d43ce7fe4"> <topic>go -- multiple vulnerabilities</topic> <affects> |