FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-04-18 11:12:36 UTC

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML ID | Description
032643d7-0ba7-11ec-a689-080027e50e6d | Python -- multiple vulnerabilities

Python reports:

bpo-42278: Replaced usage of tempfile.mktemp() with TemporaryDirectory to avoid a potential race condition.

bpo-41180: Add auditing events to the marshal module, and stop raising code.__init__ events for every unmarshalled code object. Directly instantiated code objects will continue to raise an event, and audit event handlers should inspect or collect the raw marshal data. This reduces a significant performance overhead when loading from .pyc files.

bpo-44394: Update the vendored copy of libexpat to 2.4.1 (from 2.2.8) to get the fix for the CVE-2013-0340 "Billion Laughs" vulnerability. This copy is most used on Windows and macOS.

bpo-43124: Made the internal putcmd function in smtplib sanitize input for presence of \r and \n characters to avoid (unlikely) command injection.


Discovery 2021-08-30
Entry 2021-09-02
python39
< 3.9.7

https://docs.python.org/release/3.9.7/whatsnew/changelog.html
f671c282-95ef-11eb-9c34-080027f515ea | python -- Information disclosure via pydoc -p: /getfile?key=path allows reading an arbitrary file on the filesystem

David Schwörer reports:

Remove the getfile feature of the pydoc module which could be abused to read arbitrary files on the disk (directory traversal vulnerability). Moreover, even source code of Python modules can contain sensitive data like passwords.


Discovery 2021-01-21
Entry 2021-04-10
python38
< 3.8.9

python39
< 3.9.3

CVE-2021-3426
https://pythoninsider.blogspot.com/2021/04/python-393-and-389-are-now-available.html
https://bugs.python.org/issue42988
bffa40db-ad50-11eb-86b8-080027846a02 | Python -- multiple vulnerabilities

Python reports:

bpo-43434: Creating a sqlite3.Connection object now also produces a sqlite3.connect auditing event. Previously this event was only produced by sqlite3.connect() calls. Patch by Erlend E. Aasland.

bpo-43882: The presence of newline or tab characters in parts of a URL could allow some forms of attacks. Following the controlling specification for URLs defined by WHATWG, urllib.parse() now removes ASCII newlines and tabs from URLs, preventing such attacks.

bpo-43472: Ensures interpreter-level audit hooks receive the cpython.PyInterpreterState_New event when called through the _xxsubinterpreters module.

bpo-36384: The ipaddress module no longer accepts any leading zeros in IPv4 address strings. Leading zeros are ambiguous and interpreted as octal notation by some libraries. For example, the legacy function socket.inet_aton() treats leading zeros as octal notation. The glibc implementation of the modern inet_pton() does not accept any leading zeros. For a while the ipaddress module used to accept ambiguous leading zeros.

bpo-43075: Fix Regular Expression Denial of Service (ReDoS) vulnerability in urllib.request.AbstractBasicAuthHandler. The ReDoS-vulnerable regex has quadratic worst-case complexity and it allows causing a denial of service when identifying crafted invalid RFCs. This ReDoS issue is on the client side and needs remote attackers to control the HTTP server.

bpo-42800: Audit hooks are now fired for frame.f_code, traceback.tb_frame, and generator code/frame attribute access.


Discovery 2021-03-08
Entry 2021-05-05
python38
< 3.8.10

python39
< 3.9.5

https://docs.python.org/3/whatsnew/changelog.html#changelog
https://docs.python.org/3.8/whatsnew/changelog.html#changelog