FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-03-27 18:04:16 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML IDDescription
050eba46-7638-11ed-820d-080027d3a315Python -- multiple vulnerabilities

Python reports:

gh-100001: python -m http.server no longer allows terminal control characters sent within a garbage request to be printed to the stderr server log. This is done by changing the http.server BaseHTTPRequestHandler .log_message method to replace control characters with a \xHH hex escape before printing.

gh-87604: Avoid publishing list of active per-interpreter audit hooks via the gc module.

gh-98433: The IDNA codec decoder used on DNS hostnames by socket or asyncio related name resolution functions no longer involves a quadratic algorithm. This prevents a potential CPU denial of service if an out-of-spec excessive length hostname involving bidirectional characters were decoded. Some protocols such as urllib http 3xx redirects potentially allow for an attacker to supply such a name.

gh-98739: Update bundled libexpat to 2.5.0.

gh-97612: Fix a shell code injection vulnerability in the get-remote-certificate.py example script. The script no longer uses a shell to run openssl commands. Issue reported and initial fix by Caleb Shortt. Patch by Victor Stinner.


Discovery 2022-09-28
Entry 2022-12-07
python37
< 3.7.16

python38
< 3.8.16

python39
< 3.9.16

python310
< 3.10.9

python311
< 3.11.1

https://docs.python.org/3/whatsnew/changelog.html#changelog
145ce848-1165-11ec-ac7e-08002789875bPython -- multiple vulnerabilities

Python reports:

bpo-42278: Replaced usage of tempfile.mktemp() with TemporaryDirectory to avoid a potential race condition.

bpo-44394: Update the vendored copy of libexpat to 2.4.1 (from 2.2.8) to get the fix for the CVE-2013-0340 "Billion Laughs" vulnerability. This copy is most used on Windows and macOS.

bpo-43124: Made the internal putcmd function in smtplib sanitize input for presence of \r and \n characters to avoid (unlikely) command injection.

bpo-36384: ipaddress module no longer accepts any leading zeros in IPv4 address strings. Leading zeros are ambiguous and interpreted as octal notation by some libraries. For example the legacy function socket.inet_aton() treats leading zeros as octal notation. glibc implementation of modern inet_pton() does not accept any leading zeros. For a while the ipaddress module used to accept ambiguous leading zeros.


Discovery 2021-08-30
Entry 2021-09-09
python38
< 3.8.12

https://docs.python.org/3.8/whatsnew/changelog.html#changelog
80e057e7-2f0a-11ed-978f-fcaa147e860ePython -- multiple vulnerabilities

Python reports:

gh-95778: Converting between int and str in bases other than 2 (binary), 4, 8 (octal), 16 (hexadecimal), or 32 such as base 10 (decimal) now raises a ValueError if the number of digits in string form is above a limit to avoid potential denial of service attacks due to the algorithmic complexity.

gh-87389: http.server: Fix an open redirection vulnerability in the HTTP server when an URI path starts with //. Vulnerability discovered, and initial fix proposed, by Hamza Avvan.


Discovery 2020-03-20
Entry 2022-09-08
python37
< 3.7.14

python38
< 3.8.14

python39
< 3.9.14

python310
< 3.10.7

CVE-2020-10735
https://docs.python.org/release/3.7.14/whatsnew/changelog.html#changelog
d6d088c9-5064-11ed-bade-080027881239Python -- multiple vulnerabilities

Python reports:

gh-97616: Fix multiplying a list by an integer (list *= int): detect the integer overflow when the new allocated length is close to the maximum size. Issue reported by Jordan Limor. Patch by Victor Stinner.

gh-97612: Fix a shell code injection vulnerability in the get-remote-certificate.py example script. The script no longer uses a shell to run openssl commands. Issue reported and initial fix by Caleb Shortt. Patch by Victor Stinner.


Discovery 2022-09-29
Entry 2022-10-20
python37
< 3.7.15

python38
< 3.8.15

python39
< 3.9.15

python310
< 3.10.8

https://docs.python.org/release/3.9.15/whatsnew/changelog.html