FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-03-27 18:04:16 UTC


k68

These are the vulnerabilities relating to the commit you have selected:

VuXML ID: 145ce848-1165-11ec-ac7e-08002789875b
Description: Python -- multiple vulnerabilities

Python reports:

bpo-42278: Replaced usage of tempfile.mktemp() with TemporaryDirectory to avoid a potential race condition.

bpo-44394: Update the vendored copy of libexpat to 2.4.1 (from 2.2.8) to get the fix for the CVE-2013-0340 "Billion Laughs" vulnerability. This copy is most used on Windows and macOS.

bpo-43124: Made the internal putcmd function in smtplib sanitize input for presence of \r and \n characters to avoid (unlikely) command injection.

bpo-36384: ipaddress module no longer accepts any leading zeros in IPv4 address strings. Leading zeros are ambiguous and interpreted as octal notation by some libraries. For example the legacy function socket.inet_aton() treats leading zeros as octal notation. glibc implementation of modern inet_pton() does not accept any leading zeros. For a while the ipaddress module used to accept ambiguous leading zeros.


Discovery 2021-08-30
Entry 2021-09-09
python38
< 3.8.12

https://docs.python.org/3.8/whatsnew/changelog.html#changelog
VuXML ID: f671c282-95ef-11eb-9c34-080027f515ea
Description: python -- Information disclosure via pydoc -p: /getfile?key=path allows to read arbitrary file on the filesystem

David Schwörer reports:

Remove the getfile feature of the pydoc module which could be abused to read arbitrary files on the disk (directory traversal vulnerability). Moreover, even source code of Python modules can contain sensitive data like passwords.


Discovery 2021-01-21
Entry 2021-04-10
python38
< 3.8.9

python39
< 3.9.3

CVE-2021-3426
https://pythoninsider.blogspot.com/2021/04/python-393-and-389-are-now-available.html
https://bugs.python.org/issue42988
VuXML ID: 050eba46-7638-11ed-820d-080027d3a315
Description: Python -- multiple vulnerabilities

Python reports:

gh-100001: python -m http.server no longer allows terminal control characters sent within a garbage request to be printed to the stderr server log. This is done by changing the http.server BaseHTTPRequestHandler.log_message method to replace control characters with a \xHH hex escape before printing.

gh-87604: Avoid publishing list of active per-interpreter audit hooks via the gc module.

gh-98433: The IDNA codec decoder used on DNS hostnames by socket or asyncio related name resolution functions no longer involves a quadratic algorithm. This prevents a potential CPU denial of service if an out-of-spec excessive length hostname involving bidirectional characters were decoded. Some protocols such as urllib http 3xx redirects potentially allow for an attacker to supply such a name.

gh-98739: Update bundled libexpat to 2.5.0.

gh-97612: Fix a shell code injection vulnerability in the get-remote-certificate.py example script. The script no longer uses a shell to run openssl commands. Issue reported and initial fix by Caleb Shortt. Patch by Victor Stinner.


Discovery 2022-09-28
Entry 2022-12-07
python37
< 3.7.16

python38
< 3.8.16

python39
< 3.9.16

python310
< 3.10.9

python311
< 3.11.1

https://docs.python.org/3/whatsnew/changelog.html#changelog
VuXML ID: d6d088c9-5064-11ed-bade-080027881239
Description: Python -- multiple vulnerabilities

Python reports:

gh-97616: Fix multiplying a list by an integer (list *= int): detect the integer overflow when the new allocated length is close to the maximum size. Issue reported by Jordan Limor. Patch by Victor Stinner.

gh-97612: Fix a shell code injection vulnerability in the get-remote-certificate.py example script. The script no longer uses a shell to run openssl commands. Issue reported and initial fix by Caleb Shortt. Patch by Victor Stinner.


Discovery 2022-09-29
Entry 2022-10-20
python37
< 3.7.15

python38
< 3.8.15

python39
< 3.9.15

python310
< 3.10.8

https://docs.python.org/release/3.9.15/whatsnew/changelog.html
VuXML ID: bffa40db-ad50-11eb-86b8-080027846a02
Description: Python -- multiple vulnerabilities

Python reports:

bpo-43434: Creating a sqlite3.Connection object now also produces a sqlite3.connect auditing event. Previously this event was only produced by sqlite3.connect() calls. Patch by Erlend E. Aasland.

bpo-43882: The presence of newline or tab characters in parts of a URL could allow some forms of attacks. Following the controlling specification for URLs defined by WHATWG, urllib.parse() now removes ASCII newlines and tabs from URLs, preventing such attacks.

bpo-43472: Ensures interpreter-level audit hooks receive the cpython.PyInterpreterState_New event when called through the _xxsubinterpreters module.

bpo-36384: ipaddress module no longer accepts any leading zeros in IPv4 address strings. Leading zeros are ambiguous and interpreted as octal notation by some libraries. For example the legacy function socket.inet_aton() treats leading zeros as octal notation. glibc implementation of modern inet_pton() does not accept any leading zeros. For a while the ipaddress module used to accept ambiguous leading zeros.

bpo-43075: Fix Regular Expression Denial of Service (ReDoS) vulnerability in urllib.request.AbstractBasicAuthHandler. The ReDoS-vulnerable regex has quadratic worst-case complexity and it allows causing a denial of service when identifying crafted invalid RFCs. This ReDoS issue is on the client side and needs remote attackers to control the HTTP server.

bpo-42800: Audit hooks are now fired for frame.f_code, traceback.tb_frame, and generator code/frame attribute access.


Discovery 2021-03-08
Entry 2021-05-05
python38
< 3.8.10

python39
< 3.9.5

https://docs.python.org/3/whatsnew/changelog.html#changelog
https://docs.python.org/3.8/whatsnew/changelog.html#changelog
VuXML ID: 80e057e7-2f0a-11ed-978f-fcaa147e860e
Description: Python -- multiple vulnerabilities

Python reports:

gh-95778: Converting between int and str in bases other than 2 (binary), 4, 8 (octal), 16 (hexadecimal), or 32 such as base 10 (decimal) now raises a ValueError if the number of digits in string form is above a limit to avoid potential denial of service attacks due to the algorithmic complexity.

gh-87389: http.server: Fix an open redirection vulnerability in the HTTP server when a URI path starts with //. Vulnerability discovered, and initial fix proposed, by Hamza Avvan.


Discovery 2020-03-20
Entry 2022-09-08
python37
< 3.7.14

python38
< 3.8.14

python39
< 3.9.14

python310
< 3.10.7

CVE-2020-10735
https://docs.python.org/release/3.7.14/whatsnew/changelog.html#changelog