FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-03-28 15:43:32 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML IDDescription
ca595a25-91d8-11ea-b470-080027846a02Python -- CRLF injection via the host part of the url passed to urlopen()

Python reports:

An issue was discovered in urllib2 in Python 2.x through 2.7.17 and urllib in Python 3.x through 3.8.0. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the host component of a URL) followed by an HTTP header.


Discovery 2019-10-24
Entry 2020-05-09
Modified 2020-06-13
python27
< 2.7.18

python38
< 3.8.3

python37
le 3.7.7

python36
< 3.6.10

python35
le 3.5.9_4

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18348
https://bugs.python.org/issue38576
CVE-2019-18348
3fcb70a4-e22d-11ea-98b2-080027846a02Python -- multiple vulnerabilities

Python reports:

bpo-29778: Ensure python3.dll is loaded from correct locations when Python is embedded (CVE-2020-15523).

bpo-41004: CVE-2020-14422: The __hash__() methods of ipaddress.IPv4Interface and ipaddress.IPv6Interface incorrectly generated constant hash values of 32 and 128 respectively. This resulted in always causing hash collisions. The fix uses hash() to generate hash values for the tuple of (address, mask length, network address).

bpo-39603: Prevent http header injection by rejecting control characters in http.client.putrequest(...).


Discovery 2020-06-17
Entry 2020-08-19
python37
< 3.7.9

python36
< 3.6.12

https://docs.python.org/release/3.7.9/whatsnew/changelog.html#changelog
https://docs.python.org/release/3.6.12/whatsnew/changelog.html#changelog
CVE-2020-14422
CVE-2020-15523
0e561173-0fa9-11ec-a2fa-080027948c12Python -- multiple vulnerabilities

Python reports:

bpo-44394: Update the vendored copy of libexpat to 2.4.1 (from 2.2.8) to get the fix for the CVE-2013-0340 "Billion Laughs" vulnerability. This copy is most used on Windows and macOS.

bpo-43124: Made the internal putcmd function in smtplib sanitize input for presence of \r and \n characters to avoid (unlikely) command injection.


Discovery 2021-08-30
Entry 2021-09-07
python36
< 3.6.15

python37
< 3.7.12

https://docs.python.org/3.6/whatsnew/changelog.html#changelog
https://docs.python.org/3.7/whatsnew/changelog.html#changelog
d6d088c9-5064-11ed-bade-080027881239Python -- multiple vulnerabilities

Python reports:

gh-97616: Fix multiplying a list by an integer (list *= int): detect the integer overflow when the new allocated length is close to the maximum size. Issue reported by Jordan Limor. Patch by Victor Stinner.

gh-97612: Fix a shell code injection vulnerability in the get-remote-certificate.py example script. The script no longer uses a shell to run openssl commands. Issue reported and initial fix by Caleb Shortt. Patch by Victor Stinner.


Discovery 2022-09-29
Entry 2022-10-20
python37
< 3.7.15

python38
< 3.8.15

python39
< 3.9.15

python310
< 3.10.8

https://docs.python.org/release/3.9.15/whatsnew/changelog.html
a27b0bb6-84fc-11ea-b5b4-641c67a117d8Python -- Regular Expression DoS attack against client

Ben Caller and Matt Schwager reports:

Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.


Discovery 2019-11-17
Entry 2020-04-23
Modified 2020-06-13
python38
< 3.8.3

python37
le 3.7.7

python36
< 3.6.10

python35
le 3.5.9_4

python27
< 2.7.18

https://python-security.readthedocs.io/vuln/urllib-basic-auth-regex.html
https://bugs.python.org/issue39503
CVE-2020-8492
ports/245819
050eba46-7638-11ed-820d-080027d3a315Python -- multiple vulnerabilities

Python reports:

gh-100001: python -m http.server no longer allows terminal control characters sent within a garbage request to be printed to the stderr server log. This is done by changing the http.server BaseHTTPRequestHandler .log_message method to replace control characters with a \xHH hex escape before printing.

gh-87604: Avoid publishing list of active per-interpreter audit hooks via the gc module.

gh-98433: The IDNA codec decoder used on DNS hostnames by socket or asyncio related name resolution functions no longer involves a quadratic algorithm. This prevents a potential CPU denial of service if an out-of-spec excessive length hostname involving bidirectional characters were decoded. Some protocols such as urllib http 3xx redirects potentially allow for an attacker to supply such a name.

gh-98739: Update bundled libexpat to 2.5.0.

gh-97612: Fix a shell code injection vulnerability in the get-remote-certificate.py example script. The script no longer uses a shell to run openssl commands. Issue reported and initial fix by Caleb Shortt. Patch by Victor Stinner.


Discovery 2022-09-28
Entry 2022-12-07
python37
< 3.7.16

python38
< 3.8.16

python39
< 3.9.16

python310
< 3.10.9

python311
< 3.11.1

https://docs.python.org/3/whatsnew/changelog.html#changelog
80e057e7-2f0a-11ed-978f-fcaa147e860ePython -- multiple vulnerabilities

Python reports:

gh-95778: Converting between int and str in bases other than 2 (binary), 4, 8 (octal), 16 (hexadecimal), or 32 such as base 10 (decimal) now raises a ValueError if the number of digits in string form is above a limit to avoid potential denial of service attacks due to the algorithmic complexity.

gh-87389: http.server: Fix an open redirection vulnerability in the HTTP server when an URI path starts with //. Vulnerability discovered, and initial fix proposed, by Hamza Avvan.


Discovery 2020-03-20
Entry 2022-09-08
python37
< 3.7.14

python38
< 3.8.14

python39
< 3.9.14

python310
< 3.10.7

CVE-2020-10735
https://docs.python.org/release/3.7.14/whatsnew/changelog.html#changelog
33c05d57-bf6e-11ea-ba1e-0800273f78d3Python -- multiple vulnerabilities

Python reports:

The AbstractBasicAuthHandler class of the urllib.request module uses an inefficient regular expression which can be exploited by an attacker to cause a denial of service. Fix the regex to prevent the catastrophic backtracking. Vulnerability reported by Ben Caller and Matt Schwager.

Disallow control characters in hostnames in http.client, addressing CVE-2019-18348. Such potentially malicious header injection URLs now cause a InvalidURL to be raised.

Disallow CR or LF in email.headerregistry.Address arguments to guard against header injection attacks.


Discovery 2019-10-24
Entry 2020-07-06
python37
< 3.7.8

https://docs.python.org/3.7/whatsnew/changelog.html#changelog
CVE-2019-18348
CVE-2020-8492