FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-04-18 11:12:36 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML ID	Description
050eba46-7638-11ed-820d-080027d3a315	Python -- multiple vulnerabilities Python reports: gh-100001: python -m http.server no longer allows terminal control characters sent within a garbage request to be printed to the stderr server log. This is done by changing the http.server BaseHTTPRequestHandler .log_message method to replace control characters with a \xHH hex escape before printing. gh-87604: Avoid publishing list of active per-interpreter audit hooks via the gc module. gh-98433: The IDNA codec decoder used on DNS hostnames by socket or asyncio related name resolution functions no longer involves a quadratic algorithm. This prevents a potential CPU denial of service if an out-of-spec excessive length hostname involving bidirectional characters were decoded. Some protocols such as urllib http 3xx redirects potentially allow for an attacker to supply such a name. gh-98739: Update bundled libexpat to 2.5.0. gh-97612: Fix a shell code injection vulnerability in the get-remote-certificate.py example script. The script no longer uses a shell to run openssl commands. Issue reported and initial fix by Caleb Shortt. Patch by Victor Stinner. Discovery 2022-09-28 Entry 2022-12-07 python37 < 3.7.16 python38 < 3.8.16 python39 < 3.9.16 python310 < 3.10.9 python311 < 3.11.1 https://docs.python.org/3/whatsnew/changelog.html#changelog

VuXML ID

Description

050eba46-7638-11ed-820d-080027d3a315

Python -- multiple vulnerabilities

Python reports:

gh-100001: python -m http.server no longer allows terminal control characters sent within a garbage request to be printed to the stderr server log. This is done by changing the http.server BaseHTTPRequestHandler .log_message method to replace control characters with a \xHH hex escape before printing.

gh-87604: Avoid publishing list of active per-interpreter audit hooks via the gc module.

gh-98433: The IDNA codec decoder used on DNS hostnames by socket or asyncio related name resolution functions no longer involves a quadratic algorithm. This prevents a potential CPU denial of service if an out-of-spec excessive length hostname involving bidirectional characters were decoded. Some protocols such as urllib http 3xx redirects potentially allow for an attacker to supply such a name.

gh-98739: Update bundled libexpat to 2.5.0.

gh-97612: Fix a shell code injection vulnerability in the get-remote-certificate.py example script. The script no longer uses a shell to run openssl commands. Issue reported and initial fix by Caleb Shortt. Patch by Victor Stinner.

Discovery 2022-09-28
Entry 2022-12-07
python37

< 3.7.16

python38

< 3.8.16

python39

< 3.9.16

python310

< 3.10.9

python311

< 3.11.1

https://docs.python.org/3/whatsnew/changelog.html#changelog