FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-04-25 21:13:12 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML ID	Description
050eba46-7638-11ed-820d-080027d3a315	Python -- multiple vulnerabilities Python reports: gh-100001: python -m http.server no longer allows terminal control characters sent within a garbage request to be printed to the stderr server log. This is done by changing the http.server BaseHTTPRequestHandler .log_message method to replace control characters with a \xHH hex escape before printing. gh-87604: Avoid publishing list of active per-interpreter audit hooks via the gc module. gh-98433: The IDNA codec decoder used on DNS hostnames by socket or asyncio related name resolution functions no longer involves a quadratic algorithm. This prevents a potential CPU denial of service if an out-of-spec excessive length hostname involving bidirectional characters were decoded. Some protocols such as urllib http 3xx redirects potentially allow for an attacker to supply such a name. gh-98739: Update bundled libexpat to 2.5.0. gh-97612: Fix a shell code injection vulnerability in the get-remote-certificate.py example script. The script no longer uses a shell to run openssl commands. Issue reported and initial fix by Caleb Shortt. Patch by Victor Stinner. Discovery 2022-09-28 Entry 2022-12-07 python37 < 3.7.16 python38 < 3.8.16 python39 < 3.9.16 python310 < 3.10.9 python311 < 3.11.1 https://docs.python.org/3/whatsnew/changelog.html#changelog
d86becfe-05a4-11ee-9d4a-080027eda32c	Python -- multiple vulnerabilities Python reports: gh-103142: The version of OpenSSL used in Windows and Mac installers has been upgraded to 1.1.1u to address CVE-2023-2650, CVE-2023-0465, CVE-2023-0466, CVE-2023-0464, as well as CVE-2023-0286, CVE-2022-4303, and CVE-2022-4303 fixed previously in 1.1.1t (gh-101727). gh-102153: urllib.parse.urlsplit() now strips leading C0 control and space characters following the specification for URLs defined by WHATWG in response to CVE-2023-24329. gh-99889: Fixed a security in flaw in uu.decode() that could allow for directory traversal based on the input if no out_file was specified. gh-104049: Do not expose the local on-disk location in directory indexes produced by http.client.SimpleHTTPRequestHandler. gh-101283: subprocess.Popen now uses a safer approach to find cmd.exe when launching with shell=True. gh-103935: trace.__main__ now uses io.open_code() for files to be executed instead of raw open(). gh-102953: The extraction methods in tarfile, and shutil.unpack_archive(), have a new filter argument that allows limiting tar features than may be surprising or dangerous, such as creating files outside the destination directory. gh-102126: Fixed a deadlock at shutdown when clearing thread states if any finalizer tries to acquire the runtime head lock. gh-100892: Fixed a crash due to a race while iterating over thread states in clearing threading.local. Discovery 2022-06-08 Entry 2023-06-08 python37 < 3.7.17 python38 < 3.8.17 python39 < 3.9.17 python310 < 3.10.12 python311 < 3.11.4 CVE-2022-4303 CVE-2023-2650 CVE-2023-0286 CVE-2023-0464 CVE-2023-0465 CVE-2023-0466 CVE-2023-24329 https://pythoninsider.blogspot.com/2023/06/python-3114-31012-3917-3817-3717-and.html
d6d088c9-5064-11ed-bade-080027881239	Python -- multiple vulnerabilities Python reports: gh-97616: Fix multiplying a list by an integer (list *= int): detect the integer overflow when the new allocated length is close to the maximum size. Issue reported by Jordan Limor. Patch by Victor Stinner. gh-97612: Fix a shell code injection vulnerability in the get-remote-certificate.py example script. The script no longer uses a shell to run openssl commands. Issue reported and initial fix by Caleb Shortt. Patch by Victor Stinner. Discovery 2022-09-29 Entry 2022-10-20 python37 < 3.7.15 python38 < 3.8.15 python39 < 3.9.15 python310 < 3.10.8 https://docs.python.org/release/3.9.15/whatsnew/changelog.html

VuXML ID

Description

050eba46-7638-11ed-820d-080027d3a315

Python -- multiple vulnerabilities

Python reports:

gh-100001: python -m http.server no longer allows terminal control characters sent within a garbage request to be printed to the stderr server log. This is done by changing the http.server BaseHTTPRequestHandler .log_message method to replace control characters with a \xHH hex escape before printing.

gh-87604: Avoid publishing list of active per-interpreter audit hooks via the gc module.

gh-98433: The IDNA codec decoder used on DNS hostnames by socket or asyncio related name resolution functions no longer involves a quadratic algorithm. This prevents a potential CPU denial of service if an out-of-spec excessive length hostname involving bidirectional characters were decoded. Some protocols such as urllib http 3xx redirects potentially allow for an attacker to supply such a name.

gh-98739: Update bundled libexpat to 2.5.0.

gh-97612: Fix a shell code injection vulnerability in the get-remote-certificate.py example script. The script no longer uses a shell to run openssl commands. Issue reported and initial fix by Caleb Shortt. Patch by Victor Stinner.

Discovery 2022-09-28
Entry 2022-12-07
python37

< 3.7.16

python38

< 3.8.16

python39

< 3.9.16

python310

< 3.10.9

python311

< 3.11.1

https://docs.python.org/3/whatsnew/changelog.html#changelog

d86becfe-05a4-11ee-9d4a-080027eda32c

Python -- multiple vulnerabilities

Python reports:

gh-103142: The version of OpenSSL used in Windows and Mac installers has been upgraded to 1.1.1u to address CVE-2023-2650, CVE-2023-0465, CVE-2023-0466, CVE-2023-0464, as well as CVE-2023-0286, CVE-2022-4303, and CVE-2022-4303 fixed previously in 1.1.1t (gh-101727).

gh-102153: urllib.parse.urlsplit() now strips leading C0 control and space characters following the specification for URLs defined by WHATWG in response to CVE-2023-24329.

gh-99889: Fixed a security in flaw in uu.decode() that could allow for directory traversal based on the input if no out_file was specified.

gh-104049: Do not expose the local on-disk location in directory indexes produced by http.client.SimpleHTTPRequestHandler.

gh-101283: subprocess.Popen now uses a safer approach to find cmd.exe when launching with shell=True.

gh-103935: trace.__main__ now uses io.open_code() for files to be executed instead of raw open().

gh-102953: The extraction methods in tarfile, and shutil.unpack_archive(), have a new filter argument that allows limiting tar features than may be surprising or dangerous, such as creating files outside the destination directory.

gh-102126: Fixed a deadlock at shutdown when clearing thread states if any finalizer tries to acquire the runtime head lock.

gh-100892: Fixed a crash due to a race while iterating over thread states in clearing threading.local.

Discovery 2022-06-08
Entry 2023-06-08
python37

< 3.7.17

python38

< 3.8.17

python39

< 3.9.17

python310

< 3.10.12

python311

< 3.11.4

CVE-2022-4303
CVE-2023-2650
CVE-2023-0286
CVE-2023-0464
CVE-2023-0465
CVE-2023-0466
CVE-2023-24329
https://pythoninsider.blogspot.com/2023/06/python-3114-31012-3917-3817-3717-and.html

d6d088c9-5064-11ed-bade-080027881239

Python -- multiple vulnerabilities

Python reports:

gh-97616: Fix multiplying a list by an integer (list *= int): detect the integer overflow when the new allocated length is close to the maximum size. Issue reported by Jordan Limor. Patch by Victor Stinner.

gh-97612: Fix a shell code injection vulnerability in the get-remote-certificate.py example script. The script no longer uses a shell to run openssl commands. Issue reported and initial fix by Caleb Shortt. Patch by Victor Stinner.

Discovery 2022-09-29
Entry 2022-10-20
python37

< 3.7.15

python38

< 3.8.15

python39

< 3.9.15

python310

< 3.10.8

https://docs.python.org/release/3.9.15/whatsnew/changelog.html