FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-03-27 18:04:16 UTC


These are the vulnerabilities relating to the commit you have selected:

VuXML ID | Description
1d0f6852-33d8-11e6-a671-60a44ce6887b | Python -- Integer overflow in zipimport module

Python reports:

Possible integer overflow and heap corruption in zipimporter.get_data()

Discovery 2016-01-21
Entry 2016-06-17
python35 < 3.5.1_3
python34 < 3.4.4_3
python33 < 3.3.6_5
python27 < 2.7.11_3

http://bugs.python.org/issue26171
CVE-2016-5636
d74371d2-4fee-11e9-a5cd-1df8a848de3d | Python -- NULL pointer dereference vulnerability

Python Changelog:

bpo-35746: [CVE-2019-5010] Fix a NULL pointer deref in ssl module. The cert parser did not handle CRL distribution points with empty DP or URI correctly. A malicious or buggy certificate can result in a segfault. Vulnerability (TALOS-2018-0758) reported by Colin Read and Nicolas Edet of Cisco.

Discovery 2019-01-15
Entry 2019-03-26
Modified 2019-03-27
python27 < 2.7.16
python35 < 3.5.7
python36 < 3.6.8_1
python37 < 3.7.3

https://docs.python.org/3.7/whatsnew/changelog.html
https://bugs.python.org/issue35746
CVE-2019-5010
a61374fc-3a4d-11e6-a671-60a44ce6887b | Python -- HTTP Header Injection in Python urllib

Guido Vranken reports:

HTTP header injection in urllib2/urllib/httplib/http.client with newlines in header values, where newlines have a semantic consequence of denoting the start of an additional header line.

Discovery 2014-11-24
Entry 2016-06-30
Modified 2016-07-04
python27 < 2.7.10
python33 ge 0
python34 < 3.4.4
python35 < 3.5.0

https://bugs.python.org/issue22928
http://blog.blindspotsecurity.com/2016/06/advisory-http-header-injection-in.html
http://www.openwall.com/lists/oss-security/2016/06/14/7
CVE-2016-5699
9164f51e-ae20-11e7-a633-009c02a2ab30 | Python 2.7 -- multiple vulnerabilities

Python reports:

Multiple vulnerabilities have been fixed in Python 2.7.14. Please refer to the CVE list for details.

Discovery 2017-08-26
Entry 2017-10-11
python27 < 2.7.14

https://raw.githubusercontent.com/python/cpython/84471935ed2f62b8c5758fd544c7d37076fe0fa5/Misc/NEWS
CVE-2012-0876
CVE-2016-0718
CVE-2016-4472
CVE-2016-5300
CVE-2016-9063
CVE-2017-9233
8719b935-8bae-41ad-92ba-3c826f651219 | python 2.7 -- multiple vulnerabilities

python release notes:

Multiple vulnerabilities have been fixed in this release. Please refer to the CVE list for details.

Discovery 2018-05-01
Entry 2018-05-05
python27 < 2.7.15

https://github.com/python/cpython/blob/2.7/Misc/NEWS.d/2.7.15rc1.rst
https://github.com/python/cpython/blob/2.7/Misc/NEWS.d/2.7.15.rst
CVE-2012-0876
CVE-2016-0718
CVE-2016-4472
CVE-2016-9063
CVE-2017-9233
CVE-2018-1060
CVE-2018-1061
8e5e6d42-a0fa-11e3-b09a-080027f2d077 | Python -- buffer overflow in socket.recvfrom_into()

Vincent Danen via Red Hat Issue Tracker reports:

A vulnerability was reported in Python's socket module, due to a boundary error within the sock_recvfrom_into() function, which could be exploited to cause a buffer overflow. This could be used to crash a Python application that uses the socket.recvfrom_into() function or, possibly, execute arbitrary code with the permissions of the user running vulnerable Python code.

This vulnerable function, socket.recvfrom_into(), was introduced in Python 2.5. Earlier versions are not affected by this flaw.

Discovery 2014-01-14
Entry 2014-03-01
python27 le 2.7.6_3
python31 le 3.1.5_10
python32 le 3.2.5_7
python33 le 3.3.3_2

65379
CVE-2014-1912
https://mail.python.org/pipermail/python-dev/2014-February/132758.html
http://bugs.python.org/issue20246
https://bugzilla.redhat.com/show_bug.cgi?id=1062370
8d5368ef-40fe-11e6-b2ec-b499baebfeaf | Python -- smtplib StartTLS stripping vulnerability

Red Hat reports:

A vulnerability in smtplib allowing a MITM attacker to perform a startTLS stripping attack. smtplib does not seem to raise an exception when the remote end (SMTP server) is capable of negotiating starttls but fails to respond with 220 (ok) to an explicit call of SMTP.starttls(). This may allow a malicious MITM to perform a startTLS stripping attack if the client code does not explicitly check the response code for startTLS.

Discovery 2016-06-14
Entry 2016-07-03
python27 < 2.7.12
python33 gt 0
python34 < 3.4.5
python35 < 3.5.2

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-0772
CVE-2016-0772
b4f8be9e-56b2-11e1-9fb7-003067b2972c | Python -- DoS via malformed XML-RPC / HTTP POST request

Jan Lieskovsky reports:

A denial of service flaw was found in the way the Simple XML-RPC Server module of Python processed client connections that were closed before the complete request body had been received. A remote attacker could use this flaw to cause a Python Simple XML-RPC based server process to consume an excessive amount of CPU.

Discovery 2012-02-13
Entry 2012-02-14
Modified 2012-02-26
python32 le 3.2.2_2
python31 le 3.1.4_2
python27 le 2.7.2_3
python26 le 2.6.7_2
python25 le 2.5.6_2
python24 le 2.4.5_8
pypy le 1.7

CVE-2012-0845
http://bugs.python.org/issue14001
https://bugzilla.redhat.com/show_bug.cgi?id=789790
https://bugs.pypy.org/issue1047
ca595a25-91d8-11ea-b470-080027846a02 | Python -- CRLF injection via the host part of the url passed to urlopen()

Python reports:

An issue was discovered in urllib2 in Python 2.x through 2.7.17 and urllib in Python 3.x through 3.8.0. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the host component of a URL) followed by an HTTP header.

Discovery 2019-10-24
Entry 2020-05-09
Modified 2020-06-13
python27 < 2.7.18
python38 < 3.8.3
python37 le 3.7.7
python36 < 3.6.10
python35 le 3.5.9_4

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18348
https://bugs.python.org/issue38576
CVE-2019-18348
a27b0bb6-84fc-11ea-b5b4-641c67a117d8 | Python -- Regular Expression DoS attack against client

Ben Caller and Matt Schwager report:

Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allow an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.

Discovery 2019-11-17
Entry 2020-04-23
Modified 2020-06-13
python38 < 3.8.3
python37 le 3.7.7
python36 < 3.6.10
python35 le 3.5.9_4
python27 < 2.7.18

https://python-security.readthedocs.io/vuln/urllib-basic-auth-regex.html
https://bugs.python.org/issue39503
CVE-2020-8492
ports/245819