FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2026-02-11 07:54:38 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

These are the vulnerabilities relating to the commit you have selected:

VuXML ID	Description
bfe9adc8-0224-11f1-8790-c5fb948922ad	python -- several security vulnerabilities The Python project announces a new release with several security fixes: CVE-2026-1299: gh-144125: BytesGenerator will now refuse to serialize (write) headers that are unsafely folded or delimited; see verify_generated_headers. (Contributed by Bas Bloemsaat and Petr Viktorin in gh-121650). gh-143935: Fixed a bug in the folding of comments when flattening an email message using a modern email policy. Comments consisting of a very long sequence of non-foldable characters could trigger a forced line wrap that omitted the required leading space on the continuation line, causing the remainder of the comment to be interpreted as a new header field. This enabled header injection with carefully crafted inputs. gh-143925: Reject control characters in data: URL media types. gh-143919: Reject control characters in http.cookies.Morsel fields and values. CVE-2026-0865: gh-143916: Reject C0 control characters within wsgiref.headers.Headers fields, values, and parameters. Discovery 2026-01-16 Entry 2026-02-04 python310 >= 0 python311 < 3.11.14_2 python312 >= 0 python313 < 3.13.12 python313t < 3.13.12 python314 < 3.14.3 CVE-2026-1299 CVE-2026-0865 https://docs.python.org/release/3.14.3/whatsnew/changelog.html

VuXML ID

Description

bfe9adc8-0224-11f1-8790-c5fb948922ad

python -- several security vulnerabilities

The Python project announces a new release with several security fixes:

CVE-2026-1299: gh-144125: BytesGenerator will now refuse to serialize (write) headers that are unsafely folded or delimited; see verify_generated_headers. (Contributed by Bas Bloemsaat and Petr Viktorin in gh-121650).

gh-143935: Fixed a bug in the folding of comments when flattening an email message using a modern email policy. Comments consisting of a very long sequence of non-foldable characters could trigger a forced line wrap that omitted the required leading space on the continuation line, causing the remainder of the comment to be interpreted as a new header field. This enabled header injection with carefully crafted inputs.

gh-143925: Reject control characters in data: URL media types.

gh-143919: Reject control characters in http.cookies.Morsel fields and values.

CVE-2026-0865: gh-143916: Reject C0 control characters within wsgiref.headers.Headers fields, values, and parameters.

Discovery 2026-01-16
Entry 2026-02-04
python310

>= 0

python311

< 3.11.14_2

python312

>= 0

python313

< 3.13.12

python313t

< 3.13.12

python314

< 3.14.3

CVE-2026-1299
CVE-2026-0865
https://docs.python.org/release/3.14.3/whatsnew/changelog.html