FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The last vuln.xml file processed by FreshPorts is:

nothing found there

These are the vulnerabilities relating to the commit you have selected:

VuXML ID    Description
d74371d2-4fee-11e9-a5cd-1df8a848de3d    Python -- NULL pointer dereference vulnerability

Python Changelog:

bpo-35746: [CVE-2019-5010] Fix a NULL pointer deref in ssl module. The cert parser did not handle CRL distribution points with empty DP or URI correctly. A malicious or buggy certificate can result in a segfault. Vulnerability (TALOS-2018-0758) reported by Colin Read and Nicolas Edet of Cisco.


Discovery 2019-01-15
Entry 2019-03-26
Modified 2019-03-27

python27 lt 2.7.16
python35 lt 3.5.7
python36 lt 3.6.8_1
python37 lt 3.7.3

https://docs.python.org/3.7/whatsnew/changelog.html
https://bugs.python.org/issue35746
CVE-2019-5010
a27b0bb6-84fc-11ea-b5b4-641c67a117d8    Python -- Regular Expression DoS attack against client

Ben Caller and Matt Schwager report:

Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.


Discovery 2019-11-17
Entry 2020-04-23
Modified 2020-06-13

python38 lt 3.8.3
python37 le 3.7.7
python36 lt 3.6.10
python35 le 3.5.9_4
python27 lt 2.7.18

https://python-security.readthedocs.io/vuln/urllib-basic-auth-regex.html
https://bugs.python.org/issue39503
CVE-2020-8492
ports/245819
ca595a25-91d8-11ea-b470-080027846a02    Python -- CRLF injection via the host part of the url passed to urlopen()

Python reports:

An issue was discovered in urllib2 in Python 2.x through 2.7.17 and urllib in Python 3.x through 3.8.0. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the host component of a URL) followed by an HTTP header.


Discovery 2019-10-24
Entry 2020-05-09
Modified 2020-06-13

python27 lt 2.7.18
python38 lt 3.8.3
python37 le 3.7.7
python36 lt 3.6.10
python35 le 3.5.9_4

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18348
https://bugs.python.org/issue38576
CVE-2019-18348
8719b935-8bae-41ad-92ba-3c826f651219    python 2.7 -- multiple vulnerabilities

Python release notes:

Multiple vulnerabilities have been fixed in this release. Please refer to the CVE list for details.


Discovery 2018-05-01
Entry 2018-05-05

python27 lt 2.7.15

https://github.com/python/cpython/blob/2.7/Misc/NEWS.d/2.7.15rc1.rst
https://github.com/python/cpython/blob/2.7/Misc/NEWS.d/2.7.15.rst
CVE-2012-0876
CVE-2016-0718
CVE-2016-4472
CVE-2016-9063
CVE-2017-9233
CVE-2018-1060
CVE-2018-1061
9164f51e-ae20-11e7-a633-009c02a2ab30    Python 2.7 -- multiple vulnerabilities

Python reports:

Multiple vulnerabilities have been fixed in Python 2.7.14. Please refer to the CVE list for details.


Discovery 2017-08-26
Entry 2017-10-11

python27 lt 2.7.14

https://raw.githubusercontent.com/python/cpython/84471935ed2f62b8c5758fd544c7d37076fe0fa5/Misc/NEWS
CVE-2012-0876
CVE-2016-0718
CVE-2016-4472
CVE-2016-5300
CVE-2016-9063
CVE-2017-9233