Date: Mon, 8 Jul 2019 23:54:58 +0000 (UTC)
From: Wen Heping <wen@FreeBSD.org>
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r506255 - head/security/vuxml
Message-ID: <201907082354.x68NswTG013463@repo.freebsd.org>
Author: wen
Date: Mon Jul 8 23:54:58 2019
New Revision: 506255

URL: https://svnweb.freebsd.org/changeset/ports/506255

Log:
  - Document python 3.6 multiple vulnerabilities

  PR:           238952
  Submitted by: wenheping2000@hotmail.com(myself)
  Reviewed by:  koobs@

Modified:
  head/security/vuxml/vuln.xml

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Mon Jul 8 23:45:43 2019	(r506254)
+++ head/security/vuxml/vuln.xml	Mon Jul 8 23:54:58 2019	(r506255)
@@ -58,6 +58,50 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="18ed9650-a1d6-11e9-9b17-fcaa147e860e"> + <topic>python 3.6 -- multiple vulnerabilities</topic> + <affects> + <package> + <name>python36</name> + <range><lt>3.6.9</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Python changelog:</p> + <blockquote cite="https://docs.python.org/3.6/whatsnew/changelog.html#python-3-6-9-final"> + <p>bpo-35907: CVE-2019-9948: Avoid file reading by disallowing local-file:// + and local_file:// URL schemes in URLopener().open() and URLopener().retrieve() + of urllib.request.</p> + <p>bpo-36742: Fixes mishandling of pre-normalization characters in urlsplit().</p> + <p>bpo-30458: Address CVE-2019-9740 by disallowing URL paths with embedded + whitespace or control characters through into the underlying http client + request. Such potentially malicious header injection URLs now cause an + http.client.InvalidURL exception to be raised.</p> + <p>bpo-36216: Changes urlsplit() to raise ValueError when the URL contains + characters that decompose under IDNA encoding (NFKC-normalization) into + characters that affect how the URL is parsed.</p> + <p>bpo-33529: Prevent fold function used in email header encoding from + entering infinite loop when there are too many non-ASCII characters in + a header.</p> + <p>bpo-35121: Don't send cookies of domain A without Domain attribute to + domain B when domain A is a suffix match of domain B while using a cookiejar + with http.cookiejar.DefaultCookiePolicy policy. 
Patch by Karthikeyan + Singaravelan.</p> + </blockquote> + </body> + </description> + <references> + <url>https://docs.python.org/3.6/whatsnew/changelog.html#python-3-6-9-final</url> + <cvename>CVE-2019-9948</cvename> + <cvename>CVE-2019-9740</cvename> + </references> + <dates> + <discovery>2019-03-13</discovery> + <entry>2019-07-08</entry> + </dates> + </vuln> + <vuln vid="3dd46e05-9fb0-11e9-bf65-00012e582166"> <topic>webkit2-gtk3 -- Multiple vulnerabilities</topic> <affects>
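Review bot: the `<references>` block of the new `<vuln>` carries only the changelog URL and two `<cvename>` entries (CVE-2019-9948, CVE-2019-9740), while the quoted description lists six fixes (bpo-35907, bpo-36742, bpo-30458, bpo-36216, bpo-33529, bpo-35121); readers and tooling that match on references will not see the four entries that have no CVE here, so please add a `<url>` per bpo issue in `<references>` (or a `<cvename>` where one has been assigned) so that each item in `<description>` is traceable. Related: the `<discovery>` date 2019-03-13 is not tied to any of the six items in the quoted text; state in the PR or commit which issue it is taken from, since with several independent fixes the entry's discovery date should be the earliest disclosed one. Minor: `<topic>` uses lower-case "python 3.6 -- multiple vulnerabilities" while the adjacent existing entry uses "webkit2-gtk3 -- Multiple vulnerabilities"; pick one capitalisation for consistency, and run `make validate` in security/vuxml before commit so the `<range>`/`<lt>3.6.9</lt>` and the XHTML `<body>` are confirmed well-formed.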