Date:      Sun, 12 Apr 2026 18:36:46 +0000
From:      Daniel Engberg <diizzy@FreeBSD.org>
To:        ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
Cc:        Matthias Andree <mandree@FreeBSD.org>
Subject:   git: 8575855cbba0 - main - security/vuxml: Add entries for Python CVE-2026-1502 and gh-146333
Message-ID:  <69dbe63e.3af47.4aaaa24b@gitrepo.freebsd.org>


The branch main has been updated by diizzy:

URL: https://cgit.FreeBSD.org/ports/commit/?id=8575855cbba0c7b933aaa7edd1825937b97efad8

commit 8575855cbba0c7b933aaa7edd1825937b97efad8
Author:     Matthias Andree <mandree@FreeBSD.org>
AuthorDate: 2026-04-12 18:17:06 +0000
Commit:     Daniel Engberg <diizzy@FreeBSD.org>
CommitDate: 2026-04-12 18:35:01 +0000

    security/vuxml: Add entries for Python CVE-2026-1502 and gh-146333
    
    PR:             294324
    Security:       CVE-2026-1502
                    / 30bda1c3-369b-11f1-b51c-6dd25bec137b
    
    Security:       5ec4dcf6-3588-11f1-b51c-6dd25bec137b
---
 security/vuxml/vuln/2026.xml | 53 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 53 insertions(+)

diff --git a/security/vuxml/vuln/2026.xml b/security/vuxml/vuln/2026.xml
index 1bc2b6dde970..4597973c97f6 100644
--- a/security/vuxml/vuln/2026.xml
+++ b/security/vuxml/vuln/2026.xml
@@ -1,3 +1,56 @@
+  <vuln vid="30bda1c3-369b-11f1-b51c-6dd25bec137b">
+    <topic>Python -- HTTP proxy CONNECT tunnel does not sanitize CR/LF</topic>
+    <affects>
+      <package><name>python310</name><range><ge>0</ge></range></package>
+      <package><name>python311</name><range><ge>0</ge></range></package>
+      <package><name>python312</name><range><ge>0</ge></range></package>
+      <package><name>python313</name><range><ge>0</ge></range></package>
+      <package><name>python314</name><range><lt>3.14.4</lt></range></package>
+    </affects>
+    <description>
+	<body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>Seth Larson reports:</p>
+	<blockquote cite="https://github.com/python/cpython/issues/146211">;
+	  <p>HTTP proxy via "CONNECT" tunneling doesn't sanitize CR/LF (CVE-2026-1502).</p>
+	</blockquote>
+	</body>
+    </description>
+    <references>
+      <cvename>CVE-2026-1502</cvename>
+      <url>https://github.com/python/cpython/issues/146211</url>;
+    </references>
+    <dates>
+      <discovery>2026-03-20</discovery>
+      <entry>2026-04-12</entry>
+    </dates>
+   </vuln>
+
+  <vuln vid="5ec4dcf6-3588-11f1-b51c-6dd25bec137b">
+    <topic>Python -- configparser vulnerable to excessive CPU use</topic>
+    <affects>
+      <package><name>python310</name><range><ge>0</ge></range></package>
+      <package><name>python311</name><range><ge>0</ge></range></package>
+      <package><name>python312</name><range><ge>0</ge></range></package>
+      <package><name>python313</name><range><ge>0</ge></range></package>
+      <package><name>python314</name><range><lt>3.14.4</lt></range></package>
+    </affects>
+    <description>
+	<body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>Stan Ulbrych reports:</p>
+	<blockquote cite="https://github.com/python/cpython/issues/146333">;
+	  <p>configparser.RawConfigParser.{OPTCRE,OPTCRE_NV} regexes [are] vulnerable to quadratic backtracking.</p>
+	</blockquote>
+	</body>
+    </description>
+    <references>
+      <url>https://github.com/python/cpython/issues/146333</url>;
+    </references>
+    <dates>
+      <discovery>2026-03-23</discovery>
+      <entry>2026-04-12</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="8d549898-3598-11f1-a8bc-3c7c3fba4204">
     <topic>py-ormar -- vulnerabilities</topic>
     <affects>
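
Review bot: In both new entries the python310 through python313 packages are listed with <range><ge>0</ge></range>, so every version of those four ports is marked affected with no upper bound, while only python314 carries <lt>3.14.4</lt>. These entries will keep flagging 3.10 through 3.13 until someone revisits them; plan a follow-up that adds <lt> bounds and a <modified> date once the ports ship fixed versions, or say in the description that no fixed version is available for those branches yet. Minor style point: the closing </vuln> of the first entry (vid 30bda1c3-369b-11f1-b51c-6dd25bec137b) is indented three spaces, where its opening tag and the second entry's closing tag use two.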

