Date: Fri, 12 Jul 2019 00:36:27 +0000 (UTC)
From: Wen Heping <wen@FreeBSD.org>
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r506428 - head/security/vuxml
Message-ID: <201907120036.x6C0aRmv071975@repo.freebsd.org>
Author: wen Date: Fri Jul 12 00:36:26 2019 New Revision: 506428 URL: https://svnweb.freebsd.org/changeset/ports/506428 Log: - Document python37 multiple vulnerabilities Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Thu Jul 11 21:58:29 2019 (r506427) +++ head/security/vuxml/vuln.xml Fri Jul 12 00:36:26 2019 (r506428) 
@@ -58,6 +58,50 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="a449c604-a43a-11e9-b422-fcaa147e860e"> + <topic>python 3.7 -- multiple vulnerabilities</topic> + <affects> + <package> + <name>python37</name> + <range><lt>3.7.4</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Python changelog:</p> + <blockquote cite="https://docs.python.org/3.7/whatsnew/changelog.html#python-3-7-4-final"> + <p>bpo-37463: ssl.match_hostname() no longer accepts IPv4 addresses with additional text + after the address and only quad-dotted notation without trailing whitespaces. Some + inet_aton() implementations ignore whitespace and all data after whitespace, e.g.'127.0.0.1 + whatever'.</p> + <p>bpo-35907: CVE-2019-9948: Avoid file reading by disallowing local-file:// and + local_file:// URL schemes in URLopener().open() and URLopener().retrieve() of + urllib.request.</p> + <p>bpo-36742: Fixes mishandling of pre-normalization characters in urlsplit().</p> + <p>bpo-30458: Address CVE-2019-9740 by disallowing URL paths with embedded whitespace + or control characters through into the underlying http client request. Such potentially + malicious header injection URLs now cause an http.client.InvalidURL exception to be + raised.</p> + <p>bpo-33529: Prevent fold function used in email header encoding from entering infinite + loop when there are too many non-ASCII characters in a header.</p> + <p>bpo-35755: shutil.which() now uses os.confstr("CS_PATH") if available and if the PATH + environment variable is not set. Remove also the current directory from posixpath.defpath. 
+ On Unix, shutil.which() and the subprocess module no longer search the executable in the + current directory if the PATH environment variable is not set.</p> + </blockquote> + </body> + </description> + <references> + <url>https://docs.python.org/3.7/whatsnew/changelog.html#python-3-7-4-final</url> + <cvename>CVE-2019-9740</cvename> + <cvename>CVE-2019-9948</cvename> + </references> + <dates> + <discovery>2019-03-13</discovery> + <entry>2019-07-12</entry> + </dates> + </vuln> + <vuln vid="0592f49f-b3b8-4260-b648-d1718762656c"> <topic>mozilla -- multiple vulnerabilities</topic> <affects>
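Review bot: the `<affects>` block lists only `python37`, while the unchanged context line at the top of the hunk ("Do not forget port variants") is a reminder that the same issues may need entries for the other Python ports; please confirm whether CVE-2019-9740 (bpo-30458) and CVE-2019-9948 (bpo-35907) also apply to the python36 and python27 ports and, if so, add matching `<package>` entries or a separate `<vuln>` for them. A second, smaller point: the `<references>` section carries a single changelog URL for six distinct bpo issues; adding the per-issue tracker URLs (https://bugs.python.org/issue37463 and so on for each bpo number quoted in the description) would let readers verify each fix without searching the changelog. Finally, the `<discovery>` date of 2019-03-13 is not tied to any of the quoted entries; a brief note in the commit log on which issue it corresponds to would make the date auditable.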