Date: Wed, 7 Dec 2022 14:26:38 GMT From: Wen Heping <wen@FreeBSD.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org Subject: git: 8626b3d3114f - main - security/vuxml: Document python-3.11 vulnerabilities Message-ID: <202212071426.2B7EQcMO056698@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch main has been updated by wen: URL: https://cgit.FreeBSD.org/ports/commit/?id=8626b3d3114fd21d4c1153ec9cb161dfd2d5fee4 commit 8626b3d3114fd21d4c1153ec9cb161dfd2d5fee4 Author: Wen Heping <wen@FreeBSD.org> AuthorDate: 2022-12-07 14:25:15 +0000 Commit: Wen Heping <wen@FreeBSD.org> CommitDate: 2022-12-07 14:25:15 +0000 security/vuxml: Document python-3.11 vulnerabilities --- security/vuxml/vuln/2022.xml | 38 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) diff --git a/security/vuxml/vuln/2022.xml b/security/vuxml/vuln/2022.xml index 8a25f8c107f1..24f753c04b47 100644 --- a/security/vuxml/vuln/2022.xml +++ b/security/vuxml/vuln/2022.xml @@ -1,3 +1,41 @@ + <vuln vid="050eba46-7638-11ed-820d-080027d3a315"> + <topic>Python -- multiple vulnerabilities</topic> + <affects> + <package> + <name>python311</name> + <range><lt>3.11.1</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml">; + <p>Python reports:</p> + <blockquote cite="https://docs.python.org/3/whatsnew/changelog.html#changelog">; + <p>gh-100001: python -m http.server no longer allows terminal control characters sent + within a garbage request to be printed to the stderr server log. + This is done by changing the http.server BaseHTTPRequestHandler .log_message method + to replace control characters with a \xHH hex escape before printing.</p> + <p>gh-87604: Avoid publishing list of active per-interpreter audit hooks via the gc module.</p> + <p>gh-98433: The IDNA codec decoder used on DNS hostnames by socket or asyncio related + name resolution functions no longer involves a quadratic algorithm. This prevents a + potential CPU denial of service if an out-of-spec excessive length hostname involving + bidirectional characters were decoded. Some protocols such as urllib http 3xx redirects + potentially allow for an attacker to supply such a name.</p> + <p>gh-98739: Update bundled libexpat to 2.5.0.</p> + <p>gh-97612: Fix a shell code injection vulnerability in the get-remote-certificate.py example + script. The script no longer uses a shell to run openssl commands. Issue reported and + initial fix by Caleb Shortt. Patch by Victor Stinner.</p> + </blockquote> + </body> + </description> + <references> + <url>https://docs.python.org/3/whatsnew/changelog.html#changelog</url>; + </references> + <dates> + <discovery>2022-09-28</discovery> + <entry>2022-12-07</entry> + </dates> + </vuln> + <vuln vid="6f5192f5-75a7-11ed-83c0-411d43ce7fe4"> <topic>go -- multiple vulnerabilities</topic> <affects>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202212071426.2B7EQcMO056698>