git: 8626b3d3114f - main - security/vuxml: Document python-3.11 vulnerabilities
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Wed, 07 Dec 2022 14:26:38 UTC
The branch main has been updated by wen:
URL: https://cgit.FreeBSD.org/ports/commit/?id=8626b3d3114fd21d4c1153ec9cb161dfd2d5fee4
commit 8626b3d3114fd21d4c1153ec9cb161dfd2d5fee4
Author: Wen Heping <wen@FreeBSD.org>
AuthorDate: 2022-12-07 14:25:15 +0000
Commit: Wen Heping <wen@FreeBSD.org>
CommitDate: 2022-12-07 14:25:15 +0000
security/vuxml: Document python-3.11 vulnerabilities
---
security/vuxml/vuln/2022.xml | 38 ++++++++++++++++++++++++++++++++++++++
1 file changed, 38 insertions(+)
diff --git a/security/vuxml/vuln/2022.xml b/security/vuxml/vuln/2022.xml
index 8a25f8c107f1..24f753c04b47 100644
--- a/security/vuxml/vuln/2022.xml
+++ b/security/vuxml/vuln/2022.xml
@@ -1,3 +1,41 @@
+ <vuln vid="050eba46-7638-11ed-820d-080027d3a315">
+ <topic>Python -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>python311</name>
+ <range><lt>3.11.1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Python reports:</p>
+ <blockquote cite="https://docs.python.org/3/whatsnew/changelog.html#changelog">
+ <p>gh-100001: python -m http.server no longer allows terminal control characters sent
+ within a garbage request to be printed to the stderr server log.
+ This is done by changing the http.server BaseHTTPRequestHandler .log_message method
+ to replace control characters with a \xHH hex escape before printing.</p>
+ <p>gh-87604: Avoid publishing list of active per-interpreter audit hooks via the gc module.</p>
+ <p>gh-98433: The IDNA codec decoder used on DNS hostnames by socket or asyncio related
+ name resolution functions no longer involves a quadratic algorithm. This prevents a
+ potential CPU denial of service if an out-of-spec excessive length hostname involving
+ bidirectional characters were decoded. Some protocols such as urllib http 3xx redirects
+ potentially allow for an attacker to supply such a name.</p>
+ <p>gh-98739: Update bundled libexpat to 2.5.0.</p>
+ <p>gh-97612: Fix a shell code injection vulnerability in the get-remote-certificate.py example
+ script. The script no longer uses a shell to run openssl commands. Issue reported and
+ initial fix by Caleb Shortt. Patch by Victor Stinner.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://docs.python.org/3/whatsnew/changelog.html#changelog</url>
+ </references>
+ <dates>
+ <discovery>2022-09-28</discovery>
+ <entry>2022-12-07</entry>
+ </dates>
+ </vuln>
+
<vuln vid="6f5192f5-75a7-11ed-83c0-411d43ce7fe4">
<topic>go -- multiple vulnerabilities</topic>
<affects>