From nobody Thu Aug 31 11:22:52 2023 X-Original-To: dev-commits-ports-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4RbzKm6kdpz4s4Qx; Thu, 31 Aug 2023 11:22:52 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4RbzKm6VLGz3KXs; Thu, 31 Aug 2023 11:22:52 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1693480972; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=9uzSACR8mghoPPNb3nITe7Fg/uXNd/WaKeJ6lg4bpIM=; b=DzaeQLWQ7/3xz/Fc9zIT8c/rJOHnQKv5YFx0CdNfUf73etlfPe4c+5QJjMCHs1OOTdF/76 FHkGwb99Bf/qiz0DffEsb9rXWI8C0Dz/1k40pyis2Fl/BsFi04eWn4Wr8sy3ElDa4NzjMB C2OqZ3Uzkp8MEp5ySYwhGYRiQUO14U1dkYX3UaE1YZcNbbRgMgS4FW56qM51+gNL/daFOu XdJbuLVtrwv43vZzbzkIS+hJHwk3ENdDCe2K/u/l/9ZCRxLXecYBTyMqSxa1LTLMKqM5Ve 30RuGl920CNATcpdAFz2FyWbrfSTj9IKJArAsas4Q/9wi5XiDLG7KWU5q8pZlg== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1693480972; a=rsa-sha256; cv=none; b=cS5WusTqpfg4L6XGOVXNdwu1qIDemBlZhSXqDbd38wtOQufTJ3/C0nRTm9e3b8e9bAni1c Z0HMsrmHy5fyAnsm5fpUK6mWR0XrTJAY3BKy6WxOpEfjlVKfJvijnnzgi8p4MsXfcwJbF5 LWx2xIMm/BXRZqR98grnxzetFyCMeg0XEpIaGOu1sMQA/e/ph5O3YbhwLeXtkkWn20k1PM 3rkY+SlSj8vS9qYetf1/pxqHvSytuE+jB+tYU7ihZM6XsOpaQd7nYXvHk3MgVokPAyIveq 93CtJDQzj/N/jEqpMjfxrMxl4JqGYcjNMyjCi4jCA7u1t61AzVqtl/LrZXQ9sQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1693480972; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=9uzSACR8mghoPPNb3nITe7Fg/uXNd/WaKeJ6lg4bpIM=; b=ijtkfFccoCIQk0ANbQrwFyEstjBXeZGnrmHRm6G92oooXmqOvmEcCmMPFfMJqB4iWRoI1o KotBvK/mfiWlO2BiBIkUYMyDyvAEi3IthTotd31DGW621QAHLeRfgx0qGFBi/rZ9oatXVz y0yQolHmkS3zaMw/TMsEWy3yD2OIgzTzUfNESpzFCHXnTryBLwjgKuXe1G/mvsyN9xPVMG MfPoQe8+2FdzePkuLOo5N3w7dm9O0CrI7z78/Ddary+C549u/OocrocJwUKtnly/mvU3DV 7HnMi1WKhSOCFb0JDC8qmBavSf0FpEsPVH5cbGN1sE33Fhd0NbX4vT/w0yVCdg== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4RbzKm5Y6Bz1PQ; Thu, 31 Aug 2023 11:22:52 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.17.1/8.17.1) with ESMTP id 37VBMqn3034064; Thu, 31 Aug 2023 11:22:52 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.17.1/8.17.1/Submit) id 37VBMqDp034061; Thu, 31 Aug 2023 11:22:52 GMT (envelope-from git) Date: Thu, 31 Aug 2023 11:22:52 GMT Message-Id: <202308311122.37VBMqDp034061@gitrepo.freebsd.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org From: Kai Knoblich Subject: git: 8862a8fe47b8 - main - security/vuxml: Document 18 py*-* vulnerabilities List-Id: Commit messages for all branches of the ports repository List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-ports-all@freebsd.org X-BeenThere: dev-commits-ports-all@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: kai X-Git-Repository: ports X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 8862a8fe47b89e74fb40d1cd003f254f817c7290 Auto-Submitted: auto-generated The branch main has been updated by kai: URL: https://cgit.FreeBSD.org/ports/commit/?id=8862a8fe47b89e74fb40d1cd003f254f817c7290 commit 8862a8fe47b89e74fb40d1cd003f254f817c7290 Author: Hubert Tournier AuthorDate: 2023-08-31 11:13:29 +0000 Commit: Kai Knoblich CommitDate: 2023-08-31 11:13:29 +0000 security/vuxml: Document 18 py*-* vulnerabilities Vulnerable Python ports discovered with pysec2vuxml. See also: . PR: 270923 Co-Authored by: kai --- security/vuxml/vuln/2023.xml | 607 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 607 insertions(+) diff --git a/security/vuxml/vuln/2023.xml b/security/vuxml/vuln/2023.xml index 296d96b8a70b..331c22892c06 100644 --- a/security/vuxml/vuln/2023.xml +++ b/security/vuxml/vuln/2023.xml @@ -1,3 +1,610 @@ + + py-WsgiDAV -- XSS vulnerability + + + py37-WsgiDAV + py38-WsgiDAV + py39-WsgiDAV + py310-WsgiDAV + py311-WsgiDAV + 4.1.0 + + + + +
+

Implementations using this library with directory browsing enabled may be susceptible to Cross Site Scripting (XSS) attacks.

+
+ +
+ + CVE-2022-41905 + https://osv.dev/vulnerability/GHSA-xx6g-jj35-pxjv + + + 2022-11-11 + 2023-08-31 + +
+ + + py-wagtail -- stored XSS vulnerability + + + py37-wagtail + py38-wagtail + py39-wagtail + py310-wagtail + py311-wagtail + 4.1.4 + 4.2.04.2.2 + + + + +
+

A stored cross-site scripting (XSS) vulnerability exists on ModelAdmin views within the Wagtail admin interface.

+

A user with a limited-permission editor account for the Wagtail admin could potentially craft pages and documents that, when viewed by a user with higher privileges, could perform actions with that user's credentials.

+

The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin, and only affects sites with ModelAdmin enabled.

+

For page, the vulnerability is in the "Choose a parent page" ModelAdmin view, available when managing pages via ModelAdmin.

+

For documents, the vulnerability is in the ModelAdmin Inspect view when displaying document fields.

+
+ +
+ + CVE-2023-28836 + https://osv.dev/vulnerability/GHSA-5286-f2rf-35c2 + + + 2023-04-03 + 2023-08-31 + +
+ + + py-wagtail -- DoS vulnerability + + + py37-wagtail + py38-wagtail + py39-wagtail + py310-wagtail + py311-wagtail + 4.2.04.2.2 + + + + +
+

A memory exhaustion bug exists in Wagtail's handling of uploaded images and documents.

+

For both images and documents, files are loaded into memory during upload for additional processing.

+

A user with access to upload images or documents through the Wagtail admin interface could upload a file so large that it results in a crash or denial of service.

+

The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin.

+

It can only be exploited by admin users with permission to upload images or documents.

+

Image uploads are restricted to 10MB by default, however this validation only happens on the frontend and on the backend after the vulnerable code.

+
+ +
+ + CVE-2023-28837 + https://osv.dev/vulnerability/GHSA-33pv-vcgh-jfg9 + + + 2023-04-03 + 2023-08-31 + +
+ + + py-treq -- sensitive information leak vulnerability + + + py37-treq + py38-treq + py39-treq + py310-treq + py311-treq + 22.1.0 + + + + +
+

Treq's request methods (`treq.get`, `treq.post`, `HTTPClient.request`, `HTTPClient.get`, etc.) accept cookies as a dictionary.

+

Such cookies are not bound to a single domain, and are therefore sent to *every* domain ("supercookies").

+

This can potentially cause sensitive information to leak upon an HTTP redirect to a different domain., e.g. should `https://example.com` redirect to `http://cloudstorageprovider.com` the latter will receive the cookie `session`.

+
+ +
+ + CVE-2022-23607 + https://osv.dev/vulnerability/GHSA-fhpf-pp6p-55qc + + + 2022-02-01 + 2023-08-31 + +
+ + + py-Scrapy -- DoS vulnerability + + + py37-Scrapy + py38-Scrapy + py39-Scrapy + py310-Scrapy + py311-Scrapy + 2.8.0 + + + + +

kmike and nramirezuy report:

+
+

Scrapy 1.4 allows remote attackers to cause a denial of service (memory consumption) via large files because arbitrarily many files are read into memory, which is especially problematic if the files are then individually written in a separate thread to a slow storage resource, as demonstrated by interaction between dataReceived (in core/downloader/handlers/http11.py) and S3FilesStore.

+
+ +
+ + CVE-2017-14158 + https://osv.dev/vulnerability/PYSEC-2017-83 + https://osv.dev/vulnerability/GHSA-h7wm-ph43-c39p + + + 2017-09-05 + 2023-08-31 + +
+ + + py-Scrapy -- exposure of sensitive information vulnerability + + + py37-Scrapy + py38-Scrapy + py39-Scrapy + py310-Scrapy + py311-Scrapy + 2.6.1 + + + + +

ranjit-git reports:

+
+

Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository scrapy/scrapy prior to 2.6.1.

+
+ +
+ + CVE-2022-0577 + https://osv.dev/vulnerability/PYSEC-2022-159 + https://osv.dev/vulnerability/GHSA-cjvr-mfj7-j4j8 + + + 2022-03-02 + 2023-08-31 + +
+ + + py-Scrapy -- cookie injection vulnerability + + + py37-Scrapy + py38-Scrapy + py39-Scrapy + py310-Scrapy + py311-Scrapy + 1.8.2 + 2.0.02.6.0 + + + + +
+

Responses from domain names whose public domain name suffix contains 1 or more periods (e.g. responses from `example.co.uk`, given its public domain name suffix is `co.uk`) are able to set cookies that are included in requests to any other domain sharing the same domain name suffix.

+
+ +
+ + https://osv.dev/vulnerability/GHSA-mfjm-vh54-3f96 + + + 2022-03-01 + 2023-08-31 + +
+ + + py-Scrapy -- credentials leak vulnerability + + + py37-Scrapy + py38-Scrapy + py39-Scrapy + py310-Scrapy + py311-Scrapy + 1.8.3 + 2.0.02.6.2 + + + + +
+

When the built-in HTTP proxy downloader middleware processes a request with `proxy` metadata, and that `proxy` metadata includes proxy credentials, the built-in HTTP proxy downloader middleware sets the `Proxy-Authentication` header, but only if that header is not already set.

+

There are third-party proxy-rotation downloader middlewares that set different `proxy` metadata every time they process a request.

+

Because of request retries and redirects, the same request can be processed by downloader middlewares more than once, including both the built-in HTTP proxy downloader middleware and any third-party proxy-rotation downloader middleware.

+

These third-party proxy-rotation downloader middlewares could change the `proxy` metadata of a request to a new value, but fail to remove the `Proxy-Authentication` header from the previous value of the `proxy` metadata, causing the credentials of one proxy to be leaked to a different proxy.

+

If you rotate proxies from different proxy providers, and any of those proxies requires credentials, you are affected, unless you are handling proxy rotation as described under **Workarounds** below.

+

If you use a third-party downloader middleware for proxy rotation, the same applies to that downloader middleware, and installing a patched version of Scrapy may not be enough;

+

patching that downloader middlware may be necessary as well.

+
+ +
+ + https://osv.dev/vulnerability/GHSA-9x8m-2xpf-crp3 + + + 2022-07-29 + 2023-08-31 + +
+ + + py-httpx -- input validation vulnerability + + + py37-httpx013 + py38-httpx013 + py39-httpx013 + py310-httpx013 + py311-httpx013 + 0.20.0 + + + + +

lebr0nli reports:

+
+

Encode OSS httpx <=1.0.0.beta0 is affected by improper input validation in `httpx.URL`, `httpx.Client` and some functions using `httpx.URL.copy_with`.

+
+ +
+ + CVE-2021-41945 + https://osv.dev/vulnerability/PYSEC-2022-183 + https://osv.dev/vulnerability/GHSA-h8pj-cxx2-jfg2 + + + 2022-04-28 + 2023-08-31 + +
+ + + py-httpie -- exposure of sensitive information vulnerabilities + + + py37-httpie + py38-httpie + py39-httpie + py310-httpie + py311-httpie + 3.1.0 + + + + +

Glyph reports:

+
+

HTTPie is a command-line HTTP client.

+

HTTPie has the practical concept of sessions, which help users to persistently store some of the state that belongs to the outgoing requests and incoming responses on the disk for further usage.

+

Before 3.1.0, HTTPie didn't distinguish between cookies and hosts they belonged.

+

This behavior resulted in the exposure of some cookies when there are redirects originating from the actual host to a third party website.

+

Users are advised to upgrade.

+

There are no known workarounds.

+
+
+

Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository httpie/httpie prior to 3.1.0.

+
+ +
+ + CVE-2022-24737 + https://osv.dev/vulnerability/PYSEC-2022-34 + https://osv.dev/vulnerability/GHSA-9w4w-cpc8-h2fq + CVE-2022-0430 + https://osv.dev/vulnerability/PYSEC-2022-167 + https://osv.dev/vulnerability/GHSA-6pc9-xqrg-wfqw + + + 2022-03-07 + 2023-08-31 + +
+ + + py-flask-security -- user redirect to arbitrary URL vulnerability + + + py37-flask-security + py38-flask-security + py39-flask-security + py310-flask-security + py311-flask-security + 3.0.0_1 + + + + +

Snyk reports:

+
+

This affects all versions of package Flask-Security.

+

When using the `get_post_logout_redirect` and `get_post_login_redirect` functions, it is possible to bypass URL validation and redirect a user to an arbitrary URL by providing multiple back slashes such as `\\\evil.com/path`.

+

This vulnerability is only exploitable if an alternative WSGI server other than Werkzeug is used, or the default behaviour of Werkzeug is modified using `'autocorrect_location_header=False`.

+

**Note:** Flask-Security is not maintained anymore.

+
+ +
+ + CVE-2021-23385 + https://osv.dev/vulnerability/GHSA-cg8c-gc2j-2wf7 + + + 2022-08-02 + 2023-08-31 + +
+ + + py-Flask-Cors -- directory traversal vulnerability + + + py37-Flask-Cors + py38-Flask-Cors + py39-Flask-Cors + py310-Flask-Cors + py311-Flask-Cors + 3.0.9 + + + + +

praetorian-colby-morgan reports:

+
+

An issue was discovered in Flask-CORS (aka CORS Middleware for Flask) before 3.0.9.

+

It allows ../ directory traversal to access private resources because resource matching does not ensure that pathnames are in a canonical format.

+
+ +
+ + CVE-2020-25032 + https://osv.dev/vulnerability/PYSEC-2020-43 + https://osv.dev/vulnerability/GHSA-xc3p-ff3m-f46v + + + 2020-08-31 + 2023-08-31 + +
+ + + py-flask-caching -- remote code execution or local privilege escalation vulnerabilities + + + py37-flask-caching + py38-flask-caching + py39-flask-caching + py310-flask-caching + py311-flask-caching + 2.0.2 + + + + +

subnix reports:

+
+

The Flask-Caching extension through 2.0.2 for Flask relies on Pickle for serialization, which may lead to remote code execution or local privilege escalation.

+

If an attacker gains access to cache storage (e.g., filesystem, Memcached, Redis, etc.), they can construct a crafted payload, poison the cache, and execute Python code.

+
+ +
+ + CVE-2021-33026 + https://osv.dev/vulnerability/PYSEC-2021-13 + https://osv.dev/vulnerability/GHSA-656c-6cxf-hvcv + + + 2021-05-13 + 2023-08-31 + +
+ + + py-django-photologue -- XSS vulnerability + + + py37-django-photologue + py38-django-photologue + py39-django-photologue + py310-django-photologue + py311-django-photologue + 3.15_1 + + + + +

domiee13 reports:

+
+

A vulnerability was found in django-photologue up to 3.15.1 and classified as problematic.

+

Affected by this issue is some unknown functionality of the file photologue/templates/photologue/photo_detail.html of the component Default Template Handler.

+

The manipulation of the argument object.caption leads to cross site scripting.

+

The attack may be launched remotely.

+

Upgrading to version 3.16 is able to address this issue.

+

The name of the patch is 960cb060ce5e2964e6d716ff787c72fc18a371e7.

+

It is recommended to apply a patch to fix this issue.

+

VDB-215906 is the identifier assigned to this vulnerability.

+
+ +
+ + CVE-2022-4526 + https://osv.dev/vulnerability/GHSA-287q-jfcp-9vhv + + + 2022-12-15 + 2023-08-31 + +
+ + + py-pygments -- multiple DoS vulnerabilities + + + py37-pygments + py38-pygments + py39-pygments + py310-pygments + py311-pygments + 2.7.4 + + + py37-pygments-25 + py38-pygments-25 + py39-pygments-25 + py310-pygments-25 + py311-pygments-25 + 2.7.4 + + + + +

Red Hat reports:

+
+

An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the "exception" keyword.

+
+

Ben Caller reports:

+
+

In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions.

+

Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS.

+

By crafting malicious input, an attacker can cause a denial of service.

+
+ +
+ + CVE-2021-20270 + https://osv.dev/vulnerability/PYSEC-2021-140 + https://osv.dev/vulnerability/GHSA-9w8r-397f-prfh + CVE-2021-27291 + https://osv.dev/vulnerability/PYSEC-2021-141 + https://osv.dev/vulnerability/GHSA-pq64-v7f5-gqh8 + + + 2021-03-17 + 2023-08-31 + +
+ + + py-markdown2 -- regular expression denial of service vulnerability + + + py37-markdown2 + py38-markdown2 + py39-markdown2 + py310-markdown2 + py311-markdown2 + 2.4.0 + + + + +

Ben Caller reports:

+
+

markdown2 >=1.0.1.18, fixed in 2.4.0, is affected by a regular expression denial of service vulnerability.

+

If an attacker provides a malicious string, it can make markdown2 processing difficult or delayed for an extended period of time.

+
+ +
+ + CVE-2021-26813 + https://osv.dev/vulnerability/PYSEC-2021-20 + https://osv.dev/vulnerability/GHSA-jr9p-r423-9m2r + + + 2021-03-03 + 2023-08-31 + +
+ + + py-markdown2 -- XSS vulnerability + + + py37-markdown2 + py38-markdown2 + py39-markdown2 + py310-markdown2 + py311-markdown2 + 2.3.9 + + + + +

TheGrandPew reports:

+
+

python-markdown2 through 2.3.8 allows XSS because element names are mishandled unless a \w+ match succeeds.

+

For example, an attack might use elementname@ or elementname- with an onclick attribute.

+
+ +
+ + CVE-2020-11888 + https://osv.dev/vulnerability/PYSEC-2020-65 + https://osv.dev/vulnerability/GHSA-fv3h-8x5j-pvgq + + + 2020-04-20 + 2023-08-31 + +
+ + + py-dparse -- REDoS vulnerability + + + py37-dparse + py38-dparse + py39-dparse + py310-dparse + py311-dparse + 0.5.2 + + + + +

yeisonvargasf reports:

+
+

dparse is a parser for Python dependency files.

+

dparse in versions before 0.5.2 contain a regular expression that is vulnerable to a Regular Expression Denial of Service.

+

All the users parsing index server URLs with dparse are impacted by this vulnerability.

+

Users unable to upgrade should avoid passing index server URLs in the source file to be parsed.

+
+ +
+ + CVE-2022-39280 + https://osv.dev/vulnerability/PYSEC-2022-301 + https://osv.dev/vulnerability/GHSA-8fg9-p83m-x5pq + + + 2022-10-06 + 2023-08-31 + +
+ FreeBSD -- Network authentication attack via pam_krb5