From nobody Mon Apr 10 06:41:39 2023
X-Original-To: dev-commits-ports-main@mlmmj.nyi.freebsd.org
Date: Mon, 10 Apr 2023 06:41:39 GMT
Message-Id: <202304100641.33A6fdbg082605@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
From: Philip Paeps
Subject: git: e79c831d316e - main - security/vuxml: document 20 py*-* vulnerabilities
List-Id: Commits to the main branch of the FreeBSD ports repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-main
List-Help:
List-Post:
List-Subscribe:
List-Unsubscribe:
Sender: owner-dev-commits-ports-main@freebsd.org
X-BeenThere: dev-commits-ports-main@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: philip
X-Git-Repository: ports
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: e79c831d316e20f53599db90a6083a274d5426cd
Auto-Submitted: auto-generated
X-ThisMailContainsUnwantedMimeParts: N

The branch main has been updated by philip:

URL: https://cgit.FreeBSD.org/ports/commit/?id=e79c831d316e20f53599db90a6083a274d5426cd

commit e79c831d316e20f53599db90a6083a274d5426cd
Author:     Hubert Tournier
AuthorDate: 2023-04-10 06:35:10 +0000
Commit:     Philip Paeps
CommitDate: 2023-04-10 06:38:03 +0000

    security/vuxml: document 20 py*-* vulnerabilities

    Vulnerable Python ports discovered with pysec2vuxml.

    See also: .

    PR:		270723
---
 security/vuxml/vuln/2023.xml | 598 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 598 insertions(+)

diff --git a/security/vuxml/vuln/2023.xml b/security/vuxml/vuln/2023.xml
index 51a973a648f8..f98e21ff05c2 100644
--- a/security/vuxml/vuln/2023.xml
+++ b/security/vuxml/vuln/2023.xml
@@ -1,3 +1,601 @@
+ + py39-cinder -- insecure-credentials flaw + + + py39-cinder + 14.1.0 + 15.0.015.2.0 + 16.0.015.1.0 + + + + +

OpenStack project reports:

+
+

An insecure-credentials flaw was found in all openstack-cinder versions before openstack-cinder 14.1.0, all openstack-cinder 15.x.x versions before openstack-cinder 15.2.0 and all openstack-cinder 16.x.x versions before openstack-cinder 16.1.0.

+

When using openstack-cinder with the Dell EMC ScaleIO or VxFlex OS backend storage driver, credentials for the entire backend are exposed in the ``connection_info`` element in all Block Storage v3 Attachments API calls containing that element.

+

This flaw enables an end-user to create a volume, make an API call to show the attachment detail information, and retrieve a username and password that may be used to connect to another user's volume.

+

Additionally, these credentials are valid for the ScaleIO or VxFlex OS Management API, should an attacker discover the Management API endpoint.

+
+ +
+ + CVE-2020-10755 + https://osv.dev/vulnerability/PYSEC-2020-228 + + + 2020-06-10 + 2023-04-09 + +
+ + + py39-OWSLib -- arbitrary file read vulnerability + + + py39-OWSLib + 0.28.1 + + + + +

Jorge Rosillo reports:

+
+

OWSLib's XML parser (which supports both `lxml` and `xml.etree`) does not disable entity resolution for `lxml`, and could lead to arbitrary file reads from an attacker-controlled XML payload.

+

This affects all XML parsing in the codebase.

+
+ +
+ + CVE-2023-27476 + https://osv.dev/vulnerability/GHSA-8h9c-r582-mggc + + + 2023-03-07 + 2023-04-09 + +
+ + + py39-unicorn -- sandbox escape and arbitrary code execution vulnerability + + + py39-unicorn + 2.0.0rc1 + + + + +

jwang-a reports:

+
+

An issue was discovered in split_region in uc.c in Unicorn Engine before 2.0.0-rc5.

+

It allows local attackers to escape the sandbox.

+

An attacker must first obtain the ability to execute crafted code in the target sandbox in order to exploit this vulnerability.

+

The specific flaw exists within the virtual memory manager.

+

The issue results from the faulty comparison of GVA and GPA while calling uc_mem_map_ptr to free part of a claimed memory block.

+

An attacker can leverage this vulnerability to escape the sandbox and execute arbitrary code on the host machine.

+
+ +
+ + CVE-2021-44078 + https://osv.dev/vulnerability/PYSEC-2021-868 + + + 2021-12-26 + 2023-04-09 + +
+ + + py39-pycares -- domain hijacking vulnerability + + + py39-pycares + 4.2.0 + + + + +

Philipp Jeitner and Haya Shulman report:

+
+

A flaw was found in c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Servers) can lead to output of wrong hostnames which might potentially lead to Domain Hijacking.

+

The highest threat from this vulnerability is to confidentiality and integrity as well as system availability.

+
+ +
+ + CVE-2021-3672 + https://osv.dev/vulnerability/GHSA-c58j-88f5-h53f + + + 2021-06-11 + 2023-04-09 + +
+ + + py39-setuptools -- denial of service vulnerability + + + py39-setuptools + 65.5.1 + + + + +

SCH227 reports:

+
+

Python Packaging Authority (PyPA)'s setuptools is a library designed to facilitate packaging Python projects.

+

Setuptools version 65.5.0 and earlier could allow remote attackers to cause a denial of service by fetching malicious HTML from a PyPI package or custom PackageIndex page due to a vulnerable Regular Expression in `package_index`.

+

This has been patched in version 65.5.1.

+
+ +
+ + CVE-2022-40897 + https://osv.dev/vulnerability/GHSA-r9hx-vwmv-q579 + + + 2022-12-23 + 2023-04-09 + +
+ + + py27-setuptools44 -- denial of service vulnerability + + + py27-setuptools44 + 65.5.1 + + + + +

SCH227 reports:

+
+

Python Packaging Authority (PyPA)'s setuptools is a library designed to facilitate packaging Python projects.

+

Setuptools version 65.5.0 and earlier could allow remote attackers to cause a denial of service by fetching malicious HTML from a PyPI package or custom PackageIndex page due to a vulnerable Regular Expression in `package_index`.

+

This has been patched in version 65.5.1.

+
+ +
+ + CVE-2022-40897 + https://osv.dev/vulnerability/GHSA-r9hx-vwmv-q579 + + + 2022-12-23 + 2023-04-09 + +
+ + + py39-setuptools58 -- denial of service vulnerability + + + py39-setuptools58 + 65.5.1 + + + + +

SCH227 reports:

+
+

Python Packaging Authority (PyPA)'s setuptools is a library designed to facilitate packaging Python projects.

+

Setuptools version 65.5.0 and earlier could allow remote attackers to cause a denial of service by fetching malicious HTML from a PyPI package or custom PackageIndex page due to a vulnerable Regular Expression in `package_index`.

+

This has been patched in version 65.5.1.

+
+ +
+ + CVE-2022-40897 + https://osv.dev/vulnerability/GHSA-r9hx-vwmv-q579 + + + 2022-12-23 + 2023-04-09 + +
+ + + py39-sentry-sdk -- sensitive cookies leak + + + py39-sentry-sdk + 1.14.0 + + + + +

Tom Wolters reports:

+
+

When using the Django integration of the Sentry SDK in a specific configuration it is possible to leak sensitive cookies values, including the session cookie to Sentry.

+

These sensitive cookies could then be used by someone with access to your Sentry issues to impersonate or escalate their privileges within your application.

+
+ +
+ + CVE-2023-28117 + https://osv.dev/vulnerability/GHSA-29pr-6jr8-q5jm + + + 2023-03-21 + 2023-04-09 + +
+ + + py39-py -- Regular expression Denial of Service vulnerability + + + py39-py + 1.11.0 + + + + +

SCH227 reports:

+
+

The py library through 1.11.0 for Python allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled.

+
+ +
+ + CVE-2022-42969 + https://osv.dev/vulnerability/PYSEC-2022-42969 + https://osv.dev/vulnerability/GHSA-w596-4wvx-j9j6 + + + 2022-11-04 + 2023-04-09 + +
+ + + py39-joblib -- arbitrary code execution + + + py39-joblib + 1.2.0 + + + + +

jimlinntu reports:

+
+

The package joblib from 0 and before 1.2.0 are vulnerable to Arbitrary Code Execution via the pre_dispatch flag in Parallel() class due to the eval() statement.

+
+ +
+ + CVE-2022-21797 + https://osv.dev/vulnerability/PYSEC-2022-288 + https://osv.dev/vulnerability/GHSA-6hrg-qmvc-2xh8 + + + 2022-09-26 + 2023-04-09 + +
+ + + py39-configobj -- vulnerable to Regular Expression Denial of Service + + + py39-configobj + 5.0.6_1 + + + + +

DarkTinia reports:

+
+

All versions of the package configobj are vulnerable to Regular Expression Denial of Service (ReDoS) via the validate function, using (.+?)\((.*)\).

+

**Note:** This is only exploitable in the case of a developer, putting the offending value in a server side configuration file.

+
+ +
+ + CVE-2023-26112 + https://osv.dev/vulnerability/GHSA-c33w-24p9-8m24 + + + 2023-04-03 + 2023-04-09 + +
+ + + py39-celery -- command injection vulnerability + + + py39-celery + 5.2.2 + + + + +

Snyk reports:

+
+

This affects the package celery before 5.2.2.

+

It by default trusts the messages and metadata stored in backends (result stores).

+

When reading task metadata from the backend, the data is deserialized.

+

Given that an attacker can gain access to, or somehow manipulate the metadata within a celery backend, they could trigger a stored command injection vulnerability and potentially gain further access to the system.

+
+ +
+ + CVE-2021-23727 + https://osv.dev/vulnerability/PYSEC-2021-858 + https://osv.dev/vulnerability/GHSA-q4xr-rc97-m4xx + + + 2021-12-09 + 2023-04-09 + +
+ + + py39-redis -- can send response data to the client of an unrelated request + + + py39-redis + 4.4.04.4.4 + 4.5.04.5.4 + + + + +

drago-balto reports:

+
+

redis-py through 4.5.3 and 4.4.3 leaves a connection open after canceling an async Redis command at an inopportune time (in the case of a non-pipeline operation), and can send response data to the client of an unrelated request.

+

NOTE: this issue exists because of an incomplete fix for CVE-2023-28858.

+
+ +
+ + CVE-2023-28859 + https://osv.dev/vulnerability/GHSA-8fww-64cx-x8p5 + + + 2023-03-26 + 2023-04-09 + +
+ + + py39-redis -- can send response data to the client of an unrelated request + + + py39-redis + 4.3.6 + 4.4.04.4.3 + 4.5.04.5.3 + + + + +

drago-balto reports:

+
+

redis-py before 4.5.3, as used in ChatGPT and other products, leaves a connection open after canceling an async Redis command at an inopportune time (in the case of a pipeline operation), and can send response data to the client of an unrelated request in an off-by-one manner.

+

The fixed versions for this CVE Record are 4.3.6, 4.4.3, and 4.5.3, but [are believed to be incomplete](https://github.com/redis/redis-py/issues/2665).

+

CVE-2023-28859 has been assigned the issues caused by the incomplete fixes.

+
+ +
+ + CVE-2023-28858 + https://osv.dev/vulnerability/GHSA-24wv-mv5m-xv4h + + + 2023-03-26 + 2023-04-09 + +
+ + + py39-sqlalchemy12 -- multiple SQL Injection vulnerabilities + + + py39-sqlalchemy12 + 1.3.0 + + + + +

21k reports:

+
+

SQLAlchemy through 1.2.17 and 1.3.x through 1.3.0b2 allows SQL Injection via the order_by parameter.

+
+

nosecurity reports:

+
+

SQLAlchemy 1.2.17 has SQL Injection when the group_by parameter can be controlled.

+
+ +
+ + CVE-2019-7548 + CVE-2019-7164 + https://osv.dev/vulnerability/PYSEC-2019-123 + https://osv.dev/vulnerability/PYSEC-2019-124 + https://osv.dev/vulnerability/GHSA-38fc-9xqv-7f7q + https://osv.dev/vulnerability/GHSA-887w-45rq-vxgf + + + 2019-02-06 + 2023-04-09 + +
+ + + py39-sqlalchemy11 -- multiple SQL Injection vulnerabilities + + + py39-sqlalchemy11 + 1.3.0 + + + + +

21k reports:

+
+

SQLAlchemy through 1.2.17 and 1.3.x through 1.3.0b2 allows SQL Injection via the order_by parameter.

+
+

nosecurity reports:

+
+

SQLAlchemy 1.2.17 has SQL Injection when the group_by parameter can be controlled.

+
+ +
+ + CVE-2019-7164 + CVE-2019-7548 + https://osv.dev/vulnerability/PYSEC-2019-123 + https://osv.dev/vulnerability/PYSEC-2019-124 + https://osv.dev/vulnerability/GHSA-38fc-9xqv-7f7q + https://osv.dev/vulnerability/GHSA-887w-45rq-vxgf + + + 2019-02-06 + 2023-04-09 + +
+ + + py39-sqlalchemy10 -- multiple SQL Injection vulnerabilities + + + py39-sqlalchemy10 + 1.3.0 + + + + +

21k reports:

+
+

SQLAlchemy through 1.2.17 and 1.3.x through 1.3.0b2 allows SQL Injection via the order_by parameter.

+
+

nosecurity reports:

+
+

SQLAlchemy 1.2.17 has SQL Injection when the group_by parameter can be controlled.

+
+ +
+ + CVE-2019-7164 + CVE-2019-7548 + https://osv.dev/vulnerability/PYSEC-2019-123 + https://osv.dev/vulnerability/PYSEC-2019-124 + https://osv.dev/vulnerability/GHSA-887w-45rq-vxgf + https://osv.dev/vulnerability/GHSA-38fc-9xqv-7f7q + + + 2019-02-06 + 2023-03-28 + +
+ + + py39-lmdb -- multiple vulnerabilities + + + py39-lmdb + 0.98 + + + + +

TeamSeri0us reports:

+
+

An issue was discovered in py-lmdb 0.97. For certain values of md_flags, mdb_node_add does not properly set up a memcpy destination, leading to an invalid write operation. NOTE: this outcome occurs when accessing a data.mdb file supplied by an attacker.

+
+
+

An issue was discovered in py-lmdb 0.97. For certain values of mp_flags, mdb_page_touch does not properly set up mc->mc_pg[mc->top], leading to an invalid write operation. NOTE: this outcome occurs when accessing a data.mdb file supplied by an attacker.

+
+
+

An issue was discovered in py-lmdb 0.97. mdb_node_del does not validate a memmove in the case of an unexpected node->mn_hi, leading to an invalid write operation. NOTE: this outcome occurs when accessing a data.mdb file supplied by an attacker.

+
+
+

An issue was discovered in py-lmdb 0.97. For certain values of mn_flags, mdb_cursor_set triggers a memcpy with an invalid write operation within mdb_xcursor_init1. NOTE: this outcome occurs when accessing a data.mdb file supplied by an attacker.

+
+
+

An issue was discovered in py-lmdb 0.97. There is a divide-by-zero error in the function mdb_env_open2 if mdb_env_read_header obtains a zero value for a certain size field. NOTE: this outcome occurs when accessing a data.mdb file supplied by an attacker.

+
+ +
+ + CVE-2019-16224 + https://osv.dev/vulnerability/PYSEC-2019-236 + CVE-2019-16225 + https://osv.dev/vulnerability/PYSEC-2019-237 + CVE-2019-16226 + https://osv.dev/vulnerability/PYSEC-2019-238 + CVE-2019-16227 + https://osv.dev/vulnerability/PYSEC-2019-239 + CVE-2019-16228 + https://osv.dev/vulnerability/PYSEC-2019-240 + + + 2019-09-11 + 2023-03-26 + +
+ + + py39-Elixir -- weak use of cryptography + + + py39-Elixir + 0.8.0 + + + + +

Red Hat Security Response Team reports:

+
+

Elixir 0.8.0 uses Blowfish in CFB mode without constructing a unique initialization vector (IV), which makes it easier for context-dependent users to obtain sensitive information and decrypt the database.

+
+ +
+ + CVE-2012-2146 + https://osv.dev/vulnerability/PYSEC-2012-13 + + + 2012-08-26 + 2023-03-26 + +
+ + + py39-rencode -- infinite loop that could lead to Denial of Service + + + py39-rencode + 1.0.6_1 + + + + +

NIST reports:

+
+

The rencode package through 1.0.6 for Python allows an infinite loop in typecode decoding (such as via ;\x2f\x7f), enabling a remote attack that consumes CPU and memory.

+
+ +
+ + CVE-2021-40839 + https://osv.dev/vulnerability/PYSEC-2021-345 + https://osv.dev/vulnerability/GHSA-gh8j-2pgf-x458 + + + 2021-09-09 + 2023-03-25 + 2023-03-26 + +
+ chromium -- multiple vulnerabilities
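Review bot: the third version range of the py39-cinder entry at the top of this hunk reads `16.0.0` to `15.1.0`, which is an inverted and therefore empty range; the quoted OpenStack text says the 16.x.x line is fixed in 16.1.0, so the upper bound should be `16.1.0`. Two other bounds in the hunk disagree with the quoted reports and should be checked against the range tags before this goes in: py39-unicorn is bounded at `2.0.0rc1` while the report says the flaw is present in Unicorn Engine before 2.0.0-rc5, and py39-py is bounded at `1.11.0` while the report says versions through 1.11.0 are affected, so 1.11.0 itself must fall inside the range (an inclusive bound rather than a strict one); the same question applies to py39-Elixir, where 0.8.0 is the version the report names as affected and `0.8.0` is the bound. On style, the py39-sqlalchemy10, py39-sqlalchemy11 and py39-sqlalchemy12 entries are three copies of the same text, references and dates (with the reference order and modified date drifting between copies), as are the three setuptools entries; VuXML allows several `<package>` blocks inside one `<affects>`, and a single entry per advisory would keep the copies from diverging further.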