vulnerabilities.yaml

# Vulnerabilities: http://www.itsecdb.com/oval/definitions/product-18230/0/Python-Python.html?class=5

# Template to add a new vulnerability:
# - name: "xxx"
#   slug: xxx
#   # CVE can be a single string or a list
#   cve: xxx
#   # GitHub issue number
#   gh: xxx
#   links:
#     - xxx
#   fixed-in:
#    - '3.x': xxx
#    - '3.y': xxx
#   description: |
#     xxx
#     xxx
#     xxx
#
# There are many optional fields:
#
# - name: ""
#   slug:
#   # CVE can be a single string or a list
#   cve:
#   # GitHub issue number
#   gh:
#   links:
#     -
#   disclosure: "" -- optional, use bpo if missing
#   reported-at: ""
#   reported-by: ""
#   fixed-in:
#    - '3.x': commit_sha1
#    - '3.y': commit_sha1
#   affected-versions:
#    - "x.y"
#   description: |
#
# For old issues, "bpo: xxx" is also supposed for links to bugs.python.org.
#
# Other tag: "ignore-python3: true", used for modules removed from Python 3

- name: "urllib FTP protocol stream injection"
  slug: urllib-ftp-stream-injection
  cve:
  # Bug number at bugs.python.org (bpo)
  bpo: 30119
  links:
    - http://blog.blindspotsecurity.com/2017/02/advisory-javapython-ftp-injections.html
    - http://www.openwall.com/lists/oss-security/2017/02/20/1
    - https://bugzilla.redhat.com/show_bug.cgi?id=1478916
  disclosure: "2017-02-20 (blog post, mail to oss-security)"
  reported-at: "2016-01-15 (email sent to the PSRT list)"
  reported-by: "Timothy D. Morgan (Blindspot)"
  fixed-in:
   - '2.7': e5eae474c431af2880a68f6329840b9288fc4bc1
   - '3.3': a4e774f86224cd8c997deaa4e71312cf1a7b023c
   - '3.4': 2a5a26c87e82c7d9a348792891feccd1b5e9a769
   - '3.5': 19b2890014d3098147d16475c492a47a43893768
   - '3.6': 8c2d4cf092c5f0335e7982392a33927579c4d512
   - '3.7': 2b1e6e9696cb433c0e0da11145157d54275d119f
  description: |
    FTP protocol stream injection via malicious URLs.

- name: "bpo-30500: urllib connects to a wrong host"
  slug: urllib-connects-wrong-host
  bpo: 30500
  reported-at: 2017-03-04 (Orange Tsai on the PSRT list)
  description: |
    The urllib module doesn't parse correctly password containing the ``#``
    character.
  fixed-in:
    - '3.7': 90e01e50ef8a9e6c91f30d965563c378a4ad26de
    - '3.6': b0fba8874a4bd6bf4773e6efdbd8fa762e9f05bd
    - '3.5': 4899d847ed3f56b2a712799f896aa1f28540a5c0
    - '3.4': cc54c1c0d2d05fe7404ba64c53df4b1352ed2262
    - '3.3': 052f9d6860c48c5abcff8e16212e77cf4249d66c
    - '2.7': d4324baca4c03eb8d55446cd1b74b32ec5633af5

- name: "smtplib TLS stripping"
  slug: smtplib-tls-stripping
  cve: CVE-2016-0772
  disclosure: 2016-06-11 (commit date)
  reported-at: 2016-02-01 (Red Hat issue reported)
  reported-by: Tin (Team Oststrom)
  links:
    - http://seclists.org/oss-sec/2016/q2/541
    - https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-0772
  description: |
    A vulnerability in smtplib allowing MITM attacker to perform a startTLS
    stripping attack. smtplib does not seem to raise an exception when the
    remote end (SMTP server) is capable of negotiating starttls but fails to
    respond with 220 (ok) to an explicit call of SMTP.starttls(). This may
    allow a malicious MITM to perform a startTLS stripping attack if the client
    code does not explicitly check the response code for startTLS.

  fixed-in:
    - '2.7': 2e1b7fc998e1744eeb3bb31b131eba0145b88a2f
    - '3.3': 3625f7fd11679ecb390ffa58ef36d487acc8159b
    - '3.4': 46b32f307c48bcb999b22eebf65ffe8ed5cca544

- name: "Issue #26657: HTTP server directory traversal"
  slug: http-server-directory-traversal
  bpo: 26657
  fixed-in:
    - '2.7': 0cf2cf2b7d726d12a6046441e4067d32c7dd4feb
    - '3.4': 6f6bc1da8aaae52664e7747e328d26eb59c0e74f
    - '3.5': d274b3f1f1e2d8811733fb952c9f18d7da3a376a
    - '3.3': 7b92f9fa47df754b50c64aac84cf1c09693571af
  description: |
    Fix directory traversal vulnerability with ``http.server`` and
    ``SimpleHTTPServer`` on Windows.

    Regression of Python 3.3.5.

    Python issue reported at 2016-03-14.

- name: "Issue #26556: Expat 2.1.1"
  slug: expat-2.1.1
  cve: CVE-2015-1283
  bpo: 26556
  links:
    - https://sourceforge.net/p/expat/bugs/528/
  reported-at: "2015-07-24 (Expat issue #528 reported)"
  reported-by: David Dillard (Expat issue)
  fixed-in:
    - '2.7': d244a8f7cb0ec6979ec9fc7acd39e95f5339ad0e
    - '3.4': 196d7db3956f4c0b03e87b570771b3460a61bab5
    - '3.3': ab90986600ba7dea2aa41e5c1773791070725453
  description: |
    Multiple integer overflows have been discovered in Expat, an XML parsing C
    library, which may result in denial of service or the execution of
    arbitrary code if a malformed XML file is processed.

    Update bundled copy of Expat library to version 2.1.1 to get CVE-2015-1283
    fixes.

- name: "HTTP header injection"
  slug: http-header-injection
  cve: CVE-2016-5699
  bpo: 22928
  links:
    - http://blog.blindspotsecurity.com/2016/06/advisory-http-header-injection-in.html
  redhat-impact: "Moderate"
  fixed-in:
    - '2.7': 59bdf6392de446de8a19bfa37cee52981612830e
    - '3.4': a112a8ae47813f75aa8ad27ee8c42a7c2e937d13
    - '3.5': b669bfc2bed1f5487ac2762bff53b55f6155bb60
    - '3.3': 8e88f6b5e2a35ee458c161aa3f2b7f1f17fb45d1
  description: |
    HTTP header injection in ``urllib``, ``urrlib2``, ``httplib`` and
    ``http.client`` modules.

    CRLF injection vulnerability in the ``HTTPConnection.putheader()`` function
    in ``urllib2`` and ``urllib`` in CPython before 2.7.10 and 3.x before 3.4.4
    allows remote attackers to inject arbitrary HTTP headers via CRLF sequences
    in a URL.

    Reported again in January 2016 by Timothy D. Morgan (Blindspot Security),
    with a full disclosed at 2016-06-15.

- name: "Hash DoS"
  slug: hash-dos
  cve: CVE-2012-1150
  disclosure: 2011-12-28 (CCC talk)
  reported-by: Alexander “alech” Klink and Julian “zeri” Wälde
  bpo: 13703
  links:
   - https://events.ccc.de/congress/2011/Fahrplan/events/4680.en.html
   - http://www.ocert.org/advisories/ocert-2011-003.html
  fixed-in:
    - '2.6': 1e13eb084f72d5993cbb726e45b36bdb69c83a24
    - '2.7': 2daf6ae2495c862adf8bc717bfe9964081ea0b10
  description: |
    Hash collision denial of service.

    Python 2.7 and older and Python 3.2 and older require the ``-R`` command
    line option to enable the enable hash function randomization. Randomization
    is enabled by default since Python 3.3 (the ``-R`` option is ignored).

    "Effective Denial of Service attacks against web application platforms"
    talk at the CCC: 2011-12-28

    See also the `PEP 456: Secure and interchangeable hash algorithm
    <https://www.python.org/dev/peps/pep-0456/>`_: Python 3.4 switched to
    `SipHash <https://131002.net/siphash/>`_.

    * Ruby: CRuby 1.9 fixed the vulnerability in 2008 with randomized hash
      function; JRuby has also been fixed.
    * Perl: Perl 5.8.1 fixed the vulnerability in 2003 using a random
      "PERL_HASH_SEED".

- name: "zipimporter overflow"
  slug: zipimporter-overflow
  cve: CVE-2016-5636
  bpo: 26171
  fixed-in:
   - '2.7': 64ea192b73e39e877d8b39ce6584fa580eb0e9b4
   - '3.3': d751040b1a4e35fd3b01fc919cd8f9374ed714fd
   - '3.4': c4032da2012d75c6c358f74d8bf9ee98a7fe8ecf
  description: |
    Heap overflow in ``zipimporter`` module.

- name: "smtplib unlimited read"
  slug: smtplib-unlimited-read
  cve: CVE-2013-1752
  bpo: 16042
  links:
    - https://access.redhat.com/security/cve/cve-2013-1752
  redhat-impact: "Moderate"
  fixed-in:
    - '2.7': dabfc56b57f5086eb5522d8e6cd7670c62d2482d
    - '3.2': 210ee47e3340d8e689d8cce584e7c918d368f16b
  description: |
    The smtplib module doesn't limit the amount of read data in
    its call to readline(). An erroneous or malicious SMTP server can trick the
    smtplib module to consume large amounts of memory.

- name: "httplib unlimited read"
  slug: httplib-unlimited-read
  cve: CVE-2013-1752
  bpo: 6791
  redhat-impact: "Moderate"
  fixed-in:
    - '2.7': d7b6ac66c1b81d13f2efa8d9ebba69e17c158c0a
    - '3.2': ff1bbba92aad261df1ebd8fd8cc189c104e113b0
    - '3.3': 5466bf1c94d38e75bc053b0cfc163e2f948fe345
  description: |
    Limit the HTTP header readline.

- name: "ftplib unlimited read"
  slug: ftplib-unlimited-read
  cve: CVE-2013-1752
  bpo: 16038
  links:
    - https://access.redhat.com/security/cve/cve-2013-1752
  redhat-impact: "Moderate"
  fixed-in:
   - '2.7': 2585e1e48abb3013abeb8a1fe9dccb5f79ac4091
   - '3.2': c9cb18d3f7e5bf03220c213183ff0caa75905bdd
   - '3.3': c30b178cbc92e62c22527cd7e1af2f02723ba679
  description: |
    ftplib: unlimited read from connection.

- name: "nntplib unlimited read"
  slug: nntplib-unlimited-read
  cve: CVE-2013-1752
  bpo: 16040
  links:
    - https://access.redhat.com/security/cve/cve-2013-1752
  redhat-impact: "Moderate"
  fixed-in:
   - '2.7': 42faa55124abcbb132c57745dec9e0489ac74406
   - '3.2': b3ac84322fe6dd542aa755779cdbc155edca8064
  description: |
    Unlimited read from connection in nntplib.

- name: "poplib unlimited read"
  slug: poplib-unlimited-read
  cve: CVE-2013-1752
  bpo: 16041
  links:
    - https://access.redhat.com/security/cve/cve-2013-1752
  redhat-impact: "Moderate"
  fixed-in:
   - '2.7': faad6bbea6c86e30c770eb0a3648e2cd52b2e55e
   - '3.2': eaca8616ab0e219ebb5cf37d495f4bf336ec0f5e
  description: |
    poplib: unlimited read from connection.

- name: "xmlrpc gzip unlimited read"
  slug: xmlrpc-gzip-unlimited-read
  cve: CVE-2013-1753
  bpo: 16043
  links:
    - https://access.redhat.com/security/cve/cve-2013-1753
  redhat-impact: "Moderate"
  fixed-in:
   - '2.7': 9e8f523c5b1c354097753084054eadf14d33238d
   - '3.2': 4e9cefaf86035f8014e09049328d197b6506532f
  description: |
    Add a default limit for the amount of data ``xmlrpclib.gzip_decode()`` will
    return.

- name: "JSONDecoder.raw_decode"
  slug: jsondecoder-raw_decode
  cve: CVE-2014-4616
  bpo: 21529
  disclosure: "2014-04-13 (commit)"
  redhat-impact: "Moderate"
  links:
    - https://access.redhat.com/security/cve/cve-2014-4616
  fixed-in:
   - '2.7': 6c939cb6f6dfbd273609577b0022542d31ae2802
   - '3.2': 99b5afab74428e5ddfd877bdf3aa8a8c479696b1
  reported-by: Guido Vranken
  description: |
    Fix arbitrary memory access in ``JSONDecoder.raw_decode()`` with a negative
    second parameter.

    Note: The issue #21529 was created at 2014-05-19, after the commit.

- name: gettext.c2py()
  slug: gettext-c2py
  bpo: 28563
  links:
    - https://www.xil.se/post/is-eval-safe-yet-rspkt/
  fixed-in:
   - '2.7': a8760275bd59fb8d8be1f1bf05313fed31c08321
   - '3.3': 07bcf05fcf3fd1d4001e8e3489162e6d67638285
  description: |
    Arbitrary code execution in ``gettext.c2py()``.

- name: "HTTPoxy attack"
  slug: httpoxy
  cve: CVE-2016-1000110
  bpo: 27568
  links:
    - https://httpoxy.org/
    - https://access.redhat.com/security/cve/cve-2016-1000110
  reported-by: Scott Geary (HTTPoxy)
  fixed-in:
   - '2.7': 75d7b615ba70fc5759d16dee95bbd8f0474d8a9c
   - '3.3': 4cbb23f8f278fd1f71dcd5968aa0b3f0b4f3bd5d
  description: |
    It was discovered that the Python ``CGIHandler`` class did not properly
    protect against the ``HTTP_PROXY`` variable name clash in a CGI context.

    A remote attacker could possibly use this flaw to redirect HTTP requests
    performed by a Python CGI script to an attacker-controlled proxy via a
    malicious HTTP request.

    Ignore the ``HTTP_PROXY`` variable when ``REQUEST_METHOD`` environment is
    set, which indicates that the script is in CGI mode.

    CVSS score: 5.0 (CVSS v3).

- name: "socket.recvfrom_into() overflow"
  slug: socket-recvfrom_into-overflow
  cve: CVE-2014-1912
  bpo: 20246
  fixed-in:
   - '2.7': 28cf368c1baba3db1f01010e921f63017af74c8f
   - '3.3': fbf648ebba32bbc5aa571a4b09e2062a65fd2492
  description: |
    ``socket.recvfrom_into()`` fails to check that the supplied buffer object
    is big enough for the requested read and so will happily write off the end.

- name: "CGI directory traversal (URL parsing)"
  slug: cgi-directory-traversal-url-parsing
  bpo: 19435
  fixed-in:
   - '2.7': 1ef959ac3ddc4d96dfa1a613db5cb206cdaeb662
   - '3.2': 04e9de40f380b2695f955d68f2721d57cecbf858
  description: |
    An error in separating the path and filename of the CGI script to run in
    ``http.server.CGIHTTPRequestHandler`` allows running arbitrary executables
    in the directory under which the server was started.

- name: "ssl.match_hostname() wildcard DoS"
  slug: ssl-match_hostname-wildcard-dos
  cve: CVE-2013-2099
  bpo: 17980
  affected-versions:
   # ssl.match_hostname() was added to Python 3.2
   # The function was backported to 2.7.9 with the IDNA fix
   # (commit daeb925cc88cc8fed2030166ade641de28edb396).
   - '3.2'
  fixed-in:
   - '3.2': 86d53caddad11808ca332ab93ec35508b602a0dd
   - '3.3': 636f93c63ba286249c1207e3a903f8429efb2041
  description: |
    If the name in the certificate contains many ``*`` characters (wildcard),
    matching the compiled regular expression against the host name can take a
    very long time.

    Certificate validation happens before host name checking, so I think this
    is a minor issue only because it can only be triggered in cooperation with
    a CA (which seems unlikely).

- name: "Vulnerability in the utf-16 decoder after error handling"
  slug: utf-16-decoder-after-error-handling
  cve: CVE-2012-2135
  bpo: 14579
  disclosure: "2012-04-14"
  fixed-in:
   - '2.7': 715a63b78349952ccc0fb3dd3139e2d822006d35
   - '3.3': b4bbee25b1e3f4bccac222f806b3138fb72439d6
  description: |
    Vulnerability in the UTF-16 decoder after error handling.

- name: "XML-RPC DoS"
  slug: xmlrpc-dos
  cve: CVE-2012-0845
  bpo: 14001
  fixed-in:
   - '2.6': 66f3cc6f8de83c447d937160e4a1630c4482b5f5
   - '3.2': ec1712a1662282c909b4cd4cc0c7486646bc9246
  description: |
    A denial of service flaw was found in the way Simple XML-RPC Server module
    of Python processed client connections, that were closed prior the complete
    request body has been received. A remote attacker could use this flaw to
    cause Python Simple XML-RPC based server process to consume excessive
    amount of CPU.

- name: "ssl: NULL in subjectAltNames"
  slug: ssl-null-subjectaltnames
  cve: CVE-2013-4238
  bpo: 18709
  disclosure: "2013-06-27 (Ruby issue)"
  reported-by: Ryan Sleevi of the Google Chrome Security Team
  fixed-in:
   - '2.7': 82f88283171933127f20f866a7f98694b29cca56
   - '3.2': ec3c103520a5061e657581b388e2b8ba6f74602a
   - '3.3': 824f7f366d1b54d2d3100c3130c04cf1dfb4b47c
  description: |
    SSL module fails to handle NULL bytes inside subjectAltNames general names.

    It's related to `Ruby's CVE-2013-4073
    <http://www.ruby-lang.org/en/news/2013/06/27/hostname-check-bypassing-vulnerability-in-openssl-client-cve-2013-4073/>`_.

    Issue #18709 reported by Christian Heimes at 2013-08-12.

- name: "ssl CBC IV attack"
  slug: ssl-cbc-iv-attack
  cve: CVE-2011-3389
  bpo: 13885
  reported-by: Apple security team
  fixed-in:
   - '2.6': d358e0554bc520768041652676ec8e6076f221a9
   - '2.7': f2bf8a6ac51530e14d798a03c8e950dd934d85cd
  description: |
    The ssl module would always disable the CBC IV attack countermeasure.
    Disable OpenSSL ``SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS`` option.

- name: "urllib redirect"
  slug: urllib-redirect
  cve: CVE-2011-1521
  bpo: 11662
  reported-by: email received on the Python security list
  fixed-in:
   - '2.5': 60a4a90c8dd2972eb4bb977e70835be9593cbbac
   - '3.1': a119df91f33724f64e6bc1ecb484eeaa30ace014
  description: |
    The Python urllib and urllib2 modules are typically used to fetch web pages
    but by default also contains handlers for ``ftp://`` and ``file://`` URL
    schemes.

    Now unfortunately it appears that it is possible for a web server to
    redirect (HTTP 302) a urllib request to any of the supported schemes.

- name: "Sweet32 attack (DES, 3DES)"
  slug: sweet32
  cve: CVE-2016-2183
  bpo: 27850
  links:
    - https://sweet32.info/
    - https://www.openssl.org/blog/blog/2016/08/24/sweet32/
  disclosure: "2016-08-24 (end of the Sweet32 embargo)"
  reported-by: Karthik Bhargavan and Gaetan Leurent (Sweet32)
  affected-versions:
   # ssl._DEFAULT_CIPHERS doesn't include 3DES in 3.3 but is quite generic
   - '2.7'
   - '3.4'
  fixed-in:
   - '2.7': d988f429fe43808345812ef63dfa8da170c61871
   - '3.5': 03d13c0cbfe912eb0f9b9a02987b9e569f25fe19
   - '3.4': fa53dbdec818b0f2a0e22ca12a49d83ec948fc91
  description: |
    Remove 3DES from ssl default cipher list.

    Sweet32 vulnerability found by Karthik Bhargavan and Gaetan Leurent from
    the `INRIA <https://www.inria.fr/>`_.

- name: "Validate TLS certificate"
  slug: validate-tls-certificate
  cve: CVE-2014-9365
  bpo: 22417
  links:
    - "`PEP 476: Enabling certificate verification by default for stdlib
       http clients <https://www.python.org/dev/peps/pep-0476/>`_"
  disclosure: "2014-08-28 (PEP 476 created)"
  reported-by: Alex Gaynor (PEP 476 author)
  fixed-in:
   - '2.7': e3e7d40514e5dd0c3847682a719577efcfae1d8f
   - '3.4': 4ffb0752710f0c0720d4f2af0c4b7ce1ebb9d2bd
   # WONTFIX: 3.3, backward incompatible change, too late for 3.3
  description: |
    The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4)
    xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before
    3.4.3, when accessing an HTTPS URL, do not (a) check the certificate
    against a trust store or verify that the server hostname matches a domain
    name in the subject's (b) Common Name or (c) subjectAltName field of the
    X.509 certificate, which allows man-in-the-middle attackers to spoof SSL
    servers via an arbitrary valid certificate.

    See also the `PEP 476 -- Enabling certificate verification by default for
    stdlib http clients <https://www.python.org/dev/peps/pep-0476/>`_ and `PEP
    466: Network Security Enhancements for Python 2.7.x
    <https://www.python.org/dev/peps/pep-0466/>`_.

- name: "buffer() integer overflows"
  slug: buffer-integer-overflows
  cve: CVE-2014-7185
  bpo: 21831
  reported-by: Chris Foster (on the Python security list)
  affected-versions:
   # buffer() type was removed from Python 3
   - '2.0'
  fixed-in:
   - '2.7': 550b945fd66f1c6837a53fbf29dc8e524297b8c3
  description: |
    Integer overflow in ``bufferobject.c`` in Python before 2.7.8 allows
    context-dependent attackers to obtain sensitive information from process
    memory via a large size and offset in a ``buffer`` type.

- name: "os.makedirs() not thread-safe"
  slug: os-makedirs-not-thread-safe
  cve: CVE-2014-2667
  bpo: 21082
  affected-versions:
   # os.makedirs() exist_ok parameter added to Python 3.2
   - '3.2'
  fixed-in:
   - '3.2': ee5f1c13d1ea21c628068fdf142823177f5526c2
  description: |
    ``os.makedirs(exist_ok=True)`` is not thread-safe: umask is set temporary
    to ``0``, serious security problem.

    The fix removes the directory mode check from ``os.makedirs()``.

    The ``exist_ok`` parameter was added to Python 3.2.0 (commit
    5a22b651173f142a600625a036fcf36484ade237).

- name: "ssl.match_hostname() IDNA issue"
  slug: ssl-match_hostname-idna
  cve: CVE-2013-7440
  bpo: 17997
  links:
    - https://tools.ietf.org/html/rfc6125
  affected-versions:
   # ssl.match_hostname() was added to Python 3.2
   # The function was backported to 2.7.9 with the IDNA fix
   # (commit daeb925cc88cc8fed2030166ade641de28edb396).
   - '3.2'
  fixed-in:
   - '3.3': 72c98d3a761457a4f2b8054458b19f051dfb5886
  description: |
    ``ssl.match_hostname()``: sub string wildcard should not match IDNA prefix.

    Change behavior of ``ssl.match_hostname()`` to follow RFC 6125, for
    security reasons.  It now doesn't match multiple wildcards nor wildcards
    inside IDN fragments.
    Note that this function was only added to Python 2.7 in a backport to 2.7.9,
    and was added in its fixed form, so no releases of Python 2.7 have this
    vulnerability.

- name: "zipfile DoS using invalid file size"
  slug: zipfile-file-size-dos
  cve: CVE-2013-7338
  bpo: 20078
  affected-versions:
   # ZipExtFile._read2() was added to Python 3.3
   - '3.3'
  fixed-in:
   - '3.3': 5ce3f10aeea711bb912e948fa5d9f63736df1327
  description: |
    Python before 3.3.4 RC1 allows remote attackers to cause a denial of
    service (infinite loop and CPU consumption) via a file size value larger
    than the size of the zip file to the functions:

    * ``ZipExtFile.read()``
    * ``ZipExtFile.readlines()``
    * ``ZipFile.extract()``
    * ``ZipFile.extractall()``

    Reading malformed zipfiles no longer hangs with 100% CPU consumption.

    Python 2.7 is not affected.

- name: "Hash function not randomized properly"
  slug: hash-function-not-randomized-properly
  cve: CVE-2013-7040
  bpo: 14621
  fixed-in:
   - '3.4': 985ecdcfc29adfc36ce2339acf03f819ad414869
  description: |
    The hash function is not randomized properly.

    Python 3.4 now used SipHash (PEP 456).

    Python 3.3 and Python 2.7 are still affected.

- name: "pypirc created insecurely"
  slug: pypirc-created-insecurely
  cve: CVE-2011-4944
  bpo: 13512
  fixed-in:
   - '2.6': e5567ccc863cadb68f5e57a2760e021e0d3807cf
   - '3.3': d61926e6bef6c4d8105a2848362377dce91d7fc8
  description: |
    Python 2.6 through 3.2 creates ``~/.pypirc`` configuration file with
    world-readable permissions before changing them after data has been
    written, which introduces a race condition that allows local users to
    obtain a username and password by reading this file.

- name: "SimpleHTTPServer UTF-7"
  slug: simplehttpserver-utf-7
  cve: CVE-2011-4940
  bpo: 11442
  reported-by: email received on the Python security list
  fixed-in:
   - '2.5': 3853586e0caa0d5c4342ac8bd7e78cb5766fa8cc
  description: |
    The ``list_directory()`` function in ``Lib/SimpleHTTPServer.py`` in
    ``SimpleHTTPServer`` in Python before 2.5.6c1, 2.6.x before 2.6.7 rc2, and
    2.7.x before 2.7.2 does not place a charset parameter in the Content-Type
    HTTP header, which makes it easier for remote attackers to conduct
    cross-site scripting (XSS) attacks against Internet Explorer 7 via UTF-7
    encoding.

- name: "CGI directory traversal (is_cgi() function)"
  slug: cgi-directory-traversal-is_cgi
  cve: CVE-2011-1015
  bpo: 2254
  fixed-in:
   - '2.7': 923ba361d8f757f0656cfd216525aca4848e02aa
  description: |
    The ``is_cgi()`` method in ``CGIHTTPServer.py`` in the ``CGIHTTPServer``
    module in Python 2.5, 2.6, and 3.0 allows remote attackers to read script
    source code via an HTTP GET request that lacks a ``/`` (slash) character at
    the beginning of the URI.

- name: "smtpd accept bug and race condition"
  slug: smtpd-accept-bug-and-race-condition
  cve:
   - CVE-2010-3492
   - CVE-2010-3493
  bpo: 6706
  fixed-in:
   - '2.7': 19e9fefc660d623ce7c31fb008cde1157ae12aba
   - '3.1': 5ea3d0f95b51009fa1c3409e7dd1c12006427ccc
   - '3.2': 977c707b425ee753d54f3e9010f07ec77ef61274
  description: |
    CVE-2010-3492: The ``asyncore`` module in Python before 3.2 does not properly handle
    unsuccessful calls to the accept function, and does not have accompanying
    documentation describing how daemon applications should handle unsuccessful
    calls to the accept function, which makes it easier for remote attackers to
    conduct denial of service attacks that terminate these applications via
    network connections.

    CVE-2010-3493: Multiple race conditions in ``smtpd.py`` in the ``smtpd`` module in Python 2.6,
    2.7, 3.1, and 3.2 alpha allow remote attackers to cause a denial of
    service (daemon outage) by establishing and then immediately closing a TCP
    connection, leading to the accept function having an unexpected return
    value of None, an unexpected value of None for the address, or an
    ECONNABORTED, EAGAIN, or EWOULDBLOCK error, or the getpeername function
    having an ENOTCONN error, a related issue to CVE-2010-3492.

- name: "audioop input validation"
  slug: audioop-input-validation
  cve: CVE-2010-2089
  bpo: 7673
  fixed-in:
   - '2.6': e9123efa21a16584758b5ce7da93d3966cf0cd81
   - '3.1': 8e42fb7ada3198e66d3f060c5c87c52465a86e36
   - '3.2': bc5c54bca24fdb1fcf7fa055831ec997a65f3ce8
  description: |
    The ``audioop`` module in Python 2.7 and 3.2 does not verify the relationships
    between size arguments and byte string lengths, which allows
    context-dependent attackers to cause a denial of service (memory corruption
    and application crash) via crafted arguments, as demonstrated by a call to
    ``audioop.reverse()`` with a one-byte string, a different vulnerability
    than CVE-2010-1634.

- name: "audioop integer overflows"
  slug: audioop-integer-overflows
  cve: CVE-2010-1634
  bpo: 8674
  fixed-in:
   - '2.6': 7ceb497ae6f554274399bd9916ea5a21de443208
   - '2.7': 11bb2cdc6aa8db142a87de281b83293d500847b2
   - '3.1': ee289e6cd5c009e641ee970cfc67996d8f871221
   - '3.2': 393b97a7b61583f3e0401f385da8b741ef1684d6
  description: |
    Multiple integer overflows in ``audioop.c`` in the ``audioop`` module in Python
    2.6, 2.7, 3.1, and 3.2 allow context-dependent attackers to cause a denial
    of service (application crash) via a large fragment, as demonstrated by a
    call to audioop.lin2lin with a long string in the first argument, leading
    to a buffer overflow.

    NOTE: this vulnerability exists because of an incorrect fix for
    CVE-2008-3143.

- name: "rgbimg and imageop overflows"
  slug: rgbimg-imageop-overflows
  cve:
   - CVE-2007-4965
   - CVE-2009-4134
   - CVE-2010-1449
   - CVE-2010-1450
  bpo: 1179
  links:
    - http://seclists.org/fulldisclosure/2007/Sep/279
    - http://bugs.python.org/issue8678
    - https://bugzilla.redhat.com/show_bug.cgi?id=541698
  disclosure: "2007-09-16 (full-disclosure email)"
  reported-by: Slythers Bro (on the full-disclosure mailing list)
  # imageop module was removed in Python 3
  ignore-python3: true
  affected-versions:
   # rgbimg and imageop modules were removed in Python 3
   - '2.0'
  fixed-in:
   - '2.5': 4df1b6d478020ac51c84467f47e42083f53adbad
   - '2.6': 93ebfb154456daa841aa223bd296422787b3074c
  description: |
    Multiple integer overflows in the ``imageop`` module in Python 2.5.1 and
    earlier allow context-dependent attackers to cause a denial of service
    (application crash) and possibly obtain sensitive information (memory
    contents) via crafted arguments to (1) the ``tovideo()`` method, and
    unspecified other vectors related to (2) ``imageop.c``, (3)
    ``rbgimgmodule.c``, and other files, which trigger heap-based buffer
    overflows.

    Reported again by Marc Schoenefeld in the Red Hat
    bugzilla at 2009-11-26.

- name: "Multiple integer overflows (Google)"
  slug: multiple-integer-overflows-google
  cve: CVE-2008-3143
  bpo: 2620
  fixed-in:
   - '2.5': 83ac0144fa3041556aa4f3952ebd979e0189a19c
   - '2.6': 0470bab69783c13447cb634fa403ef1067fe56d1
   - '3.1': d492ad80c872d264ed46bec71e31a00f174ac819
  description: |
    Multiple integer overflows in Python before 2.5.2 might allow
    context-dependent attackers to have an unknown impact via vectors related
    to:

    * ``Include/pymem.h``
    * ``Modules/``:

      - ``_csv.c``
      - ``_struct.c``
      - ``arraymodule.c``
      - ``audioop.c``
      - ``binascii.c``
      - ``cPickle.c``
      - ``cStringIO.c``
      - ``datetimemodule.c``
      - ``md5.c``
      - ``rgbimgmodule.c``
      - ``stropmodule.c``

    * ``Modules/cjkcodecs/multibytecodec.c``
    * ``Objects/``:

      - ``bufferobject.c``
      - ``listobject.c``
      - ``obmalloc.c``

    * ``Parser/node.c``
    * ``Python/``:

      - ``asdl.c``
      - ``ast.c``
      - ``bltinmodule.c``
      - ``compile``

    as addressed by "checks for integer overflows, contributed by Google."

- name: "expandtab() integer overflow"
  slug: expandtab-integer-overflow
  cve: CVE-2008-5031
  links:
   - http://scary.beasts.org/security/CESA-2008-008.html
  disclosure: "2008-03-11 (commit date)"
  reported-by: Chris Evans
  fixed-in:
   - '2.5': 44a93e54f4b0f90634d16d53c437fabb6946ea9d
   - '2.6': 5bdff60617e6fc1d2e387a0b165cb23b82d7dae6
   - '3.0': dd15f6c315f20c1a9a540dd757cd63e27dbe9f3c
  description: |
    Multiple integer overflows in Python 2.2.3 through 2.5.1, and 2.6, allow
    context-dependent attackers to have an unknown impact via a large integer
    value in the tabsize argument to the expandtabs method, as implemented by:

    * the ``string_expandtabs()`` function in ``Objects/stringobject.c``
    * the ``unicode_expandtabs()`` function in ``Objects/unicodeobject.c``

    NOTE: this vulnerability reportedly exists because of an incomplete
    fix for CVE-2008-2315.

- name: "Multiple integer overflows (Apple)"
  slug: multiple-integer-overflows-apple
  cve:
   - CVE-2008-1679
   - CVE-2008-1721
   - CVE-2008-1887
   - CVE-2008-2315
   - CVE-2008-2316
   - CVE-2008-3142
   - CVE-2008-3144
   - CVE-2008-4864
  links:
   - https://lists.apple.com/archives/security-announce/2009/Feb/msg00000.html
  disclosure: "2008-07-31 (commit)"
  reported-by: Apple
  fixed-in:
   - '2.6': e7d8be80ba634fa15ece6f503c33592e0d333361
   - '2.7': 3ce5d9207e66d61d4b0502cf47ed2d2bcdd2212f
  description: |
    Security patches from Apple: prevent integer overflows when allocating
    memory.

    CVE-ID:

    * CVE-2008-1679 (``imageop``)
    * CVE-2008-1721 (``zlib``)
    * CVE-2008-1887 (``PyString_FromStringAndSize()``)
    * CVE-2008-2315
    * CVE-2008-2316 (``hashlib``)
    * CVE-2008-3142 (``unicode_resize()``, ``PyMem_RESIZE()``)
    * CVE-2008-3144 (``PyOS_vsnprintf()``)
    * CVE-2008-4864 (``imageop``)

- name: "Expat 2.2 (Expat bug #537)"
  slug: expat-2.2
  cve:
   - CVE-2016-0718
   - CVE-2016-4472
  # Bug number at bugs.python.org (bpo)
  bpo: 29591
  links:
   - https://sourceforge.net/p/expat/bugs/537/
   - https://bugs.python.org/issue30610
  reported-by: "2016-05-27 (expat bug #537 reported)"
  fixed-in:
   - '3.7': 23ec4b57e1359f9c539b8defc317542173ae087e
   - '3.6': 86b95370c45dedb8a56c9894372a43681de47a73
   - '3.5': 8c797ed8a0fea5e3162b9415f13e270d4d5d9549
   - '3.4': 71572bbe82aa0836c036d44d41c8269ba6a321be
   - '3.3': ab90986600ba7dea2aa41e5c1773791070725453
   - '2.7': 0e4571a68a7f48e8469ef05b04ba3463d3fd82c0
  description: |
    The Expat XML parser mishandles certain kinds of malformed input documents,
    resulting in buffer overflows during processing and error reporting. The
    overflows can manifest as a segmentation fault or as memory corruption
    during a parse operation. The bugs allow for a denial of service attack in
    many applications by an unauthenticated attacker, and could conceivably
    result in remote code execution.

- name: "Expat 2.2.1"
  slug: expat-2.2.1
  cve:
   - CVE-2017-9233
   - CVE-2016-9063
   - CVE-2016-0718
   - CVE-2012-0876
  bpo: 30694
  links:
    - https://libexpat.github.io/doc/cve-2017-9233/
    - https://github.com/libexpat/libexpat/blob/R_2_2_1/expat/Changes
  disclosure: "2017-06-17 (Expat 2.2.1 release)"
  fixed-in:
   - '3.7': 5ff7132313eb651107b179d20218dfe5d4e47f13
   - '3.6': ea1ab803ddc14ab02ffed50ecc5089897f259623
   - '3.5': 91d171be45942d37a973b0675521b5159a96be31
   - '3.4': 71572bbe82aa0836c036d44d41c8269ba6a321be
   - '3.3': ab90986600ba7dea2aa41e5c1773791070725453
   - '2.7': 2ada64d2a073f85f135461833952dbe8d656810d
  description: |
    Upgrade expat copy from 2.2.0 to 2.2.1 to get fixes of multiple security
    vulnerabilities including:

    * CVE-2017-9233 (External entity infinite loop DoS),
    * CVE-2016-9063 (Integer overflow, re-fix),
    * CVE-2016-0718 (Fix regression bugs from 2.2.0’s fix to CVE-2016-0718)
    * CVE-2012-0876 (Counter hash flooding with SipHash).

    Note: the CVE-2016-5300 (Use os-specific entropy sources like getrandom)
    doesn’t impact Python, since Python already gets entropy from the OS to set
    the expat secret using ``XML_SetHashSalt()``.

- name: "Environment variables injection in subprocess on Windows"
  slug: env-var-injection-subprocess-windows
  bpo: 30730
  fixed-in:
   - '3.7': d174d24a5d37d1516b885dc7c82f71ecd5930700
   - '3.6': a9b16cff35811f88cdfeb4f50758140dfff36ebc
   - '3.5': a7c0264735f46afab13771be4218d8eab0d7dc91
   - '3.4': fe82c46327effc124ff166e1fa1e611579e1176b
   - '3.3': e46f1c19642ea1882f427d8246987ba49351a97d
   - '2.7': 9dda2caca8edc7ff1285f6b0d1c5279b51854b7d
  description: |
    On Windows, prevent passing invalid environment variables and command
    arguments to subprocess.Popen.

    It is possible to inject an environment variable in subprocess on Windows
    if a user data is passed to a subprocess via environment variable.

    Check for invalid environment (variable names containing '=') and command
    arguments (containing '\0').

- name: "Zlib 1.2.11"
  slug: zlib-1.2.11
  cve:
   - CVE-2016-9840
   - CVE-2016-9841
   - CVE-2016-9842
   - CVE-2016-9843
  bpo: 29169
  reported-at: "2017-01-02 (zlib 1.2.10 released)"
  fixed-in:
   - '2.7': 80b24a9354c60f6b800d462c941c6d4cde3cf783
   - '3.4': d0e61bded5256e775e470e2c0da22367a1a81970
   - '3.5': 34e7e2ecb1741850190e78f42875480693d3537b
   # Python 3.3 uses zlib 1.2.5 and is not going to be fixed:
   # https://github.com/python/cpython/pull/3108
  description: |
    These are the changes updating zlib from 1.2.8 to 1.2.10. It is only used
    when building without a system zlib.

    The new release includes fixes for
    security issues CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843.

    Note: Only Windows and macOS are affected by this issue. Linux packages use
    the system zlib.

- name: "Expat 2.2.3"
  slug: expat-2.2.3
  bpo: 30947
  fixed-in:
   - '2.7': ec4ab09b7c0b5070bdb27351f979cbecc4636245
   - '3.3': 297516ea509c72d8ebed3a9b3ce200f023aca0b7 # expat 2.2.1 to 2.2.4
   - '3.4': 86a713cb0c110b6798ca7f9e630fc511ee0a4028
   - '3.5': f2492bb6aae061aea47e21fc7e56b7ab9bfdf543
   - '3.6': 83e37e16f3065086d721d4e62a3788e01db3431c
   - '3.7': 93d0cb58b4da2a88c56f472c6c19491cc7a390df
  description: |
   Expat 2.2.2 was released with multiple security fixes:

   * #43: Protect against compilation without any source of high quality
     entropy enabled, e.g. with CMake build system
   * #60: Windows with _UNICODE: Unintended use of LoadLibraryW with a non-wide
     string resulted in failure to load advapi32.dll and degradation in quality
     of used entropy when compiled with _UNICODE for Windows; you can launch
     existing binaries with EXPAT_ENTROPY_DEBUG=1 in the environment to inspect
     the quality of entropy used during runtime
   * [MOX-006]: Fix non-NULL parser parameter validation in XML_Parse; resulted
     in NULL dereference, previously

   Expat 2.2.3 contains an additional security fix: #82: CVE-2017-11742 --
   Windows: Fix DLL hijacking vulnerability using Steve Holme's LoadLibrary
   wrapper for/of cURL

- name: "PyString_DecodeEscape integer overflow"
  slug: pystring_decodeescape-integer-overflow
  cve: CVE-2017-1000158
  bpo: 30657
  fixed-in:
   - '2.7': c3c9db89273fabc62ea1b48389d9a3000c1c03ae
   - '3.4': 6c004b40f9d51872d848981ef1a18bb08c2dfc42
   - '3.5': fd8614c5c5466a14a945db5b059c10c0fb8f76d9
  affected-versions:
   # <2.7 and <3.4 is likely impacted as well
   - '2.7'
   - '3.4'
   - '3.5'
  description: |
    Check & prevent integer overflow in PyString_DecodeEscape.

    You need to compile a 1 GiB Python file on 32-bit system for reproducing
    it. It is very unlikely that this can happen by accident, and it is hard to
    used it in security attack. If you can make the attacked program compiling
    a 1 GiB Python file, you perhaps have easier ways to make a harm.

- name: "Buffer overflow vulnerability in os.symlink on Windows"
  slug: buffer-overflow-os-symlink-windows
  cve: CVE-2018-1000117
  bpo: 33001
  links:
    - https://mail.python.org/mm3/archives/list/security-announce@python.org/thread/PVSURQ2YCNZODILA3QE7ZF3GCD25EVVT/
  reported-at: "2018-02-27 (email to the PSRT)"
  reported-by: "Alexey Izbyshev"
  affected-versions:
  # os.symlink() is not available on Windows in Python 2.7
   - "3.2"
  fixed-in:
    - '3.8': 6921e73e33edc3c61bc2d78ed558eaa22a89a564
    - '3.7': 96fdbacb7797a564249fd59ccf86ec153c4bb095
    - '3.6': baa45079466eda1f5636a6d13f3a60c2c00fdcd3
    - '3.4': 77c02cdce2d7b8360771be35b7676a4977e070c1
    - '3.5': f381cfe07d15d52f27de771a62a8167668f0dd51
  description: |
    On February 27th, 2018, the Python Security Response team was notified
    of a buffer overflow issue in the ``os.symlink()`` method on Windows. The
    issue affects all versions of Python between 3.2 and 3.6.4, including
    the 3.7 beta releases. It has been patched for the next releases of 3.4,
    3.5, 3.6 and 3.7.

    Scripts may be vulnerable if they use ``os.symlink()`` on Windows and an
    attacker is able to influence the location where links are created. As
    os.symlink requires additional privileges, exploits using this
    vulnerability are more likely to result in escalation of privilege.

    Besides applying the fix to CPython, scripts can also ensure that the
    length of each path argument is less than 260, and if the source is a
    relative path, that its combination with the destination is also shorter
    than 260 characters. That is::

        assert (len(src) < 260 and
                len(dest) < 260 and
                len(os.path.join(os.path.dirname(dest), src)) < 260)
        os.symlink(src, dest)

    Scripts that explicitly pass the target_is_directory argument as True
    are not vulnerable. Scripts on Python 3.5 that use bytes for paths are
    not vulnerable, because of a combination of stack layout and added
    parameter validation, but will still not behave correctly for long paths.

    This vulnerability has been registered as CVE-2018-1000117, and patched
    in the commits listed below. This patch prevents the buffer overflow,
    but does not raise any new errors or enable the use of long paths when
    creating symlinks.

    Many thanks to **Alexey Izbyshev** for the report, and helping us work
    through developing the patch.

- name: "difflib and poplib catastrophic backtracking"
  slug: difflib-poplib-backtracking
  cve:
   - CVE-2018-1060
   - CVE-2018-1061
  # Bug number at bugs.python.org (bpo)
  bpo: 32981
  fixed-in:
    - '3.8': 0e6c8ee2358a2e23117501826c008842acb835ac
    - '3.7': 0902a2d6b2d1d9dbde36aeaaccf1788ceaa97143
    - '3.6': c9516754067d71fd7429a25ccfcb2141fc583523
    - '3.5': 937ac1fe069a4dc8471dff205f553d82e724015b
    - '3.4': 942cc04ae44825ea120e3a19a80c9b348b8194d0
    - '2.7': e052d40cea15f582b50947f7d906b39744dc62a2
  description: |
    Regexes in difflib and poplib were vulnerable to catastrophic backtracking.
    These regexes formed potential DOS vectors (REDOS). They have been
    refactored.

    This resolves CVE-2018-1060 and CVE-2018-1061.

    Patch by **Jamie Davis**.

- name: "Python 2.7 readahead is not thread safe"
  slug: python-2.7-readahead-not-thread-safe
  cve: CVE-2018-1000030
  # Bug number at bugs.python.org (bpo)
  bpo: 31530
  links:
    - https://access.redhat.com/security/cve/cve-2018-1000030
  reported-by: "email to PSRT"
  fixed-in:
   - '2.7': dbf52e02f18dac6f5f0a64f78932f3dc6efc056b
  affected-versions:
   - "2.7"
  description: |
    Reading from the same file object in different threads does crash Python
    2.7. The readahead feature of Objects/fileobject.c is not thread safe.

    The PSRT decided that it's a regular bug and doesn't need to be categorized
    as a vulnerability, since the attacker has to be able to run arbitrary code
    in practice.

    The PSRT considers that no Python 2.7 application currently rely on reading
    from the same file object "at the same time" from different thread, since
    it currently crashs.

- name: "Limit imaplib.IMAP4_SSL.readline()"
  slug: limit-imap4_ssl-readline
  cve: CVE-2013-1752
  bpo: 16039
  fixed-in:
   - '2.7': 16d63202af35dadd652a5e3eae687ea709e95b11
  affected-versions:
   - "2.7"
  description: |
    The imaplib module doesn't limit the amount of read data in its call to
    ``IMAP4_SSL.readline()``. An erroneous or malicious IMAP server can trick
    the imaplib module to consume large amounts of memory.

- name: "_elementree C accelerator doesn't call XML_SetHashSalt()"
  slug: elementree-hash-salt
  cve: CVE-2018-14647
  bpo: 34623
  fixed-in:
   - '3.8': cb5778f00ce48631c7140f33ba242496aaf7102b
   - '3.7': 470a435f3b42c9be5fdb7f7b04f3df5663ba7305
   - '3.6': f7666e828cc3d5873136473ea36ba2013d624fa1
   - '3.5': d16eaf36795da48b930b80b20d3805bc27820712
   - '3.4': 41b48e71ac8a71f56694b548f118bd20ce203410
   - '2.7': 18b20bad75b4ff0486940fba4ec680e96e70f3a2
  links:
   - https://bugzilla.redhat.com/show_bug.cgi?id=1632095
  description: |
    The pyexpat module calls ``XML_SetHashSalt()`` to initialize the salt for
    hash randomization of the XML_Parser struct.

    The ``_elementree`` C accelerator doesn't call ``XML_SetHashSalt()``.

- name: "TALOS-2018-0758 SSL CRL distribution points Denial of Service"
  slug: ssl-crl-dps-dos
  cve: CVE-2019-5010
  bpo: 35746
  disclosure: "2019-01-15 (Python issue bpo-35746 reported)"
  reported-at: "2019-01-15"
  reported-by: "Colin Read and Nicolas Edet of Cisco."
  fixed-in:
   - '3.8': a37f52436f9aa4b9292878b72f3ff1480e2606c3
   - '3.7': be5de958e9052e322b0087c6dba81cdad0c3e031
   - '3.6': 216a4d83c3b72f4fdcd81b588dc3f42cc461739a
   - '3.5': efec7631edf3b9480dc3988c97ffef94df8800da
   - '3.4': 6c655ce34ae54adb8eef22b73108e22cc381cb8d
   - '2.7': 06b15424b0dcacb1c551b2a36e739fffa8d0c595
  links:
   - https://blog.talosintelligence.com/2019/01/vulnerability-spotlight-pythonorg.html
  description: |
    An exploitable denial-of-service vulnerability exists in the X509 certificate
    parser of Python.org Python 2.7.11 / 3.6.6. A specially crafted X509 certificate
    can cause a NULL pointer dereference, resulting in a denial of service. An attacker
    can initiate or accept TLS connections using crafted certificates to trigger this
    vulnerability.

    Christian Heimes added the following comment.

    The bug is less critical and harder to exploit than I initially thought.
    td;dr if you have cert validation enabled and only trust public root CAs
    from CA/B forum, then you are not affected.

    The bug is only exploitable under two conditions:

    1) The user has disabled TLS/SSL certificate validation *and* calls
       getpeercert() in 3rd party code.

    2) Or the user trusts a CA that does not properly validate end-entity certificates.

    When cert validation is enabled, the ssl module will refuse any untrusted
    certificate during the handshake. The SSLSocket.getpeercert() and
    SSLObject.getpeercert() methods raise an exception, when the handshake was
    not successful. Python 2.7 - 3.6 hostname verification code only calls
    getpeercert() after the cert chain was validated successfully. Python 3.7+
    no longer calls getpeercert() for hostname verification. Further more
    hostname verification can't be enabled when cert validation is disabled.

    For publicly trusted CAs governed by CA/B baseline requirements, CRL DPs
    must by valid URI general names with HTTP links. From CA/Browser Forum
    Baseline Requirements Version 1.6.2, December 10, 2018, section 7.1.2.3.
    Subscriber Certificate:

    b. cRLDistributionPoints

    This extension MAY be present. If present, it MUST NOT be marked critical,
    and it MUST contain the HTTP URL of the CA’s CRL service.

    Patch by **Christian Heimes**.

- name: "pickle.load denial of service"
  slug: pickle-load-dos
  cve: CVE-2018-20406
  bpo: 34656
  links:
    - https://bugzilla.redhat.com/show_bug.cgi?id=1664511
  affected-versions:
   - "3.0"
  fixed-in:
   - '3.8': a4ae828ee416a66d8c7bf5ee71d653c2cc6a26dd
   - '3.7': ef4306b24c9034d6b37bb034e2ebe82e745d4b77
   - '3.6': 71a9c65e74a70b6ed39adc4ba81d311ac1aa2acc
   - '3.5': ef33dd6036aafbd3f06c1d56e2b1a81dae3da63c
   - '3.4': 4b42d575bf0fb01192b3ec54b7e224b238691527
  description: |
    A bug in ``pickle.load()`` function can cause memory exhaustion denial of
    service.

- name: "xml package does not obey ignore_environment"
  slug: xml-pakage-ignore-environment
  description: |
  bpo: 34791
  fixed-in:
   - '3.8': 223e501fb9c2b6ae21b96054e20c4c31d94a5d96
   - '3.7': c119d5948f941d2f528dda3f099e196bd6383000
   - '3.6': 5e808f92ea4eb238b17757526b99f97debf7dd57
   - '3.5': 7cd08cf62086a8a2d84fd825dfcd8bfe33bf1986
   - '3.4': 765d333512e9b58da4a4431595a0e81517ef0443
   - '2.7': 2546ac8eeb56fc146adea9a03158440a9271714e
  description: |
    On two occasions, the xml package uses environment variables to override
    parser / DOM implementations: ``xml.sax package`` and ``xml.dom.domreg``
    module. On both occasions, the code should not use env vars to override
    module names, when the interpreter is started with flags like ``-E``
    or ``-I``.

- name: "urlsplit does not handle NFKC normalization"
  slug: urlsplit-nfkc-normalization
  reported-at: "2019-02-16 (email to PSRT)"
  reported-by: "Jonathan Birch of Microsoft Corporation and Panayiotis Panayiotou"
  cve: CVE-2019-9636
  bpo: 36216
  fixed-in:
   - '3.8': 16e6f7dee7f02bb81aa6b385b982dcdda5b99286
   - '3.7': daad2c482c91de32d8305abbccc76a5de8b3a8be
   - '3.6': 23fc0416454c4ad5b9b23d520fbe6d89be3efc24
   - '3.5': c0d95113b070799679bcb9dc49d4960d82e8bb08
   - '2.7': e37ef41289b77e0f0bb9a6aedb0360664c55bdd5
  description: |
    URLs encoded with Punycode/IDNA use NFKC normalization to decompose
    characters. This can result in some characters introducing new segments
    into a URL.

    See `Unicode® Technical Standard #46: Unicode IDNA Compatibility Processing
    <https://unicode.org/reports/tr46/>`_.

- name: "urlsplit does not handle NFKC normalization (second fix)"
  slug: urlsplit-nfkc-normalization2
  cve: CVE-2019-10160
  bpo: 36742
  reported-at: "2019-06-03 (email to PSRT)"
  reported-by: "Riccardo Schirone (Red Hat)"
  fixed-in:
   - '3.8': 8d0ef0b5edeae52960c7ed05ae8a12388324f87e
   - '3.7': 250b62acc59921d399f0db47db3b462cd6037e09
   - '3.6': fd1771dbdd28709716bd531580c40ae5ed814468
   - '3.5': 4655d576141ee56a69d2052431c636858fcb916a
   - '2.7': f61599b050c621386a3fc6bc480359e2d3bb93de
  description: |
    Follow up of the urllib NFKC normalization vulnerability: the fix ignored
    the user/password before ``@`` whereas it still allowed to exploit the
    vulnerability.

    The second fix no longer ignores the part before ``@``.

- name: "urllib module local_file:// scheme"
  slug: urllib-local-file-scheme
  cve: CVE-2019-9948
  bpo: 35907
  fixed-in:
   - '2.7': b15bde8058e821b383d81fcae68b335a752083ca
   - '3.8': 0c2b6a3943aa7b022e8eb4bfd9bffcddebf9a587
   - '3.7': 34bab215596671d0dec2066ae7d7450cd73f638b
   - '3.6': 4f06dae5d8d4400ba38d8502da620f07d4a5696e
   - '3.5': 4fe82a8eef7aed60de05bfca0f2c322730ea921e
  description: |
    urllib in Python 2.x through 2.7.16 supports the ``local_file:`` scheme,
    which makes it easier for remote attackers to bypass protection mechanisms
    that blacklist ``file:`` URIs, as demonstrated by triggering a
    ``urllib.urlopen('local_file:///etc/passwd')`` call.

- name: "HTTP Header Injection (follow-up of CVE-2016-5699)"
  slug: http-header-injection2
  cve:
   - CVE-2019-9740
   - CVE-2019-9947
  bpo: 30458
  fixed-in:
   - '3.8': c4e671eec20dfcb29b18596a89ef075f826c9f96
   - '3.7': 7e200e0763f5b71c199aaf98bd5588f291585619
   - '3.6': c50d437e942d4c4c45c8cd76329b05340c02eb31
   - '3.5': afe3a4975cf93c97e5d6eb8800e48f368011d37a
   - '2.7': bb8071a4cae5ab3fe321481dd3d73662ffb26052
  description: |
    HTTP Header Injection, follow-up of CVE-2016-5699.

    The fix disallows control chars in HTTP URLs.

    This change broke applications sending invalid HTTP requests on purpose:
    `bpo-36274 <https://bugs.python.org/issue36274>`_ added private methods
    to the ``http.client.HTTPConnection`` class (``_encode_request()`` and
    ``_validate_path()``) which can be overriden in a subclass for that.

    Note: Python 2 ``urllib.urlopen(url)`` always quotes the URL and so is not
    vulnerable to HTTP Header Injection.

- name: "Email folding function Denial-of-Service"
  slug: email-fold-dos
  bpo: 33529
  fixed-in:
   - '3.8': c1f5667be1e3ec5871560c677402c1252c6018a6
   - '3.7': 2fef5b01e36a17e36fd7e65c4b51f5ede8880dda
   - '3.6': 516a6a254814d2bc6a90290dfc44d77fdfb4050b
  affected-versions:
   - "3.6"
   - "3.7"
   - "3.8"
  description: |
    The email folding function enters an infinite loop if a header is longer
    than the policy maximum line length and contains many non-ASCII characters.

    Regression introduced in Python 3.6.4.

- name: "http.cookiejar: Incorrect validation of path"
  slug: cookie-path-check
  bpo: 35647
  fixed-in:
   - '3.8': 0e1f1f01058bd4a9b98cfe443214adecc019a38c
   - '3.7': 97c7d78fda49e03fc773c171ce0c736d02bb73f5
   - '3.6': 5565b1db6f37f244890369e0d68a3e906aca28b9
   - '3.5': e260f092cd0d8975c777e73ca6fb549d59b5d452
   - '3.4': 382981b25092b5e9285f1e4894142af1e8f2ca86
   - '2.7': ee15aa2b8501718cb77e339381f72409a416f801
  description: |
    Cookies of ``example.com`` with ``path=/any`` were sent to
    ``example.com/anybad/`` while using a cookiejar with
    `http.cookiejar.DefaultCookiePolicy` policy. The code did not check for
    the first non-matching character in prefix match to be a slash.

- name: "ssl.match_hostname() ignores extra string after whitespace in IPv4 address"
  slug: ssl-match_hostname-ipv4-trailing
  bpo: 37463
  reported-at: "2019-06-07 (email to PSRT)"
  reported-by: "bug found by Dominik Czarnota, reported by Paul Kehrer"
  affected-versions:
   - "3.7"
   - "3.8"
   - "3.9"
  fixed-in:
   - '3.9': 477b1b25768945621d466a8b3f0739297a842439
   - '3.8': 3cba3d3c55f230a59174a0dfcafb1d4685269e60
   - '3.7': 070fae6d0ff49e63bfd5f2bdc66f8eb1df3b6557
   # 3.7 also got: 024ea2170b7c1652a62cc7458e736c63d4970eb1
  description: |
    ``inet_aton()`` accepts trailing characters after a valid IP.  Because of
    that, Python ``ssl.match_hostname('1.1.1.1 ; this should not work but does')``
    succeeded when it should fail.

    The issue was introduced in `bpo-32819
    <https://bugs.python.org/issue32819>`_ by `commit aef1283b
    <https://github.com/python/cpython/commit/aef1283ba428e33397d87cee3c54a5110861552d>`_.
    Only Python 3.7 and newer are affected. It's a potential security bug
    although **low severity**. For one Python 3.7 and newer **no longer use**
    ``ssl.match_hostname()`` to verify hostnames and IP addresses of a
    certificate: **matching is performed by OpenSSL**.

    It should not possible to register a x509 certificate with a hostname with
    spaces.

    The glibc function ``inet_aton()`` accepts input as valid if said input is
    a IPv4 address followed by zero or more characters that are valid
    white-space as decided by ``isspace()``, with the rest of the string after
    the first white-space being ignored. As ``'\r'`` is a valid white-space
    character the rest of the string is ignored (including the ``'\r'``). See
    `glibc bug 24111: Deprecate inet_addr, inet_aton
    <https://sourceware.org/bugzilla/show_bug.cgi?id=24111>`_.

- name: "email.utils.parseaddr mistakenly parse an email"
  slug: email-parseaddr-domain
  cve: CVE-2019-16056
  bpo: 34155
  links:
    - https://medium.com/@fs0c131y/tchap-the-super-not-secure-app-of-the-french-government-84b31517d144
    - https://twitter.com/fs0c131y/status/1119143946687434753
  fixed-in:
   - '3.9': 8cb65d1381b027f0b09ee36bfed7f35bb4dec9a9
   - '3.8': 217077440a6938a0b428f67cfef6e053c4f8673c
   - '3.7': c48d606adcef395e59fd555496c42203b01dd3e8
   - '3.6': 13a19139b5e76175bc95294d54afc9425e4f36c9
   - '3.5': 063eba280a11d3c9a5dd9ee5abe4de640907951b
   - '2.7': 4cbcd2f8c4e12b912e4d21fd892eedf7a3813d8e
  description: |
    email.utils.parseaddr wrongly parse the From field of an email.

    ``email.utils.parseaddr('John Doe jdoe@example.com <other@example.net>')``
    returns ``('', 'John Doe jdoe@example.com')``, whereas it should return
    ``('John Doe jdoe@example.com', 'other@example.net')``.

- name: "Reflected XSS in DocXMLRPCServer"
  cve: CVE-2019-16935
  slug: docxmlrpcserver-xss
  bpo: 38243
  redhat-impact: "Moderate"
  fixed-in:
   - '3.9': e8650a4f8c7fb76f570d4ca9c1fbe44e91c8dfaa
   - '3.8': 6447b9f9bd27e1f6b04cef674dd3a7ab27bf4f28
   - '3.7': 39a0c7555530e31c6941a78da19b6a5b61170687
   - '3.6': 1698cacfb924d1df452e78d11a4bf81ae7777389
   - '3.5': 3fe1b19265b55c290fc956e9aafcf661803782de
   - '2.7': 8eb64155ff26823542ccf0225b3d57b6ae36ea89
  description: |
    DocXMLRPCServer does not escape the server title.

    The attacker has to find a way to control the server title.

- name: "Regular Expression Denial of Service in http.cookiejar"
  slug: cookiejar-redos
  bpo: 38804
  fixed-in:
   - '3.9': 1b779bfb8593739b11cbb988ef82a883ec9d077e
   - '3.8': a1e1be4c4969c7c20c8c958e5ab5279ae6a66a16
   - '3.7': cb6085138a845f8324adc011b65754acc2086cc0
   - '3.6': 0716056c49e9505041e30386dad9b2e788f67aaf
   - '3.5': 55a6a16a46239a71b635584e532feb8b17ae7fdf
   - '2.7': e6499033032d5b647e43a3b49da0c1c64b151743
  links:
   - https://access.redhat.com/security/cve/CVE-2019-16935
  description: |
    The regex ``http.cookiejar.LOOSE_HTTP_DATE_RE`` is vulnerable to regular
    expression denial of service ("REDoS"). ``LOOSE_HTTP_DATE_RE.match()`` is
    called when using ``http.cookiejar.CookieJar`` to parse ``Set-Cookie``
    headers returned by a HTTP server. Processing a response from a malicious
    HTTP server can lead to extreme CPU usage and execution will be blocked
    for a long time.

- name: "CVE-2020-8315: Unsafe DLL loading in getpathp.c on Windows 7"
  slug: unsafe-dll-load-windows-7
  cve: CVE-2020-8315
  bpo: 39401
  affected-versions:
   # The issue was added in 3.6 when Steve Dower added support for installing
   # Python into a long path name on up-to-date OS, which required dynamically
   # loading an OS function. That dynamic load was the problem.
   - '3.6'
   - '3.7'
   - '3.8'
   - '3.9'
  fixed-in:
   - '3.9': 6a65eba44bfd82ccc8bed4b5c6dd6637549955d5
   - '3.8': ad4a20b87d79a619ffbdea3f26848780899494e5
   - '3.7': 561c59777c8426fde0ef48b57cf02eddaeb2a5b8
   - '3.6': 51332c467ed2e07a191f903d554d0c54248e4d88
  description: |
    At Python startup, ``api-ms-win-core-path-l1-1-0.dll`` is loaded with
    LoadLibraryW() without ``LOAD_LIBRARY_SEARCH_xxx`` flags.

    Python 3.5 and older are not affected.

- name: "urllib basic auth regex denial of service"
  slug: urllib-basic-auth-regex
  cve: CVE-2020-8492
  bpo: 38826
  links:
   - https://bugs.python.org/issue39503
  reported-at: "2019-11-17 (bpo-38826)"
  reported-by: "Ben Caller and Matt Schwager"
  fixed-in:
   - '3.9': 0b297d4ff1c0e4480ad33acae793fbaf4bf015b4
   - '3.8': ea9e240aa02372440be8024acb110371f69c9d41
   - '3.7': b57a73694e26e8b2391731b5ee0b1be59437388e
   - '3.6': 69cdeeb93e0830004a495ed854022425b93b3f3e
   - '3.5': 37fe316479e0b6906a74b0c0a5e495c55037fdfd
  description: |
    The AbstractBasicAuthHandler class of the urllib.request module uses an
    inefficient regular expression (catastrophic backtracking) which can be
    exploited by an attacker to cause a denial of service.

    See also https://bugs.python.org/issue43075

- name: "CVE-2019-18348: CRLF injection via the host part of the url passed to urlopen()"
  slug: urlopen-host-http-header-injection
  cve: CVE-2019-18348
  bpo: 38576
  fixed-in:
   - '3.9': 9165addc22d05e776a54319a8531ebd0b2fe01ef
   - '3.8': ff69c9d12c1b06af58e5eae5db4630cedd94740e
   - '3.7': 34f85af3229f86c004a954c3f261ceea1f5e9f95
   - '3.6': 83fc70159b24f5b11a5ef87c9b05c2cf4c7faeba
   - '3.5': 09d8172837b6985c4ad90ee025f6b5a554a9f0ac
   - '2.7': e176e0c105786e9f476758eb5438c57223b65e7f
  description: |
    http.client allows to pass control characters like CRLF newlines which can
    be abused to inject HTTP headers.

- name: "Email header injection in Address objects"
  slug: email-address-header-injection
  bpo: 39073
  fixed-in:
   - '3.9': 614f17211c5fc0e5b828be1d3320661d1038fe8f
   - '3.8': 75635c6095bcfbb9fccc239115d3d03ae20a307f
   - '3.7': a93bf82980d7c02217a088bafa193f32a4d13abb
   - '3.6': 7df32f844efed33ca781a016017eab7050263b90
   - '3.5': f91a0b6df14d6c5133fe3d5889fad7d84fc0c046
  description: |
    It is possible to inject email headers using CR or LF character.

    The fix disallows CR and LF characters in ``email.headerregistry.Address``
    arguments to guard against header injection attacks.

- name: "Remove newline characters from uu encoding methods"
  slug: uu-encoding-newline
  bpo: 38945
  reported-at: "2019-11-28 (PSRT list)"
  reported-by: "Matthew Rollings"
  fixed-in:
   - '3.9': a62ad4730c9b575f140f24074656c0257c86a09a
   - '3.8': 8859fc629474ab1ca7eb2e67aec538097c327e58
   - '3.7': 87f2d261ee1c63ed39517355833d087c5a78b4bf
   - '3.6': 30afc91f5e70cf4748ffac77a419ba69ebca6f6a
   - '3.5': 8835f465fa94f114dcf865429c0410821d365dae
   - '2.7': a016d4e32cc9faa48105d00db275439c3dc93559
  description: |
    Filenames passed to the UU encoding methods (uu.py and uu_codec.py) that
    contain a newline character will overflow data into the UU content section.
    This can potentially be used to inject replace or corrupt data content in a
    file during the decode process.

    The fix removes newline characters from filenames.

- name: "Py_SetPath(): _Py_CheckPython3 uses uninitialized DLL path"
  slug: pysetpath-python-dll-path
  # CVE can be a single string or a list
  cve: CVE-2020-15523
  # Bug number at bugs.python.org (bpo)
  bpo: 29778
  reported-at: "2020-06-24 (email to PSRT)"
  reported-by: "Erdenebat (Eric) Gantumur"
  fixed-in:
   - '3.10': dcbaa1b49cd9062fb9ba2b9d49555ac6cd8c60b5
   - '3.9': 4981fe36c7477303de830e8dca929a02caaaffe4
   - '3.8': aa7f7756149a10c64d01f583b71e91814db886ab
   - '3.7': 110dd153662a13b8ae1bb06348e5b1f118ab26d7
   - '3.6': 46cbf6148a46883110883488d3e9febbe46ba861
   - '3.5': f205f1000a2d7f8b044caf281041b3705f293480
  description: |
    CVE-2020-15523 is an invalid search path in Python 3.6 and later on
    Windows. It occurs during Py_Initialize() when the runtime attempts to
    pre-load python3.dll. If Py_SetPath() has been called, the expected
    location is not set, and locations elsewhere on the user's system will be
    searched.

    This issue is not triggered when running python.exe. It only applies when
    CPython has been embedded in another application.

    * Issue: https://bugs.python.org/issue29778
    * Patch: https://github.com/python/cpython/pull/21297

    The next patched releases will be: 3.9.0b5, 3.8.4, 3.7.9 (source only),
    3.6.12 (source only).

    Other than applying the patch, applications may mitigate the vulnerability
    by explicitly calling LoadLibrary() on their copy of python3.dll before
    calling Py_Initialize(). Even with the patch applied, applications should
    include a copy of python3.dll alongside their main Python DLL.

    Thanks to Eric Gantumur for detecting and reporting the issue to the Python
    Security Response Team.

    The https://bugs.python.org/issue41304 issue fixed a regression in this
    vulnerability fix.

    The original discovery credit goes to Eran Shimony and Ido Hoorvitch from
    CyberArk.

- name: "[CVE-2020-14422] Hash collisions in IPv4Interface and IPv6Interface"
  slug: ipaddress-hash-collisions
  cve: CVE-2020-14422
  bpo: 41004
  fixed-in:
   - '3.10': b30ee26e366bf509b7538d79bfec6c6d38d53f28
   - '3.8': dc8ce8ead182de46584cc1ed8a8c51d48240cbd5
   - '3.9': 9a646aa82dfa62d70ca2a99ada901ee6cf9f82bd
   - '3.7': b98e7790c77a4378ec4b1c71b84138cb930b69b7
   - '3.6': cfc7ff8d05f7a949a88b8a8dd506fb5c1c30d3e9
   - '3.5': 11d258ceafdf60ab3840f9a5700f2d0ad3e2e2d1
  description: |
    In the ipaddress library there exists two classes IPv4Interface, and
    IPv6Interface. These classes' hash functions will always return 32 and 64
    respectively. If IPv4Interface or IPv6Interface objects then are put in a
    dictionary, on for example a server storing IPs, this will cause hash
    collisions, which in turn can lead to DOS.

    Resolve hash collisions for IPv4Interface and IPv6Interface. The __hash__()
    methods of classes IPv4Interface and IPv6Interface had issue of generating
    constant hash values of 32 and 128 respectively causing hash collisions.
    The fix uses the hash() function to generate hash values for the objects
    instead of XOR operation.

- name: "Infinite loop in tarfile module while opening a crafted file"
  slug: tarfile-pax-dos
  cve: CVE-2019-20907
  bpo: 39017
  fixed-in:
   - '3.5': cac9ca8ed99bd98f4c0dcd1913a146192bf5ee84
   - '3.6': 47a2955589bdb1a114d271496ff803ad73f954b8
   - '3.7': 79c6b602efc9a906c8496f3d5f4d54c54b48fa06
   - '3.8': c55479556db015f48fc8bbca17f64d3e65598559
   - '3.9': f3232294ee695492f43d424cc6969d018d49861d
   - '3.10': 5a8d121a1f3ef5ad7c105ee378cc79a3eac0c7d4
  description: |
     Infinite loop in tarfile module while opening a crafted TAR archive in
     the PAX format with a length of zero.

     Avoid infinite loop when reading specially crafted TAR files using the
     tarfile module (CVE-2019-20907).

- name: "http.client: HTTP Header Injection in the HTTP method"
  slug: http-header-injection-method
  cve: CVE-2020-26116
  bpo: 39603
  fixed-in:
   - '3.5': 524b8de630036a29ca340bc2ae6fd6dc7dda8f40
   - '3.6': f02de961b9f19a5db0ead56305fe0057a78787ae
   - '3.7': ca75fec1ed358f7324272608ca952b2d8226d11a
   - '3.8': 668d321476d974c4f51476b33aaca870272523bf
   - '3.9': 27b811057ff5e93b68798e278c88358123efdc71
   - '3.10': 8ca8a2e8fb068863c1138f07e3098478ef8be12e
  description: |
    It is possible to inject HTTP headers via the HTTP method which doesn't
    reject newline characters.

- name: "CJK codecs tests call eval() on content retrieved via HTTP"
  slug: cjk-codec-download-eval
  cve: CVE-2020-27619
  bpo: 41944
  reported-at: "2020-10-05 (email sent to the PSRT list)"
  reported-by: "Florian Bruhin"
  fixed-in:
   - '3.10': 2ef5caa58febc8968e670e39e3d37cf8eef3cab8
   - '3.9': b664a1df4ee71d3760ab937653b10997081b1794
   - '3.8': 6c6c256df3636ff6f6136820afaefa5a10a3ac33
   - '3.7': 43e523103886af66d6c27cd72431b5d9d14cd2a9
   - '3.6': e912e945f2960029d039d3390ea08835ad39374b
  links:
    - https://access.redhat.com/security/cve/CVE-2020-27619
  description: |
    By default, the tests are not run with network resources enabled and so the
    Python test suite is safe.

    But if the Python test suite is run explicitly with the "network" resource
    enabled (``-u network`` or ``-u all`` command line option), the CJK codecs
    tests of the Python test suite run ``eval()`` on content received via HTTP
    from ``pythontest.net``.

    If an attacker can compromise the ``pythontest.net`` server, they gain
    arbitrary code execution on all buildbots.

    If an attacker has control over the network connection of a machine running
    the Python test suite, they gain arbitrary code execution there.

    ``make testall``, ``make testuniversal`` and ``make buildbottest`` commands
    are impacted (pass ``-u all`` option to the test suite).

    The CI of the Python project is impacted (buildbot, Travis CI,
    GitHub Action, Azure Pipelines).

    With the fix, content is still retrieved via HTTP, but the unsafe eval()
    function is no longer used.

- name: "ctypes: Buffer overflow in PyCArg_repr"
  slug: ctypes-buffer-overflow-pycarg_repr
  bpo: 42938
  cve: CVE-2021-3177
  links:
   - https://access.redhat.com/security/cve/cve-2021-3177
  fixed-in:
   - '3.6': 34df10a9a16b38d54421eeeaf73ec89828563be7
   - '3.7': d9b8f138b7df3b455b54653ca59f491b4840d6fa
   - '3.8': ece5dfd403dac211f8d3c72701fe7ba7b7aa5b5f
   - '3.9': c347cbe694743cee120457aa6626712f7799a932
   - '3.10': 916610ef90a0d0761f08747f7b0905541f0977c7
  description: |
    There's a buffer overflow in the ctypes ``PyCArg_repr()`` function.

- name: "urllib parse_qsl(): Web cache poisoning - semicolon as a query args separator"
  slug: urllib-query-string-semicolon-separator
  cve: CVE-2021-23336
  bpo: 42967
  links:
   - https://snyk.io/blog/cache-poisoning-in-popular-open-source-packages/
   - https://snyk.io/vuln/SNYK-UPSTREAM-PYTHONCPYTHON-1074933
  fixed-in:
   - '3.10': fcbe0cb04d35189401c0c880ebfb4311e952d776
   - '3.9': c9f07813ab8e664d8c34413c4fc2d4f86c061a92
   - '3.8': e3110c3cfbb7daa690d54d0eff6c264c870a71bf
   - '3.7': d0d4d30882fe3ab9b1badbecf5d15d94326fd13e
   - '3.6': 5c17dfc5d70ce88be99bc5769b91ce79d7a90d61
  reported-at: "2020-10-19 (email sent to the PSRT list)"
  reported-by: "Adam Goldschmidt (Snyk)"
  description: |
    The urlparse module treats semicolon as a separator, whereas most proxies
    today only take ampersands as separators.

    When the attacker can separate query parameters using a semicolon ``;``,
    they can cause a difference in the interpretation of the request between
    the proxy (running with default configuration) and the server. This can
    result in malicious requests being cached as completely safe ones, as the
    proxy would usually not see the semicolon as a separator, and therefore
    would not include it in a cache key of an unkeyed parameter - such as
    `utm_*` parameters, which are usually unkeyed.

    The fix is to only use ampersands ``&`` as separators, and add a
    *separator* parameter to chose the separator characters.

- name: "Information disclosure via pydoc getfile"
  slug: pydoc-getfile
  cve: CVE-2021-3426
  bpo: 42988
  reported-at: "2021-01-19"
  reported-by: "David Schwörer (on the Fedora bugzilla)"
  links:
    - https://bugzilla.redhat.com/show_bug.cgi?id=1917807
  fixed-in:
   - '3.10': 9b999479c0022edfc9835a8a1f06e046f3881048
   - '3.9': ed753d94856213ae9fc028195f670e66a24e2334
   - '3.8': 7e38d3309e0a5a7b9e23ef933aef0079c6e317f7
   - '3.7': 7c2284f97d140c4e4a85382bfb3a42440be2464d
   - '3.6': 5b1e50256b6532667b6d31debc350f6c7d3f30aa
  description: |
    Running "pydoc -p" allows other local users to extract arbitrary files.

    The "/getfile?key=path" URL allows to read arbitrary file on the
    filesystem.

- name: "ftplib should not use the host from the PASV response"
  slug: ftplib-pasv
  bpo: 43285
  links:
    - "curl vulnerability: `CVE-2020-8284: trusting FTP PASV responses <https://hackerone.com/reports/1040166>`_."
  fixed-in:
   - '3.10': 0ab152c6b5d95caa2dc1a30fa96e10258b5f188e
   - '3.9': 7dcb4baa4f0fde3aef5122a8e9f6a41853ec9335
   - '3.8': 664d1d16274b47eea6ec92572e1ebf3939a6fa0c
   - '3.7': 79373951b3eab585d42e0f0ab83718cbe1d0ee33
   - '3.6': 4134f154ae2f621f25c5d698cc0f1748035a1b88
  description: |
    The IPv4 address value returned from the server in response to the PASV
    command should not be trusted. This prevents a malicious FTP server from
    using the response to probe IPv4 address and port combinations on the
    client network.

    Instead of using the returned address, we use the IP address we're already
    connected to. This is the strategy other ftp clients adopted, and matches
    the only strategy available for the modern IPv6 EPSV command where the
    server response must return a port number and nothing else.

- name: "ipaddress leading zeros in IPv4 address"
  slug: ipaddress-ipv4-leading-zeros
  cve: CVE-2021-29921
  links:
    - https://sick.codes/sick-2021-014
  reported-at: "2021-03-30"
  reported-by: "George-Cristian Bîrzan, Felipe Rodrigues (emails to the PSRT list)"
  disclosure: "2021-03-30 (comment on bpo-36384)"
  affected-versions:
   - '3.8'
   - '3.9'
   - '3.10'
  fixed-in:
   - '3.10': 60ce8f0be6354ad565393ab449d8de5d713f35bc
   - '3.9': 5374fbc31446364bf5f12e5ab88c5493c35eaf04
   - '3.8': 03dd89d62413c4a92831ed1b36e2ae8983bcb2d4
  description: |
    The ipaddress module accepts leading zeros in IPv4 addresses.

    Python 3.8 as modified in `bpo-36384 <https://bugs.python.org/issue36384>`_
    to accept leading zeros. The vulnerability was made public `in a comment
    of the issue <https://bugs.python.org/issue36384#msg389826>`_.

    Python 3.8 is left unchanged (accept leading zeros). Python 3.7 and older
    are not affected.

    Vulnerability discovered and reported the same day by two persons:
    George-Cristian Bîrzan and Felipe Rodrigues.

- name: "CVE-2013-0340 Billion Laughs fixed in Expat 2.4.0"
  slug: expat-billion-laughs
  cve: CVE-2013-0340
  bpo: 44394
  links:
    - https://blog.hartwork.org/posts/cve-2013-0340-billion-laughs-fixed-in-expat-2-4-0/
  fixed-in:
   - '3.11': 3fc5d84046ddbd66abac5b598956ea34605a4e5d
   - '3.10': 270678564c16452614a8acd93763bdf64fb4d286
   - '3.9': 007221a43e566db08c0c5c00756d80dfd9dccafe
   - '3.8': c9c2a0bc9820f93f1020f3498f6893a3544c9b76
   - '3.7': 79101b890ee021a901a8b6837a3a320d57adb725
   - '3.6': 910886a6448e4bf1edf49eeace4aa240b6403772
  description: |
    On Windows and macOS, Python uses a vendored copy of libexpat which is
    vulnerable to the XML "Billion Laughs" expansion denial of service attack.

    Updating libexpat copy in Python to libexpat 2.4.0 or newer fix the
    vulnerability.

- name: "CVE-2021-3733: ReDoS in urllib.request"
  slug: urllib-basic-auth-regex2
  cve: CVE-2021-3733
  bpo: 43075
  links:
   - https://access.redhat.com/security/cve/cve-2021-3733
  fixed-in:
   - '3.10': 7215d1ae25525c92b026166f9d5cac85fb1defe1
   - '3.8': e7654b6046090914a8323931ed759a94a5f85d60
   - '3.9': a21d4fbd549ec9685068a113660553d7f80d9b09
   - '3.7': ada14995870abddc277addf57dd690a2af04c2da
   - '3.6': 3fbe96123aeb66664fa547a8f6022efa2dc8788f
  description: |
    The regular expression used by the AbstractBasicAuthHandler class of the
    urllib module is inefficient and can be abused by an attacker with a
    maliciuous HTTP server to cause a denial of service.

- name: "CVE-2021-3737: urllib HTTP client possible infinite loop on a 100 Continue response"
  slug: urllib-100-continue-loop
  cve: CVE-2021-3737
  bpo: 44022
  links:
    - https://access.redhat.com/security/cve/CVE-2021-3737
    - https://bugzilla.redhat.com/show_bug.cgi?id=1995162
  fixed-in:
   - '3.11': 47895e31b6f626bc6ce47d175fe9d43c1098909d
   - '3.10': 60ba0b68470a584103e28958d91e93a6db37ec92
   - '3.9': ea9327036680acc92d9f89eaf6f6a54d2f8d78d9
   - '3.8': f396864ddfe914531b5856d7bf852808ebfc01ae
   - '3.6': f68d2d69f1da56c2aea1293ecf93ab69a6010ad7
   - '3.7': 078b146f062d212919d0ba25e34e658a8234aa63
  description: |
    If a client request a HTTP/HTTPS/FTP service which is controlled by
    attacker, attacker can make this client hang forever, even if the client
    has set a *timeout* argument.

- name: "urllib.parse should sanitize urls containing ASCII newline and tabs."
  slug: urllib_parse_newline_tabs
  cve: CVE-2022-0391
  reported-at: "2021-03-16 (email sent to the PSRT list)"
  reported-by: "Mike Lissner"
  bpo: 43882
  links:
    - https://bugzilla.redhat.com/show_bug.cgi?id=2047376
  fixed-in:
   - '3.10': 76cd81d60310d65d01f9d7b48a8985d8ab89c8b4
   - '3.9': 491fde0161d5e527eeff8586dd3972d7d3a631a7
   - '3.8': 515a7bc4e13645d0945b46a8e1d9102b918cd407
   - '3.7': f4dac7ec55477a6c5d965e594e74bd6bda786903
   - '3.6': 6c472d3a1d334d4eeb4a25eba7bf3b01611bf667
  description: |
    A security issue was reported by Mike Lissner wherein an attacker was able
    to use ``\r\n`` in the url path, the urlparse method didn't sanitize and
    allowed those characters be present in the request::

        >>> from urllib.parse import urlsplit
        >>> urlsplit("java\nscript:alert('bad')")
        SplitResult(scheme='', netloc='', path="java\nscript:alert('bad')", query='', fragment='')

    Firefox and other browsers ignore newlines in the scheme. From the
    browser console::

        >> new URL("java\nscript:alert(bad)")
        << URL { href: "javascript:alert(bad)", origin: "null", protocol:
        "javascript:", username: "", password: "", host: "", hostname: "", port: "", pathname: "alert(bad)", search: ""

    Mozilla Developers informed about the controlling specification for URLs is
    in fact defined by the "URL Spec" from WHATWG which updates RFC 3986 and
    specifies that tabs and newlines should be stripped from the scheme.

    See: https://url.spec.whatwg.org/#concept-basic-url-parser

    That link defines an automaton for URL parsing. From that link, steps 2 and
    3 of scheme parsing read:

    If input contains any ASCII tab or newline, validation error.
    3. Remove all ASCII tab or newline from input.

    urlparse module behavior should be updated, and an ASCII tab or newline
    should be removed from the url (sanitized) before it is sent to the
    request, as WHATWG spec.

    More commits:

    * `3.11 <https://github.com/python/cpython/commit/985ac016373403e8ad41f8d563c4355ffa8d49ff>`__
    * `3.10 <https://github.com/python/cpython/commit/24f1d1a8a2c4aa58a606b4b6d5fa4305a3b91705>`__
    * `3.9 <https://github.com/python/cpython/commit/8a595744e696a0fb92dccc5d4e45da41571270a1>`__

    Doc changes:

    * `3.10 <https://github.com/python/cpython/commit/f14015adf52014c2345522fe32d43f15f001c986>`__
    * `3.9 <https://github.com/python/cpython/commit/0593ae84af9e0e8332644e7ed13d7fd8306c4e1a>`__
    * `3.8 <https://github.com/python/cpython/commit/634da2de88af06eb8c6ebdb90d8c00005847063d>`__
    * `3.7 <https://github.com/python/cpython/commit/c723d5191110f99849f7b0944820f6c3cd5f7747>`__
    * `3.6 <https://github.com/python/cpython/commit/6f743e7a4da904f61dfa84cc7d7385e4dcc79ac5>`__

- name: "Windows: vulnerable bzip2 1.0.6"
  slug: update-bzip2-1-0-6
  cve:
    - CVE-2016-3189
    - CVE-2019-12900
  bpo: 44549
  links:
    - https://access.redhat.com/security/cve/cve-2016-3189
    - https://access.redhat.com/security/cve/cve-2019-12900
  fixed-in:
    - '3.10': 58d576a43cb1800dd68f06a429d7d41f746a8c01
    - '3.9':  e1639f361ee0dfbf08bb8538839d3d557c1a995c
    - '3.8':  6649519e67841b1aa12672f1d9b5cb24494f6196
    - '3.7':  4a3c610cd635f14747cf02c77908e80620aae6ea
  description: |
    bzip2 is a dependency of CPython, and its 1.0.6 version
    has the following two vulnerabilities.

    CVE-2016-3189:
    A use-after-free flaw was found in bzip2recover,
    leading to a null pointer dereference, or a write to a closed file
    descriptor. An attacker could use this flaw by sending a specially
    crafted bzip2 file to recover and force the program to crash.

    CVE-2019-12900:
    BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds
    write when there are many selectors.

    These vulnerabilities are fixed by updating bzip2 to 1.0.8 in Windows builds.

    On Linux and macOS, you can fix them by specifying the dynamically link
    version of bzip2.

- name: "Prevent DoS by large str-int conversions"
  slug: large-int-str-dos
  cve: CVE-2020-10735
  gh: 95778
  links:
    - "`pydantic potential DOS when loading malicious JSON <https://github.com/pydantic/pydantic/issues/1477>`_ by Samuel Colvin (May 5, 2020)"
    - "`Red Hat: CVE-2020-10735 <https://access.redhat.com/security/cve/CVE-2020-10735>`_"
    - "LWN: `A Python security fix breaks (some) bignums <https://lwn.net/Articles/907572/>`_ (September 14, 2022)"
    - "`Python releases 3.10.7, 3.9.14, 3.8.14, and 3.7.14 are now available <https://pythoninsider.blogspot.com/2022/09/python-releases-3107-3914-3814-and-3714.html>`_ (September 7, 2022)"
  reported-at: "2020-05-05 (PSRT email)"
  reported-by: "Larry Yuan"
  fixed-in:
   - '3.7': 15ec1afd4fcd2da1e2d2b256c562fb42d8d886a2
   - '3.8': b5e331fdb38684808ffc540d53e8595bdc408b89
   - '3.9': cec1e9dfd769bd3a16142d0fdd1a36f19c77ed15
   - '3.10': 8f0fa4bd10aba723aff988720cd26b93be99bc12
   - '3.11': f8b71da9aac6ea74808dcdd0cc266e705431356b
   - '3.12': 511ca9452033ef95bc7d7fc404b8161068226002
  description: |
    A Denial Of Service (DoS) issue was identified in CPython because we use
    binary bignum's for our int implementation. A huge integer will always
    consume a near-quadratic amount of CPU time in conversion to or from a base
    10 (decimal) string with a large number of digits. No efficient algorithm
    exists to do otherwise.

    It is quite common for Python code implementing network protocols and data
    serialization to do int(untrusted_string_or_bytes_value) on input to get a
    numeric value, without having limited the input length or to do
    ``log("processing thing id %s", unknowingly_huge_integer)`` or any similar
    concept to convert an int to a string without first checking its magnitude.
    (http, json, xmlrpc, logging, loading large values into integer via
    linear-time conversions such as hexadecimal stored in yaml, or anything
    computing larger values based on user controlled inputs… which then wind up
    attempting to output as decimal later on). All of these can suffer a CPU
    consuming DoS in the face of untrusted data.

    Everyone auditing all existing code for this, adding length guards, and
    maintaining that practice everywhere is not feasible nor is it what we deem
    the vast majority of our users want to do.

    This issue has been reported to the Python Security Response Team multiple
    times by a few different people since early 2020, most recently a few weeks
    ago while I was in the middle of polishing up the PR so it’d be ready
    before 3.11.0rc2.

    After discussion on the Python Security Response Team mailing list the
    conclusion was that we needed to limit the size of integer to string
    conversions for non-linear time conversions (anything not a power-of-2
    base) by default. And offer the ability to configure or disable this limit.

    The fix adds ``PYTHONINTMAXSTRDIGITS=digits`` environment variable, ``-X
    int_max_str_digits=digits`` command line option and
    ``sys.set_int_max_str_digits(digits)`` function to configure the new limit.
    Use a limit of ``0`` digits to disable the limit. The fix also adds
    ``sys.get_int_max_str_digits()`` function and
    ``sys.int_info.default_max_str_digits`` (compiled-in default limit) and
    ``sys.int_info.str_digits_check_threshold`` (lowest accepted value for the
    limit) variables

    The ``json.load()`` denial of service was first reported as a `public
    pydantic issue <https://github.com/pydantic/pydantic/issues/1477>`_ in May
    2020. Then it was reported to the Python Security Response Team by multiple
    persons:

    * Larry Yuan (May 5, 2020)
    * Tom Christie (May 6, 2020) via Sebastián Ramírez
    * Mike Gagnon (August 3, 2022)

- name: "mailcap shell command injection "
  slug: mailcap-shell-injection
  cve: CVE-2015-20107
  bpo: 24778
  fixed-in:
   - '3.12': b9509ba7a9c668b984dab876c7926fe1dc5aa0ba
   - '3.11': fae93ab16377db23ba6abc10480b04a58db62bdd
   - '3.10': 96739bccf220689a54ef33341f431eda19c287fa
   - '3.9': c59a16e2c7495a90e6d23a48ec98623f3fb1e176
   - '3.8': 0a4f650347fdcfd82d094ab2134ca89584f4e877
   - '3.7': 6e8e9e7c030b6236ff220362944cba1b93c84bc4
  description: |
    The ``mailcap`` module is vulnerable to shell code injection in filenames.
    If the filename contains a shell command, it will be executed if it is
    passed to ``os.system()`` as described in the documentation.

    To prevent security issues with shell metacharacters (symbols that have
    special effects in a shell command line), the ``mailcap.findmatch()``
    function now refuses to inject ASCII characters other than alphanumerics
    and ``@+=:,./-_`` into the returned command line.

- name: "Windows: vulnerable zlib 1.2.11"
  slug: update-zlib-1-2-11
  cve:
    - CVE-2018-25032
  bpo: 47194
  links:
    - https://access.redhat.com/security/cve/cve-2018-25032
  fixed-in:
    - '3.10': 16a809ffb7af14898ce9ec8165960d96cbcd4ec3
    - '3.9':  0f0f85e9d8088eb789cda35477900df32adff546
    - '3.8':  7ccdec3d1d837b910cd4fc5525ecde71a1326202
    - '3.7':  387f93c156288c170ff0016a75af06e109d48ee1
  description: |
    zlib v1.2.11 is a dependency of CPython on Windows.

    An out-of-bounds access flaw was found in zlib, which allows memory
    corruption when deflating (ex: when compressing) if the input has many
    distant matches.

    This bug was introduced in zlib v1.2.2.2 through zlib v1.2.11 and fixed
    in v1.2.12.

    On Windows, you could fix this vulnerability by updating zlib to
    1.2.12 in Windows builds. On Linux and macOS, Python uses the system zlib
    library to build by default, you could update your system zlib version.
    You can also specify a bugfixed zlib different from the system zlib
    by setting CPPFLAGS and LDFLAGS.

- name: "http.server: Open Redirection if the URL path starts with //"
  slug: http-server-redirection
  cve: CVE-2021-28861
  gh: 87389
  reported-at: "2021-02-14"
  reported-by: "Hamza Avvan (email to PSRT)"
  links:
    - https://access.redhat.com/security/cve/CVE-2021-28861
  fixed-in:
   - '3.12': 4abab6b603dd38bec1168e9a37c40a48ec89508e
   - '3.11': e2e8847bf52f4a81490653c6d13b7e3821b2c2be
   - '3.10': 5715382d3a89ca118ce2e224d8c69550d21fe51b
   - '3.9': defaa2b19a9a01c79c1d5641a8aa179bb10ead3f
   - '3.8': 4dc2cae3abd75f386374d0635d00443b897d0672
   - '3.7': 8a34afd55258c721e446d6de4a70353c39a24148
  description: |
    This security flaw causes an open redirection vulnerability in
    ``Lib/http/server.py`` due to no protection against multiple (``/``) at the
    beginning of the URI path.

- name: "Linux specific local privilege escalation via the multiprocessing forkserver start method"
  slug: multiprocessing-abstract-socket
  cve: CVE-2022-42919
  gh: 97514
  reported-at: "2022-09-07 (email to PSRT)"
  reported-by: "Devin Jeanpierre (Google)"
  links:
    - Ubuntu: https://ubuntu.com/security/notices/USN-5713-1
    - Red Hat: https://bugzilla.redhat.com/show_bug.cgi?id=2138705
    - openSUSE: https://bugzilla.suse.com/show_bug.cgi?id=1204886
  fixed-in:
   - '3.12': 49f61068f49747164988ffc5a442d2a63874fc17
   - '3.11': 4c0c1e201a896ee5141df9a698e8a94aad2d5e6d
   - '3.10': eae692eed18892309bcc25a2c0f8980038305ea2
   - '3.9': b43496c01a554cf41ae654a0379efae18609ad39
  affected-versions:
   - '3.9'
   - '3.10'
   - '3.11'
  description: |
    Python 3.9, 3.10, and 3.11.0rc2 on Linux may allow for a local privilege
    escalation attack in a non-default configuration when code uses the
    multiprocessing module and configures multiprocessing to use the forkserver
    start method.

    This issue was discovered by Devin Jeanpierre (@ssbr) of Google.

- name: "Buffer overflow in the _sha3 module in Python 3.10 and older"
  slug: sha3-buffer-overflow
  cve: CVE-2022-37454
  gh: 98517
  links:
    - https://github.com/XKCP/XKCP/security/advisories/GHSA-6w4m-2xhg-2658
    - openSUSE: https://bugzilla.suse.com/show_bug.cgi?id=CVE-2022-37454
    - https://mouha.be/sha-3-buffer-overflow/
  affected-versions:
   - "3.7"
   - "3.8"
   - "3.9"
   - "3.10"
  fixed-in:
   - '3.7': 8088c90044ba04cd5624b278340ebf934dbee4a5
   - '3.8': 948c6794711458fd148a3fa62296cadeeb2ed631
   - '3.9': 857efee6d2d43c5c12fc7e377ce437144c728ab8
   - '3.10': 0e4e058602d93b88256ff90bbef501ba20be9dd3
  description: |
    CVE-2022-37454 affects Python versions prior to 3.11. The fix discussed in
    `XKCP's advisory
    <https://github.com/XKCP/XKCP/security/advisories/GHSA-6w4m-2xhg-2658>`_
    can be adapted to these versions. The discoverer's writeup contains code
    that might be turned into regression tests.

    Python 3.11 is not affected: Python 3.11 switched to using tiny_sha3 in
    `issue GH-91254 <https://github.com/python/cpython/issues/91254>`_.

    The XKCP vulnerability has been found by Nicky Mouha.

- name: "Slow IDNA decoding with large strings"
  slug: slow-idna-large-strings
  cve: CVE-2022-45061
  gh: 98433
  reported-at: "2022-09-09 (email to PSRT)"
  reported-by: "Guido Vranken"
  fixed-in:
   - '3.12': d315722564927c7202dd6e111dc79eaf14240b0d
   - '3.11': a6f6c3a3d6f2b580f2d87885c9b8a9350ad7bf15
   - '3.10': 9bb8e18ca46fe66fa6802602f8a7228a24dd785f
   - '3.9': c09dba57cfbbf74273ce44b1f48f71b46806605c
   - '3.8': 82ca2839c9ec6bf9a9400e791a52411824df67f3
   - '3.7': b0b590be9597fd5919228d251812dd54145f70a7
  description: |
    IDNA decoding execution time is not linear in relation to the input string
    size, which can cause slowness with large inputs:

    * 10 chars = 0.016 seconds
    * 100 chars = 0.047 seconds
    * 1000 chars = 2.883 seconds
    * 2500 chars = 17.724 seconds
    * 5000 chars = 1 min 10 seconds

    According to `Unicode Technical Standard #46
    <https://unicode.org/reports/tr46/>`_, an IDNA label must not be longer
    than 63 characters. The Python ``idna`` module enforces the restriction,
    but too late.

- name: "urlparse does not correctly handle schemes"
  slug: urlparse-scheme
  cve: CVE-2023-24329
  gh: 99418
  links:
    - https://pointernull.com/security/python-url-parse-problem.html
  fixed-in:
   - '3.12': 439b9cfaf43080e91c4ad69f312f21fa098befc7
   - '3.11': 72d356e3584ebfb8e813a8e9f2cd3dccf233c0d9
  description: |
    Fix bug in ``urlparse()`` of ``urllib.parse`` that causes URL schemes that
    begin with a digit, a plus sign, or a minus sign to be parsed incorrectly.

- name: "Parsing errors in email/_parseaddr.py lead to incorrect value in email address part of tuple"
  slug: email-parseaddr-realname
  cve: CVE-2023-27043
  gh: 102988
  #fixed-in:
  # - '3.x': xxx
  # - '3.y': xxx
  description: |
    The e-mail module incorrectly parses e-mail addresses which contain a
    special character. This vulnerability allows attackers to send messages
    from e-ail addresses that would otherwise be rejected.