FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

python 3.6 -- multiple vulnerabilities

Affected packages
python36 < 3.6.9

Details

VuXML ID 18ed9650-a1d6-11e9-9b17-fcaa147e860e
Discovery 2019-03-13
Entry 2019-07-08

Python changelog:

bpo-35907: CVE-2019-9948: Avoid file reading by disallowing local-file:// and local_file:// URL schemes in URLopener().open() and URLopener().retrieve() of urllib.request.

bpo-36742: Fixes mishandling of pre-normalization characters in urlsplit().

bpo-30458: Address CVE-2019-9740 by disallowing URL paths with embedded whitespace or control characters through into the underlying http client request. Such potentially malicious header injection URLs now cause an http.client.InvalidURL exception to be raised.

bpo-36216: Changes urlsplit() to raise ValueError when the URL contains characters that decompose under IDNA encoding (NFKC-normalization) into characters that affect how the URL is parsed.

bpo-33529: Prevent fold function used in email header encoding from entering infinite loop when there are too many non-ASCII characters in a header.

bpo-35121: Don't send cookies of domain A without Domain attribute to domain B when domain A is a suffix match of domain B while using a cookiejar with http.cookiejar.DefaultCookiePolicy policy. Patch by Karthikeyan Singaravelan.

References

CVE Name CVE-2019-9740
CVE Name CVE-2019-9948
URL https://docs.python.org/3.6/whatsnew/changelog.html#python-3-6-9-final