FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

python 3.7 -- multiple vulnerabilities

Affected packages
python37 < 3.7.4

Details

VuXML ID a449c604-a43a-11e9-b422-fcaa147e860e
Discovery 2019-03-13
Entry 2019-07-12

Python changelog:

bpo-37463: ssl.match_hostname() no longer accepts IPv4 addresses with additional text after the address and only quad-dotted notation without trailing whitespaces. Some inet_aton() implementations ignore whitespace and all data after whitespace, e.g.'127.0.0.1 whatever'.

bpo-35907: CVE-2019-9948: Avoid file reading by disallowing local-file:// and local_file:// URL schemes in URLopener().open() and URLopener().retrieve() of urllib.request.

bpo-36742: Fixes mishandling of pre-normalization characters in urlsplit().

bpo-30458: Address CVE-2019-9740 by disallowing URL paths with embedded whitespace or control characters through into the underlying http client request. Such potentially malicious header injection URLs now cause an http.client.InvalidURL exception to be raised.

bpo-33529: Prevent fold function used in email header encoding from entering infinite loop when there are too many non-ASCII characters in a header.

bpo-35755: shutil.which() now uses os.confstr("CS_PATH") if available and if the PATH environment variable is not set. Remove also the current directory from posixpath.defpath. On Unix, shutil.which() and the subprocess module no longer search the executable in the current directory if the PATH environment variable is not set.

References

CVE Name CVE-2019-9740
CVE Name CVE-2019-9948
URL https://docs.python.org/3.7/whatsnew/changelog.html#python-3-7-4-final