FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

Python -- multiple vulnerabilities

Affected packages
python37 < 3.7.8


VuXML ID 33c05d57-bf6e-11ea-ba1e-0800273f78d3
Discovery 2019-10-24
Entry 2020-07-06

Python reports:

The AbstractBasicAuthHandler class of the urllib.request module uses an inefficient regular expression which can be exploited by an attacker to cause a denial of service. Fix the regex to prevent the catastrophic backtracking. Vulnerability reported by Ben Caller and Matt Schwager.

Disallow control characters in hostnames in http.client, addressing CVE-2019-18348. Such potentially malicious header injection URLs now cause a InvalidURL to be raised.

Disallow CR or LF in email.headerregistry.Address arguments to guard against header injection attacks.


CVE Name CVE-2019-18348
CVE Name CVE-2020-8492