FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

Python -- multiple vulnerabilities

Affected packages
python38 < 3.8.10
python39 < 3.9.5


VuXML ID bffa40db-ad50-11eb-86b8-080027846a02
Discovery 2021-03-08
Entry 2021-05-05

Python reports:

bpo-43434: Creating a sqlite3.Connection object now also produces a sqlite3.connect auditing event. Previously this event was only produced by sqlite3.connect() calls. Patch by Erlend E. Aasland.

bpo-43882: The presence of newline or tab characters in parts of a URL could allow some forms of attacks.Following the controlling specification for URLs defined by WHATWG urllib.parse() now removes A SCII newlines and tabs from URLs, preventing such attacks.

bpo-43472: Ensures interpreter-level audit hooks receive the cpython. PyInterpreterState_New event when called through the _xxsubinterpreters module.

bpo-36384: ipaddress module no longer accepts any leading zeros in IPv4 address strings. Leading zeros are ambiguous and interpreted as octal notation by some libraries. For example the legacy function socket.inet_aton() treats leading zeros as octal notatation. glibc implementation of modern inet_pton() does not accept any leading zeros. For a while the ipaddress module used to accept ambiguous leading zeros.

bpo-43075: Fix Regular Expression Denial of Service (ReDoS) vulnerability in urllib.request.AbstractBasicAuthHandler. The ReDoS-vulnerable regex has quadratic worst-case complexity and it allows cause a denial of service when identifying crafted invalid RFCs. This ReDoS issue is on the client side and needs remote attackers to control the HTTP server.

bpo-42800: Audit hooks are now fired for frame.f_code, traceback.tb_frame, and generator code/frame attribute access.