Gentoo Project

Python

Security Bug Reports

• dev-python/pip: Possible code execution via untrusted packages from external indexes (CVE-2018-20225)

  721672 - Assigned to Gentoo Security
• <dev-python/rsa-4.7: timing attack vulnerability (CVE-2020-25658)

  760702 - Assigned to Gentoo Security
• <dev-python/reportlab-3.5.56: SSRF vulnerability (CVE-2020-28463)

  771552 - Assigned to Gentoo Security
• <dev-python/sqlparse-0.4.2: ReDOS in 'strip comments' filter

  812512 - Assigned to Gentoo Security
• <dev-python/python-ldap-3.4.0: ReDoS via specially-crafted LDAP schema

  827634 - Assigned to Gentoo Security
• <dev-python/markdown2-2.4.2: ReDoS on "auto linking urls"

  827977 - Assigned to Gentoo Security
• dev-python/ujson: stack-based buffer overflow

  830373 - Assigned to Gentoo Security
• <dev-python/numpy-1.22.2: null pointer dereference

  832736 - Assigned to Gentoo Security
• <dev-python/waitress-2.1.1: multiple "HTTP desync/HTTP request smuggling" vulnerabilities

  835492 - Assigned to Gentoo Security
• dev-python/nbconvert: arbitrary html injection

  865721 - Assigned to Gentoo Security
• <dev-python/oslo-utils-4.12.1: plaintext logging of certain passwords

  867328 - Assigned to Gentoo Security
• dev-python/py: ReDoS via subversion repository with crafted info

  877455 - Assigned to Gentoo Security
• <dev-python/werkzeug-2.2.3: DoS via multipart form upload

  897962 - Assigned to Gentoo Security
• <dev-python/tornado-6.3.2: open redirect vulnerability

  906519 - Assigned to Gentoo Security
• dev-python/reportlab: remote code execution

  907924 - Assigned to Gentoo Security
• <dev-python/starlette-0.27.0: local file inclusion vulnerability

  907929 - Assigned to Gentoo Security
• <dev-python/werkzeug-{2.3.8,3.0.1}: DoS via malformed multipart data

  917768 - Assigned to Gentoo Security
• <dev-python/pypdf-3.17.0: multiple vulnerabilities

  918441 - Assigned to Gentoo Security
• <dev-python/twisted-23.10.0_rc1: response ordering vulnerability

  918526 - Assigned to Gentoo Security
• <dev-python/paramiko-3.4.0: terrapin vulnerability

  920299 - Assigned to Gentoo Security
• <dev-python/pycryptodome-3.19.1: side-channel leakage with OAEP decryption

  920912 - Assigned to Gentoo Security
• <dev-python/idna-3.7: potential DoS via resource consumption via specially crafted inputs to idna.encode()

  929208 - Assigned to Gentoo Security
• <dev-python/flask-cors-4.0.1: log injection when the log level is set to debug

  931228 - Assigned to Gentoo Security
• <dev-python/requests-2.32.0: Session object does not verify requests after making first request with verify=False

  932327 - Assigned to Gentoo Security
• <dev-python/pymysql-1.1.1: SQL injection if used with untrusted JSON input

  932396 - Assigned to Gentoo Security
• <dev-python/django-{5.0.7,4.2.14}: multiple vulnerabilities

  935793 - Assigned to Gentoo Security
• <dev-lang/python-{3.8.19_p3,3.9.19_p4,3.10.14_p2,3.11.9_p1,3.12.4_p3,3.13.0_rc1_p1}, <dev-python/pypy3_{9,10}-7.3.16_p1: Email header injection due to unquoted newlines

  937124 - Assigned to Gentoo Security
• <dev-python/webob-1.8.8: Location header normalization during redirect leads to open redirect

  937946 - Assigned to Gentoo Security
• <dev-python/configobj-5.0.9: ReDoS via the validate function

  940017 - Assigned to Gentoo Security
• dev-lang/python: Virtual environment (venv) activation scripts don't quote paths

  942077 - Assigned to Gentoo Security
• <dev-python/werkzeug-3.0.6, <dev-python/quart-0.19.7: possible resource exhaustion when parsing file data in forms

  942200 - Assigned to Gentoo Security
• <dev-python/tornado-6.4.2: ReDoS in cookie parsing

  944393 - Assigned to Gentoo Security
• <dev-python/python-jose-3.4.0: multiple vulnerabilities

  949740 - Assigned to Gentoo Security