Gentoo Project

Python

Security Bug Reports

• dev-python/pip: Possible code execution via untrusted packages from external indexes (CVE-2018-20225)

  721672 - Assigned to security
• <dev-python/pypy3-7.3.2: multiple vulnerabilities

  741496 - Assigned to security
• <dev-python/pypy-7.3.2: multiple vulnerabilities

  741560 - Assigned to security
• <dev-python/rsa-4.7: timing attack vulnerability (CVE-2020-25658)

  760702 - Assigned to security
• <dev-python/autobahn-20.12.3: Redirect header injection (CVE-2020-35678)

  761840 - Assigned to security
• dev-python/m2crypto: Bleichenbacher vulnerability (CVE-2020-25657)

  765166 - Assigned to security
• <dev-python/pyyaml-5.4: Deserialization vulnerability (CVE-2020-14343)

  766228 - Assigned to security
• <dev-python/cryptography-3.3.2: certain sequences of update calls to symmetrically encrypt multi-GB values could result in an integer overflow and buffer overflow

  769419 - Assigned to security
• <dev-python/reportlab-3.5.56: SSRF vulnerability (CVE-2020-28463)

  771552 - Assigned to security
• <dev-python/pypy{,3}-{7.3.3_p2-r1,7.3.3_p37_p1-r1}: multiple vulnerabilties

  774114 - Assigned to security
• <dev-python/pypy3-7.3.3_p37_p3, <dev-python/pypy-7.3.3_p3: multiple vulnerabilities

  782520 - Assigned to security
• <dev-lang/python-{2.7.18_p9,3.6.13_p3,3.7.10_p3,3.8.9_p2,3.9.4_p1}: Improper Input Validation of octal literals (CVE-2021-29921)

  787260 - Assigned to security
• <dev-python/django-{2.2.21,3.1.9,3.2.1}: directory-traversal via uploaded files with suitably crafted file names (another one)

  788130 - Assigned to security
• <dev-python/django-{2.2.22,3.1.10,3.2.2}: header injection possibility via newlines and tabs in URLs (CVE-2021-32052)

  788700 - Assigned to security
• <dev-lang/python-{2.7.18_p11,3.6.13_p5,3.7.10_p6,3.8.10_p2,3.9.5_p2,3.10.0_beta2} <dev-python/pypy-7.3.4_p1 <dev-python/pypy3-{7.3.4_p2,7.3.5_rc3_p1}: multiple vulnerabilities

  793833 - Assigned to security
• <dev-python/django-{2.2.24,3.1.12,3.2.4}: multiple vulnerabilities (CVE-2021-{33203,33571})

  793911 - Assigned to security
• <dev-python/django-{3.1.13,3.2.5}: SQL injection vulnerability in QuerySet.order_by() (CVE-2021-35042)

  799710 - Assigned to security
• <dev-python/pillow-8.3.0: buffer overflow (CVE-2021-34552)

  802090 - Assigned to security
• <dev-python/sqlparse-0.4.2: ReDOS in 'strip comments' filter

  812512 - Assigned to security
• <dev-python/python-ldap-3.4.0: ReDoS via specially-crafted LDAP schema

  827634 - Assigned to security
• <dev-python/markdown2-2.4.2: ReDoS on "auto linking urls"

  827977 - Assigned to security
• dev-python/ujson: stack-based buffer overflow

  830373 - Assigned to security
• <dev-python/numpy-1.22.2: null pointer dereference

  832736 - Assigned to security
• <dev-python/waitress-2.1.1: multiple "HTTP desync/HTTP request smuggling" vulnerabilities

  835492 - Assigned to security
• dev-python/virtualenv: bundles vulnerable urllib3 via vulnerable pip

  835625 - Assigned to security
• <dev-python/ujson-5.4.0: multiple vulnerabilities

  855689 - Assigned to security
• dev-python/cryptography: 'cargo audit' reports one or more bundled CRATES as vulnerable

  864049 - Assigned to security
• dev-python/nbconvert: arbitrary html injection

  865721 - Assigned to security
• dev-python/oslo-utils: plaintext logging of certain passwords

  867328 - Assigned to security
• dev-python/joblib: Arbitrary Code Execution via the pre_dispatch flag in Parallel() class (CVE-2022-21797)

  873151 - Assigned to security
• <dev-python/imageio-2.22.0-r1: downloads .so libraries from GitHub without verification

  874849 - Assigned to security
• dev-python/py: ReDoS via subversion repository with crafted info

  877455 - Assigned to security
• <dev-python/setuptools-65.5.1: REDoS vector in package_index

  879813 - Assigned to security
• <dev-lang/python-{3.8.15_p3,3.9.15_p3,3.10.8_p3,3.11.0_p2,3.12.0_alpha1_p2} <dev-python/pypy3-7.3.9_p9: CPU denial of service via inefficient IDNA decoder

  880629 - Assigned to security
• <dev-python/slixmpp-1.8.3: missing certificate hostname validation

  881181 - Assigned to security
• <dev-python/GitPython-3.1.30: code execution via crafted input to Repo.clone_from

  884623 - Assigned to security
• <dev-python/future-0.18.2-r3: ReDoS

  888109 - Assigned to security
• <dev-python/pillow-9.4.0: multiple vulnerabilities

  889594 - Assigned to security
• <dev-python/cryptography-39.0.1: Cipher.update_into can corrupt memory if passed an immutable python object as the outbuf

  893576 - Assigned to security
• <dev-lang/python-{3.10.10_p2,3.9.16_p2,3.8.16_p3}, <dev-python/pypy3-7.3.11_p1: urllib.parse blocklist bypass

  897958 - Assigned to security
• <dev-python/werkzeug-2.2.3: DoS via multipart form upload

  897962 - Assigned to security
• <dev-python/mpmath-1.3.0: ReDoS vulnerability in mpmathify

  900202 - Assigned to security