Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 953493

Summary: <dev-lang/python-{3.8.20_p7,3.9.22,3.10.17,3.11.12,3.12.10,3.13.3,3.14.0_alpha7}, dev-lang/pypy-{3.10.7.3.19_p2,3.11.7.3.19_p5}: multiple vulnerabilities
Product: Gentoo Security Reporter: Michał Górny <mgorny>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: CONFIRMED ---    
Severity: normal CC: python
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: A4 [glsa?]
Package list:
Runtime testing required: ---
Bug Depends on: 953485, 953486, 953487, 953488, 953489, 953490, 953491, 953492    
Bug Blocks:    

Description Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2025-04-09 19:28:31 UTC 
From the changelogs:

3.9+
====
..

.. date: 2025-01-28-14-08-03
.. gh-issue: 105704
.. nonce: EnhHxu
.. section: Security

When using :func:`urllib.parse.urlsplit` and :func:`urllib.parse.urlparse`
host parsing would not reject domain names containing square brackets (``[``
and ``]``). Square brackets are only valid for IPv6 and IPvFuture hosts
according to `RFC 3986 Section 3.2.2
<https://www.rfc-editor.org/rfc/rfc3986#section-3.2.2>`__.

..

.. date: 2024-08-06-12-27-34
.. gh-issue: 121284
.. nonce: 8rwPxe
.. section: Security

Fix bug in the folding of rfc2047 encoded-words when flattening an email
message using a modern email policy. Previously when an encoded-word was too
long for a line, it would be decoded, split across lines, and re-encoded.
But commas and other special characters in the original text could be left
unencoded and unquoted. This could theoretically be used to spoof header
lines using a carefully constructed encoded-word if the resulting rendered
email was transmitted or re-parsed.

..

.. date: 2024-05-24-21-00-52
.. gh-issue: 119511
.. nonce: jKrXQ8
.. section: Security

Fix a potential denial of service in the :mod:`imaplib` module. When
connecting to a malicious server, it could cause an arbitrary amount of
memory to be allocated. On many systems this is harmless as unused virtual
memory is only a mapping, but if this hit a virtual address size limit it
could lead to a :exc:`MemoryError` or other process crash. On unusual
systems or builds where all allocated memory is touched and backed by actual
ram or storage it could've consumed resources doing so until similarly
crashing.


3.10+
=====
..

.. date: 2024-08-06-11-43-08
.. gh-issue: 80222
.. nonce: wfR4BU
.. section: Security

Fix bug in the folding of quoted strings when flattening an email message
using a modern email policy. Previously when a quoted string was folded so
that it spanned more than one line, the surrounding quotes and internal
escapes would be omitted. This could theoretically be used to spoof header
lines using a carefully constructed quoted string if the resulting rendered
email was transmitted or re-parsed.


3.12+
=====

..

.. date: 2024-11-28-20-29-21
.. gh-issue: 127371
.. nonce: PeEhUd
.. section: Security

Avoid unbounded buffering for
:meth:`!tempfile.SpooledTemporaryFile.writelines`. Previously, disk
spillover was only checked after the lines iterator had been exhausted. This
is now done after each line is written.
Comment 1 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2025-04-14 17:58:07 UTC 
cleanup done.