Bug 741496 - dev-python/pypy3: multiple vulnerabilities
Summary: dev-python/pypy3: multiple vulnerabilities
Status: CONFIRMED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-09-10 09:38 UTC by Michał Górny
Modified: 2020-09-10 21:39 UTC
CC List: 1 user

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Michał Górny 2020-09-10 09:38:54 UTC
The not-yet-released pypy3.6 version includes all vulnerabilities fixed since CPython v3.6.9rc1.  I'm working on making a patch set.
Comment 1 Michał Górny 2020-09-10 19:58:25 UTC
Speaking in CPython commits:

b23c0840ce [3.6] bpo-37228: Fix loop.create_datagram_endpoint()'s usage of SO_REUSEADDR (GH-17311). (GH-17571)
83fc70159b bpo-38576: Disallow control characters in hostnames in http.client (GH-18995) (GH-19002)
69cdeeb93e bpo-39503: CVE-2020-8492: Fix AbstractBasicAuthHandler (GH-18284) (GH-19304)
7df32f844e bpo-39073: validate Address parts to disallow CRLF (GH-19007) (#19224)
f02de961b9 bpo-39603: Prevent header injection in http methods (GH-18485) (GH-21539)
I'm working on getting them fixed upstream.  Either way, the fixes will be part of the upcoming 7.3.2 release.
Comment 2 Michał Górny 2020-09-10 19:59:41 UTC
Oh, and these two (that are already fixed in the hg branch):

cfc7ff8d05 [3.6] bpo-41004: Resolve hash collisions for IPv4Interface and IPv6Interface (GH-21033) (GH-21232)
47a2955589 bpo-39017: Avoid infinite loop in the tarfile module (GH-21454) (#21485)
Comment 3 Michał Górny 2020-09-10 21:39:19 UTC
Found a few more:

1789bbdd3e bpo-37461: Fix infinite loop in parsing of specially crafted email headers (GH-14794) (GH-14817)
13a19139b5 bpo-34155: Dont parse domains containing @ (GH-13079) (GH-14826)
1698cacfb9 bpo-38243, xmlrpc.server: Escape the server_title (GH-16373) (GH-16441)
0716056c49 bpo-38804: Fix REDoS in http.cookiejar (GH-17157) (#17343)
30afc91f5e bpo-38945: UU Encoding: Don't let newline in filename corrupt the output format (GH-17418) (GH-17444)
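A quick way to tell whether an installed interpreter (CPython or a PyPy3 build with the patch set applied) already carries some of the input-validation fixes listed in Comment 1 and Comment 3 is to call the affected standard-library entry points on constructed input and record whether the fixed behaviour is present. The probe below is an added example written for this bug; it is not part of the bug, of Gentoo's patch set, or of PyPy. It covers bpo-38576 (control characters in http.client hostnames), bpo-39603 (control characters in the HTTP method passed to putrequest), bpo-39073 (CR/LF in email.headerregistry.Address parts) and bpo-34155 (parseaddr on a domain containing a second @). The hostnames, the "a@b@c" string and the check labels are constructed; the exception types and return values are those the respective CPython fixes introduced. No network traffic is generated: http.client only buffers the request line, and every check raises or returns before endheaders() would send anything.

```python
"""Probe whether the running interpreter carries several of the CPython
input-validation fixes listed in this bug.

Added example for this bug report; it is not part of the bug, of Gentoo's
patch set, or of PyPy.  Each check calls only the standard library on
constructed input and records whether the *fixed* behaviour is present.
"""
import http.client
from email.headerregistry import Address
from email.utils import parseaddr


def check_host_control_chars() -> bool:
    """bpo-38576: http.client must reject control characters in hostnames.

    A patched interpreter raises http.client.InvalidURL from the constructor.
    The hostname is constructed and contains no ':' so the port parser is
    not what trips first.
    """
    try:
        http.client.HTTPConnection("localhost\r\n")
    except http.client.InvalidURL:
        return True
    return False


def check_method_control_chars() -> bool:
    """bpo-39603: putrequest() must reject control characters in the method.

    A patched interpreter raises ValueError before the request line is
    buffered.  Nothing is sent either way: no socket is opened until
    endheaders(), which is never called here.
    """
    conn = http.client.HTTPConnection("localhost")
    try:
        conn.putrequest("GET\r\nX-Test: 1", "/")
    except ValueError:
        return True
    finally:
        conn.close()
    return False


def check_address_crlf() -> bool:
    """bpo-39073: email.headerregistry.Address must refuse CR/LF in its parts.

    A patched interpreter raises ValueError instead of building a header
    value that spans two lines.
    """
    try:
        Address(username="user\r\n", domain="example.com")
    except ValueError:
        return True
    return False


def check_parseaddr_double_at() -> bool:
    """bpo-34155: parseaddr() must not split an address on a second '@'.

    A patched interpreter returns ('', '') for the constructed 'a@b@c'
    rather than a partial address a caller might deliver to.
    """
    return parseaddr("a@b@c") == ("", "")


# Constructed labels: bpo number plus the affected module.
CHECKS = {
    "bpo-38576 http.client hostname": check_host_control_chars,
    "bpo-39603 http.client method": check_method_control_chars,
    "bpo-39073 email Address CRLF": check_address_crlf,
    "bpo-34155 parseaddr double @": check_parseaddr_double_at,
}


def probe_fixes() -> dict:
    """Run every check; map its label to True (fixed) or False (missing)."""
    return {label: check() for label, check in CHECKS.items()}


if __name__ == "__main__":
    import sys

    results = probe_fixes()
    for label, fixed in results.items():
        print(f"{'fixed  ' if fixed else 'MISSING'}  {label}")
    # Non-zero exit if any fix is absent, so the probe can gate a build.
    sys.exit(0 if all(results.values()) else 1)
```

Run it with the interpreter under test (for example `pypy3 probe.py`); a line reading MISSING identifies a fix that still has to be backported. The checks are deliberately limited to entry points that can be exercised without sockets, crafted files or timing measurements, so the tarfile, http.cookiejar and asyncio items in the lists above are not covered by this probe.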