Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 741560 - <dev-python/pypy-7.3.2: multiple vulnerabilities
Summary: <dev-python/pypy-7.3.2: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa+]
Keywords:
Depends on: 752294
Blocks:
  Show dependency tree
 
Reported: 2020-09-10 19:56 UTC by Michał Górny
Modified: 2024-09-22 07:01 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2020-09-10 19:56:57 UTC 
Ok, so pypy2.7 has all vulnerabilities of CPython 2.7.17.  Speaking in CPython commits:

e176e0c105 [2.7] closes bpo-38576: Disallow control characters in hostnames in http.client. (GH-19052)
69cdeeb93e bpo-39503: CVE-2020-8492: Fix AbstractBasicAuthHandler (GH-18284) (GH-19304)
f02de961b9 bpo-39603: Prevent header injection in http methods (GH-18485) (GH-21539)
47a2955589 bpo-39017: Avoid infinite loop in the tarfile module (GH-21454) (#21485)

I'm working on getting the patches upstream.  Either way, they will be part of upcoming pypy 7.3.2 release.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-01-09 21:13:20 UTC 
Please cleanup.
Comment 2 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2021-01-09 21:59:41 UTC 
Removed old versions.
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-01-09 22:08:23 UTC 
(In reply to Michał Górny from comment #2)
> Removed old versions.

Thanks!
Comment 4 NATTkA bot gentoo-dev 2021-07-29 17:25:57 UTC 
Package list is empty or all packages have requested keywords.
Comment 5 Larry the Git Cow gentoo-dev 2024-09-22 06:59:25 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=0fab7436a742d3f4e2260e183a9d563267fb75b8

commit 0fab7436a742d3f4e2260e183a9d563267fb75b8
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-09-22 06:59:11 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-09-22 06:59:21 +0000

    [ GLSA 202409-12 ] pypy, pypy3: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/741496
    Bug: https://bugs.gentoo.org/741560
    Bug: https://bugs.gentoo.org/774114
    Bug: https://bugs.gentoo.org/782520
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202409-12.xml | 65 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 65 insertions(+)