CVE-2023-24329: An issue in the urllib.parse component of Python before v3.11 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters.

Merged PR: https://github.com/python/cpython/pull/99421

There are some wild (to say the least) claims of RCE prevention at the URL; no idea how that could happen with this.
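To show what "bypass blocklisting" means here, the following is an added example (not from this bug report, the CPython PR or the Gentoo ebuilds): a blocklist check that trusts urllib.parse as-is beside a fail-closed version, plus a self-check that reports whether the running interpreter strips leading blanks. The allowed schemes, blocked hosts and test URLs are constructed sample values.

```python
import urllib.parse

# Constructed sample policy: only web schemes, and a few hosts that must never be fetched.
# Blocklisting hosts is a weak control on its own; it is shown because it is the check the CVE bypasses.
ALLOWED_SCHEMES = {"http", "https"}
BLOCKED_HOSTS = {"localhost", "127.0.0.1", "::1", "169.254.169.254"}


def naive_is_blocked(url: str) -> bool:
    """Blocklist check that trusts urllib.parse as-is and fails OPEN.

    On an interpreter without the CVE-2023-24329 fix, a URL with leading
    blank characters parses with scheme '' and hostname None, so the
    comparison below never sees the real host and returns False."""
    return urllib.parse.urlsplit(url).hostname in BLOCKED_HOSTS


def hardened_is_blocked(url: str) -> bool:
    """Fail-closed variant: anything that cannot be parsed into an allowed
    scheme plus a non-empty, non-blocked hostname is treated as blocked.

    Stricter than the CPython fix (which strips leading blanks): a URL that
    still carries raw blanks or C0/DEL control characters is rejected outright,
    since a downstream HTTP client may tokenise it differently from urlsplit."""
    if not url or any(ord(c) <= 0x20 or ord(c) == 0x7F for c in url):
        return True
    try:
        parts = urllib.parse.urlsplit(url)
    except ValueError:                        # e.g. unbalanced IPv6 brackets
        return True
    if parts.scheme not in ALLOWED_SCHEMES:   # urlsplit lowercases the scheme
        return True
    host = parts.hostname                     # lowercased, IPv6 brackets removed
    if not host:
        return True
    return host in BLOCKED_HOSTS


def interpreter_strips_leading_blanks() -> bool:
    """Runtime self-check: does this interpreter's urlsplit() carry the fix?

    With the fix, leading blanks are stripped and the scheme is recognised;
    without it the scheme comes back empty."""
    return urllib.parse.urlsplit(" https://example.com/").scheme == "https"


if __name__ == "__main__":
    for u in ("https://example.com/", " https://localhost/", "https://[::1]/"):
        print(repr(u), "naive:", naive_is_blocked(u), "hardened:", hardened_is_blocked(u))
    print("urlsplit strips leading blanks:", interpreter_strips_leading_blanks())
```

On a patched interpreter the naive check happens to block the leading-blank URL because urlsplit now strips it; the hardened check does not depend on that behaviour.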
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7ecd2c2d85b898277bb08f2e09d5ab2eefbdafc5
commit 7ecd2c2d85b898277bb08f2e09d5ab2eefbdafc5
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2023-02-26 20:03:12 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2023-02-26 20:11:16 +0000

    dev-python/pypy3: Backport CVE-2023-24329 fix to 7.3.11_p1

    Bug: https://bugs.gentoo.org/897958
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-python/pypy3/Manifest               |   1 +
 dev-python/pypy3/pypy3-7.3.11_p1.ebuild | 205 ++++++++++++++++++++++++++++++++
 2 files changed, 206 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3dbd956b4363bab8ab06697f5e6a797a348fab0f
commit 3dbd956b4363bab8ab06697f5e6a797a348fab0f
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2023-02-26 20:01:25 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2023-02-26 20:11:15 +0000

    dev-lang/python: Backport CVE-2023-24329 fix to 3.8.16_p3

    Bug: https://bugs.gentoo.org/897958
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest                |   1 +
 dev-lang/python/python-3.8.16_p3.ebuild | 425 ++++++++++++++++++++++++++++++++
 2 files changed, 426 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fd4fb5da1b236a01c915d81ce8732b1e5ba6c26f
commit fd4fb5da1b236a01c915d81ce8732b1e5ba6c26f
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2023-02-26 20:00:08 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2023-02-26 20:11:14 +0000

    dev-lang/python: Backport CVE-2023-24329 fix to 3.9.16_p2

    Bug: https://bugs.gentoo.org/897958
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest                |   1 +
 dev-lang/python/python-3.9.16_p2.ebuild | 481 ++++++++++++++++++++++++++++++++
 2 files changed, 482 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=215857178d642e1d21d3d6deab0fad7c8797fc55
commit 215857178d642e1d21d3d6deab0fad7c8797fc55
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2023-02-26 19:58:41 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2023-02-26 20:11:14 +0000

    dev-lang/python: Backport CVE-2023-24329 fix to 3.10.10_p2

    Bug: https://bugs.gentoo.org/897958
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest                 |   1 +
 dev-lang/python/python-3.10.10_p2.ebuild | 486 +++++++++++++++++++++++++++++++
 2 files changed, 487 insertions(+)
cleanup done.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=665ec86173a28118d28182d8381d593988f1adac
commit 665ec86173a28118d28182d8381d593988f1adac
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-05-04 05:59:08 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-05-04 06:00:31 +0000

    [ GLSA 202405-01 ] Python, PyPy3: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/884653
    Bug: https://bugs.gentoo.org/897958
    Bug: https://bugs.gentoo.org/908018
    Bug: https://bugs.gentoo.org/912976
    Bug: https://bugs.gentoo.org/919475
    Bug: https://bugs.gentoo.org/927299
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202405-01.xml | 79 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 79 insertions(+)