Skip to content

Commit 6061a68

Browse files
rickpricerickprice
committed
Add NEWS
1 parent a73ee28 commit 6061a68

File tree

1 file changed

+46
-0
lines changed

1 file changed

+46
-0
lines changed

Misc/NEWS.d/2.7.18.8.rst

Lines changed: 46 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,46 @@
1+
.. bpo: 37428
2+
.. date: 2024-02-15
3+
.. nonce:
4+
.. release date: 2024-02-15
5+
.. section: Core and Builtins
6+
7+
CVE-2023-40217
8+
9+
SSLContext.post_handshake_auth = True no longer sets
10+
SSL_VERIFY_POST_HANDSHAKE verify flag for client connections. Although the
11+
option is documented as ignored for clients, OpenSSL implicitly enables cert
12+
chain validation when the flag is set.
13+
14+
.. bpo: ?
15+
.. date: 2024-02-15
16+
.. nonce:
17+
.. release date: 2024-02-15
18+
.. section: Core and Builtins
19+
20+
CVE-2023-24329
21+
22+
Start stripping C0 control and space chars in urlsplit (#… …102508)
23+
24+
`urllib.parse.urlsplit` has already been respecting the WHATWG spec a bit #25595.
25+
26+
This adds more sanitizing to respect the "Remove any leading C0 control or space from input" [rule](https://url.spec.whatwg.org/#url-parsing:~:text=Remove%20any%20leading%20and%20trailing%20C0%20control%20or%20space%20from%20input.) in response to [CVE-2023-24329](https://nvd.nist.gov/vuln/detail/CVE-2023-24329).
27+
28+
.. bpo: 43882
29+
.. date: 2024-02-15
30+
.. nonce:
31+
.. release date: 2024-02-15
32+
.. section: Core and Builtins
33+
34+
CVE-2022-0391
35+
36+
A flaw was found in Python, specifically within the urllib.parse module. This module helps break Uniform Resource Locator (URL) strings into components. The issue involves how the urlparse method does not sanitize input and allows characters like '\r' and '\n' in the URL path. This flaw allows an attacker to input a crafted URL, leading to injection attacks. This flaw affects Python versions prior to 3.10.0b1, 3.9.5, 3.8.11, 3.7.11 and 3.6.14.
37+
38+
.. bpo: 43285
39+
.. date: 2024-02-15
40+
.. nonce:
41+
.. release date: 2024-02-15
42+
.. section: Core and Builtins
43+
44+
CVE-2021-4189
45+
46+
A flaw was found in Python, specifically in the FTP (File Transfer Protocol) client library in PASV (passive) mode. The issue is how the FTP client trusts the host from the PASV response by default. This flaw allows an attacker to set up a malicious FTP server that can trick FTP clients into connecting back to a given IP address and port. This vulnerability could lead to FTP client scanning ports, which otherwise would not have been possible.

0 commit comments

Comments
 (0)