Python -- multiple vulnerabilities

ID 33C05D57-BF6E-11EA-BA1E-0800273F78D3
Type freebsd
Reporter FreeBSD
Modified 2019-10-24T00:00:00


Python reports:

The AbstractBasicAuthHandler class of the urllib.request module uses an inefficient regular expression which can be exploited by an attacker to cause a denial of service. Fix the regex to prevent the catastrophic backtracking. Vulnerability reported by Ben Caller and Matt Schwager.

Disallow control characters in hostnames in http.client, addressing CVE-2019-18348. Such potentially malicious header injection URLs now cause an InvalidURL to be raised.

Disallow CR or LF in email.headerregistry.Address arguments to guard against header injection attacks.
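The following is an added example, not part of the FreeBSD or Python advisory text: it exercises the three checks the advisory describes on constructed sample inputs, so an administrator can confirm that the installed Python rejects a hostname containing control characters (http.client raises InvalidURL), rejects CR or LF in email.headerregistry.Address parts (ValueError), and still parses a well-formed WWW-Authenticate challenge with the regex that AbstractBasicAuthHandler ships. The helper names host_is_accepted, address_is_accepted and parse_basic_challenge are this example's own; AbstractBasicAuthHandler.rx is the class attribute CPython uses for the challenge regex. On an unpatched Python the first two helpers return True for the rejected inputs, which is the condition this check is meant to surface.

```python
"""Added example, not part of the advisory: verify the input checks it describes."""
import http.client
from email.headerregistry import Address
from urllib.request import AbstractBasicAuthHandler


def host_is_accepted(host: str) -> bool:
    """Return True if http.client accepts `host` as a connection target.

    With the CVE-2019-18348 fix, HTTPConnection validates the host string in
    its constructor (no socket is opened) and raises InvalidURL when it
    contains control characters, so a value carrying CR/LF never reaches the
    request line or headers.
    """
    try:
        http.client.HTTPConnection(host, 80)
    except http.client.InvalidURL:
        return False
    return True


def address_is_accepted(display_name: str, username: str, domain: str) -> bool:
    """Return True if email.headerregistry.Address accepts these parts.

    Patched versions raise ValueError when any part contains CR or LF, which
    is what prevents a crafted display name or domain from terminating the
    header and injecting another one.
    """
    try:
        Address(display_name, username, domain)
    except ValueError:
        return False
    return True


def parse_basic_challenge(header: str):
    """Extract (scheme, realm) from a WWW-Authenticate value.

    Uses the regex urllib.request keeps on AbstractBasicAuthHandler (the one
    the advisory says was rewritten to avoid catastrophic backtracking).
    Returns None when no realm= parameter is present.
    """
    mo = AbstractBasicAuthHandler.rx.search(header)
    if mo is None:
        return None
    scheme, _quote, realm = mo.groups()
    return scheme, realm


if __name__ == "__main__":
    # Constructed sample inputs (hypothetical hosts and addresses).
    print("plain host accepted:", host_is_accepted("example.com"))
    print("CRLF host accepted: ", host_is_accepted("example.com\r\nX-Injected-Header"))
    print("plain address accepted:", address_is_accepted("Alice", "alice", "example.com"))
    print("CRLF address accepted: ", address_is_accepted("Alice", "alice", "example.com\r\n"))
    print("single challenge:", parse_basic_challenge('Basic realm="example"'))
    print("multiple challenges:", parse_basic_challenge('Bearer, Basic realm="api"'))
```

Run it with the Python build you intend to ship; a result of True for either CRLF input means that interpreter predates the fixes in this advisory.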