807 matches found
[SECURITY] Fedora 31 Update: python-httplib2-0.18.1-3.fc31
A comprehensive HTTP client library that supports many features left out of other HTTP libraries...
Unspecified vulnerability in Open-iSCSI rtslib-fb
Open-iSCSI rtslib-fb is an object-based Python library for configuring LIO general purpose SCSI targets in the Linux kernel. A security vulnerability exists in Open-iSCSI rtslib-fb version 2.1.72 and earlier. No further details have been published at this time...
UBUNTU-CVE-2020-14422
Lib/ipaddress.py in Python through 3.8.3 improperly computes hash values in the IPv4Interface and IPv6Interface classes, which might allow a remote attacker to cause a denial of service if an application is affected by the performance of a dictionary containing IPv4Interface or IPv6Interface...
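The entry above describes a hash-collision denial of service. The block below is an added example, not CPython's code: it reconstructs the shape of `IPv4Interface.__hash__` before the fix (an XOR of address, prefix length and network address, which for a /32 interface collapses to the constant 32) and after it (a tuple hash), then counts distinct hash values and times a dict build so the collision cost is visible. The wrapper class `Keyed` and the sample address range are assumptions made for the demonstration.

```python
import ipaddress
import time

# Added example: reconstructions of the IPv4Interface hash before and after the
# CVE-2020-14422 fix. Neither function is copied from CPython; they mirror the
# formulas described for the bug and its fix.


def vulnerable_hash(iface: ipaddress.IPv4Interface) -> int:
    """XOR shape (pre-fix). For a /32, network_address == ip, so the two address
    terms cancel and every /32 interface hashes to the prefix length, 32."""
    return int(iface.ip) ^ iface.network.prefixlen ^ int(iface.network.network_address)


def fixed_hash(iface: ipaddress.IPv4Interface) -> int:
    """Tuple shape (post-fix): the tuple hash mixes all three fields."""
    return hash((int(iface.ip), iface.network.prefixlen, int(iface.network.network_address)))


def sample_interfaces(n: int, prefix: str = "/32") -> list:
    """Constructed input: n consecutive addresses from 10.0.0.0 with one prefix."""
    base = int(ipaddress.IPv4Address("10.0.0.0"))
    return [ipaddress.IPv4Interface(f"{ipaddress.IPv4Address(base + i)}{prefix}")
            for i in range(n)]


def distinct_hashes(hash_fn, n: int, prefix: str = "/32") -> int:
    """How many different hash values hash_fn yields for n distinct interfaces."""
    return len({hash_fn(i) for i in sample_interfaces(n, prefix)})


class Keyed:
    """Dict key wrapper (hypothetical helper) that uses a chosen hash function
    but compares by address and prefix, so a dict of Keyed objects behaves like
    a dict keyed by the interfaces themselves under that hash."""
    __slots__ = ("key", "_h")

    def __init__(self, iface, hash_fn):
        self.key = (int(iface.ip), iface.network.prefixlen)
        self._h = hash_fn(iface)

    def __hash__(self):
        return self._h

    def __eq__(self, other):
        return self.key == other.key


def dict_build_seconds(hash_fn, n: int) -> float:
    """Seconds to insert n distinct /32 interfaces into a dict under hash_fn.
    With one shared hash value every insert probes all earlier keys: O(n^2)."""
    ifaces = sample_interfaces(n)
    t0 = time.perf_counter()
    table = {}
    for iface in ifaces:
        table[Keyed(iface, hash_fn)] = True
    return time.perf_counter() - t0


if __name__ == "__main__":
    for fn in (vulnerable_hash, fixed_hash):
        print(f"{fn.__name__}: {distinct_hashes(fn, 1000)} distinct hashes for 1000 /32 "
              f"interfaces, {distinct_hashes(fn, 1000, '/24')} for 1000 /24 interfaces")
    n = 1500
    print(f"dict of {n} keys: vulnerable {dict_build_seconds(vulnerable_hash, n):.3f}s, "
          f"fixed {dict_build_seconds(fixed_hash, n):.3f}s")
```

The /24 case shows the weaker form of the same defect: only the host byte survives the XOR, so at most 256 distinct values exist however many interfaces are inserted.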
PT-2021-6018
Name of the Vulnerable Software and Affected Versions: urllib3 versions prior to 1.26.5. Description: The issue is related to an HTTP client vulnerability in Python urllib3, which is associated with uncontrolled resource consumption. Exploitation of the vulnerability may allow a remote attacker to...
UBUNTU-CVE-2020-13092
DISPUTED scikit-learn aka sklearn through 0.23.0 can unserialize and execute commands from an untrusted file that is passed to the joblib.load function, if __reduce__ makes an os.system call. NOTE: third parties dispute this issue because the joblib.load function is documented as unsafe and it is the...
python-urllib3: Certification mishandle when error should be thrown
The urllib3 library before 1.24.2 for Python mishandles certain cases where the desired set of CA certificates is different from the OS store of CA certificates, which results in SSL connections succeeding in situations where a verification failure is the correct outcome. This is related to use o...
python: Cookie domain check returns incorrect results
http.cookiejar.DefaultCookiePolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. An attacker may abuse this flaw by using a server with a hostname that has another valid hostnam...
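To make the domain check concrete, here is an added example (not CPython's code) with two simplified reconstructions of the suffix test in `domain_return_ok`: the pre-3.7.3 shape dot-prefixes only the request host, so a cookie stored for `example.com` matches `.evilexample.com`; the fixed shape dot-prefixes the cookie domain as well. The block also asks the interpreter it runs on by calling the real `DefaultCookiePolicy.domain_return_ok` with a `urllib.request.Request` that is inspected, never sent. The host names and the `CASES` table are constructed for the demonstration.

```python
import http.cookiejar
import urllib.request

# Added example, not CPython's code: simplified reconstructions of the suffix test
# in DefaultCookiePolicy.domain_return_ok before and after the CVE-2018-20852 fix.
# Both helpers take the cookie domain and request host as plain strings; the real
# method takes a Request object and also applies block/allow lists.


def domain_matches_vulnerable(cookie_domain: str, req_host: str) -> bool:
    """Pre-fix shape: only the request host gets a leading dot, so a cookie domain
    without one ("example.com") matches any host that merely ends in that text."""
    if not req_host.startswith("."):
        req_host = "." + req_host
    return req_host.endswith(cookie_domain)


def domain_matches_fixed(cookie_domain: str, req_host: str) -> bool:
    """Post-fix shape: both sides are dot-prefixed, so the match must fall on a
    label boundary."""
    if not req_host.startswith("."):
        req_host = "." + req_host
    dotdomain = cookie_domain if cookie_domain.startswith(".") else "." + cookie_domain
    return req_host.endswith(dotdomain)


def stdlib_domain_return_ok(cookie_domain: str, url: str) -> bool:
    """Ask the running interpreter's policy directly. The Request is only parsed
    for its host; nothing is connected or sent."""
    policy = http.cookiejar.DefaultCookiePolicy()
    return policy.domain_return_ok(cookie_domain, urllib.request.Request(url))


# Constructed cases: (cookie domain, request host, should the host get the cookie?)
CASES = [
    ("example.com", "example.com", True),
    ("example.com", "www.example.com", True),
    ("example.com", "evilexample.com", False),   # the attack shape from the advisory
    (".example.com", "notexample.com", False),
]


def leaks(check) -> list:
    """Hosts to which `check` would send the cookie although it should not."""
    return [host for dom, host, ok in CASES if not ok and check(dom, host)]


if __name__ == "__main__":
    print("vulnerable check leaks to:", leaks(domain_matches_vulnerable))
    print("fixed check leaks to:     ", leaks(domain_matches_fixed))
    for dom, host, ok in CASES:
        got = stdlib_domain_return_ok(dom, f"http://{host}/")
        print(f"{dom:>13} -> {host:<16} stdlib: {got}  expected: {ok}")
```

Run on a fixed interpreter the stdlib column agrees with the expected column; the reconstruction is there so the difference between the two suffix tests can be read without diffing cookiejar.py.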
aequitas (>=0.26.0 <=0.42.0), ax (>=0.39.0 <=0.52.0) +27 more potentially affected by CVE-2020-11888 via markdown2 (>=2.3.0 <=2.3.8)
markdown2 PYPI version =2.3.0, =0.26.0, =0.39.0, =0.1.0, =0.5.29, =3.8.3, =0.0.1, =0.4.1, =0.0.1, =0.7.0a1, =0.2.2, =0.4.0rc1590080566 and more Source cves: CVE-2020-11888 Source advisory: OSV:PYSEC-2020-65...
Chepy - A Python Lib/Cli Equivalent Of The Awesome CyberChef Tool.
Chepy is a python library with a handy cli that is aimed to mirror some of the capabilities of CyberChef. A reasonable amount of effort was put behind Chepy to make it compatible to the various functionalities that CyberChef offers, all in a pure Pythonic manner. There are some key advantages and...
python-urllib3: Cross-host redirect does not remove Authorization header allow for credential exposure
urllib3 before version 1.23 does not remove the Authorization HTTP header when following a cross-origin redirect i.e., a redirect that differs in host, port, or scheme. This can allow for credentials in the Authorization header to be exposed to unintended hosts or transmitted in cleartext...
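The policy the entry above calls for, as an added example that is not urllib3's code: a redirect follower that resolves the `Location` header (absolute or relative), compares scheme, host and port with the request being redirected, and drops `Authorization` whenever any of them differs. The redirect chain in `__main__` and the host names are constructed for the demonstration.

```python
from urllib.parse import urljoin, urlsplit

# Added example (not urllib3's code): strip Authorization on cross-origin redirects,
# the behaviour missing from urllib3 before 1.23.

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url: str) -> tuple:
    """(scheme, host, port) with the default port filled in, so http://a/ and
    http://a:80/ count as the same origin."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def headers_for_redirect(current_url: str, location: str, headers: dict) -> tuple:
    """Return (next_url, headers to send). Location may be relative. Authorization
    is dropped (case-insensitively) when scheme, host or port changes."""
    next_url = urljoin(current_url, location)
    if origin(current_url) == origin(next_url):
        return next_url, dict(headers)
    kept = {k: v for k, v in headers.items() if k.lower() != "authorization"}
    return next_url, kept


def follow(start_url: str, headers: dict, redirects: dict, max_hops: int = 5) -> list:
    """Walk a redirect chain offline and record, per hop, whether the credential
    was still attached. `redirects` maps a URL to the Location it answers with."""
    trail, url = [], start_url
    for _ in range(max_hops):
        trail.append((url, "authorization" in {k.lower() for k in headers}))
        location = redirects.get(url)
        if location is None:
            break
        url, headers = headers_for_redirect(url, location, headers)
    return trail


# Constructed chain: a same-origin hop, then a hop to another host.
CHAIN = {
    "https://api.example.com/v1": "/v2",
    "https://api.example.com/v2": "https://cdn.example.net/v2",
}

if __name__ == "__main__":
    for url, has_auth in follow("https://api.example.com/v1",
                                {"Authorization": "Bearer t"}, CHAIN):
        print(f"{url:<32} Authorization sent: {has_auth}")
```

A downgrade from https to http on the same host also counts as a different origin here, which is the case where a bearer token would otherwise cross the wire in cleartext.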
DEBIAN-CVE-2020-7212
The _encode_invalid_chars function in util/url.py in the urllib3 library 1.25.2 through 1.25.7 for Python allows a denial of service (CPU consumption) because of an inefficient algorithm. The percent_encodings array contains all matches of percent encodings. It is not deduplicated. For a URL of length ...
PT-2020-5140
Name of the Vulnerable Software and Affected Versions: urllib3 library versions 1.25.2 through 1.25.7. Description: The issue is related to an inefficient algorithm in the _encode_invalid_chars function, which can lead to a denial of service due to CPU consumption. This happens because the percent...
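The two entries above (DEBIAN-CVE-2020-7212 and PT-2020-5140) describe the same algorithmic problem. The following added example, not urllib3's code, rebuilds only the percent-escape normalisation step of `_encode_invalid_chars` in two shapes: the 1.25.2 to 1.25.7 loop, which calls `str.replace` once per match without deduplicating the match list, and a single `re.subn` pass of the kind used in the fix. A pass counter and a timing on a constructed hostile path show why the first is quadratic in the number of escapes.

```python
import re
import time

# Added example, not urllib3's code. Only the normalisation of existing
# percent-escapes is modelled; the later per-byte encoding step is omitted.
PERCENT_RE = re.compile(r"%[a-fA-F0-9]{2}")  # same pattern shape urllib3 uses


def normalize_vulnerable(component: str) -> tuple:
    """Uppercase every percent-escape, 1.25.2-1.25.7 style. findall() returns every
    match, duplicates included, and each non-uppercase match costs one full
    replace() pass over the string: N escapes -> N passes -> O(N^2) work.
    Returns (normalised string, number of full-string passes made)."""
    passes = 0
    for enc in PERCENT_RE.findall(component):
        if not enc.isupper():
            component = component.replace(enc, enc.upper())
            passes += 1
    return component, passes


def normalize_fixed(component: str) -> tuple:
    """Same result in one pass of the regex engine (the shape of the fix)."""
    component, _count = PERCENT_RE.subn(lambda m: m.group(0).upper(), component)
    return component, 1


def hostile_path(n: int) -> str:
    """Constructed attacker input: n identical lowercase escapes."""
    return "/" + "%aa" * n


def seconds(fn, text: str) -> float:
    t0 = time.perf_counter()
    fn(text)
    return time.perf_counter() - t0


if __name__ == "__main__":
    sample = "/a%2fb%2Fc%e2%82%ac"   # constructed: mixed-case and digit-only escapes
    print(normalize_vulnerable(sample), normalize_fixed(sample))
    for n in (1000, 4000):
        p = hostile_path(n)
        print(f"n={n}: vulnerable {seconds(normalize_vulnerable, p):.3f}s "
              f"({normalize_vulnerable(p)[1]} passes), "
              f"fixed {seconds(normalize_fixed, p):.4f}s")
```

Note that `"%82".isupper()` is false because it has no cased characters, so digit-only escapes also trigger a replace pass in the vulnerable loop; and once the first pass has uppercased every `%aa`, the remaining passes find nothing yet still scan the whole string.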
ambition-edc (>=0.3.68 <=0.3.72), caluma (>=5.2.1 <=5.3.1) +28 more potentially affected by CVE-2020-9402 via django (>=2.2.0 <=2.2.10)
django PYPI version =2.2.0, =0.3.68, =5.2.1, =0.1.0, =0.0.1, =0.0.1, =0.0.1, =0.0.26 - django-smorest =0.1.3 - djangorestframework-simplejwt-captcha =1.1.4 - djpub =0.0.1 and more Source cves: CVE-2020-9402 Source advisory: OSV:PYSEC-2020-345...
Blinder - A Python Library To Automate Time-Based Blind SQL Injection
Blinder is a small Python library that automates time-based blind SQL injection by wrapping pre-defined queries as functions, for rapid PoC development. Installation: You can install Blinder using the following command: pip install blinder Or by downloading the source and importing it...
[SECURITY] [DLA 2057-1] pillow security update
Package : pillow Version : 2.6.1-2+deb8u4 CVE IDs : CVE-2019-19911 CVE-2020-5312 CVE-2020-5313 Debian Bug : 948224 It was discovered that there were three vulnerabilities in Pillow, an imaging library for the Python programming language: CVE-2019-19911: Prevent a denial-of-service vulnerability...
acclaim-badges (=0.1.0), admindjango-ckeditor-blog (=0.1.0) +158 more potentially affected by CVE-2019-19844 via django (>=1.10.0 <=1.11.26)
django PYPI version =1.10.0, =0.2.0.dev20181221, =0.1.0b2696.post0.dev1, =0.2.1, =3.1.4, =2.0.0, =0.3.1, =0.0.19, =0.0.24 and more Source cves: CVE-2019-19844 Source advisory: OSV:PYSEC-2019-16...
DEBIAN-CVE-2019-18874
psutil aka python-psutil through 5.6.5 can have a double free. This occurs because of refcount mishandling within a while or for loop that converts system data into a Python object...
python: CRLF injection via the path part of the url passed to urlopen()
An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n specifically in the path component of a URL that...
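What a `\r\n` in the path does on the wire, as an added example that is not CPython's code: `build_request_line` assembles a GET request the way a naive client does, `header_names` parses it back as a server would, and `has_control_chars` mirrors the check the fix added to `http.client` (any byte in `\x00`-`\x20` or `\x7f` in the URL is refused). `stdlib_rejects` asks the interpreter this runs on by calling `HTTPConnection.putrequest`, which only buffers the request line and never connects. The attacker string and host names are constructed.

```python
import http.client
import re
from urllib.parse import quote

# Added example, not CPython's code. Same character class http.client's path
# check uses: control characters, space and DEL are not allowed in the URL.
DISALLOWED_URL_PCHAR_RE = re.compile(r"[\x00-\x20\x7f]")


def build_request_line(path: str, host: str = "example.org") -> bytes:
    """What a naive client puts on the wire for GET <path> (no escaping)."""
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\n\r\n".encode("latin-1")


def header_names(raw: bytes) -> list:
    """Parse the request back the way a server does and list the header names."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    return [line.split(b":", 1)[0].decode() for line in head.split(b"\r\n")[1:]]


def has_control_chars(path: str) -> bool:
    """The guard from the fix: True if the path must be refused."""
    return DISALLOWED_URL_PCHAR_RE.search(path) is not None


def stdlib_rejects(path: str) -> bool:
    """True if the running http.client refuses the path in putrequest.
    putrequest only buffers the request line; nothing is connected or sent."""
    conn = http.client.HTTPConnection("example.invalid")
    try:
        conn.putrequest("GET", path)
    except http.client.InvalidURL:
        return True
    finally:
        conn.close()
    return False


if __name__ == "__main__":
    attacker = "/search?q=x\r\nX-Injected: 1"   # constructed attacker-controlled value
    print("headers the server sees:", header_names(build_request_line(attacker)))
    print("guard refuses it:", has_control_chars(attacker))
    print("stdlib refuses it:", stdlib_rejects(attacker))
    safe = quote(attacker, safe="/?=")          # %0D%0A survives as data, not a line break
    print("percent-encoded:", safe, "->", header_names(build_request_line(safe)))
```

The `quote` call is the application-side counterpart: an attacker-supplied value that must end up in a URL is percent-encoded before it reaches `urlopen`, so the library-level refusal is a backstop rather than the only control.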
USN-4171-3 apport regression
USN-4171-1 fixed vulnerabilities in Apport. The update caused a regression in the Python Apport library. This update fixes the problem. We apologize for the inconvenience. Original advisory details: Kevin Backhouse discovered Apport would read its user-controlled settings file as the root user...