Opened 4 years ago

Closed 4 years ago

#12669 closed enhancement (fixed)


Reported by: Douglas R. Reno
Owned by: Bruce Dubbs
Priority: high
Milestone: 9.1
Component: BOOK
Version: SVN
Severity: normal
Keywords:


New point version

Change History (3)

comment:1 by Bruce Dubbs, 4 years ago

Owner: changed from blfs-book to Bruce Dubbs
Status: new → assigned

comment:2 by Douglas R. Reno, 4 years ago

Priority: normal → high

Just wanted to drop the fact that there are some security fixes here:

.. bpo: 38174
.. date: 2019-09-23-21-02-46
.. nonce: MeWuJd
.. section: Security

Update vendorized expat library version to 2.2.8, which resolves

.. bpo: 30458
.. date: 2019-04-10-08-53-30
.. nonce: 51E-DA
.. section: Security

Address CVE-2019-9740 by disallowing URL paths with embedded whitespace or
control characters through into the underlying http client request.  Such
potentially malicious header injection URLs now cause an httplib.InvalidURL
exception to be raised.

.. bpo: 35907
.. date: 2019-02-13-17-21-10
.. nonce: ckk2zg
.. section: Security

CVE-2019-9948: Avoid file reading by disallowing ``local-file://`` and
``local_file://`` URL schemes in :func:`urllib.urlopen`,
:meth:`` and :meth:`urllib.URLopener.retrieve`.
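
A check for the CVE-2019-9740 entry quoted in comment:2, added here as an example and not part of the ticket or of Python's own code: it lists the whitespace and control characters found in a request path and probes whether the running interpreter's HTTP client raises InvalidURL for that path. The function names, the exact character range and the sample paths are assumptions.

```python
import re

try:                      # Python 2, the interpreter this ticket updates
    import httplib
except ImportError:       # Python 3 name for the same module
    import http.client as httplib

# Assumption: "whitespace or control characters" is read as 0x00-0x20 and 0x7f.
_DISALLOWED = re.compile(r"[\x00-\x20\x7f]")


def find_disallowed_chars(path):
    """Return the offending characters in a request path, in order of appearance."""
    return _DISALLOWED.findall(path)


def stdlib_rejects(path):
    """Return True if this interpreter's HTTP client refuses the path.

    putrequest() only buffers the request line, so no connection is opened
    and nothing is sent; example.invalid is a reserved, non-resolving name.
    """
    conn = httplib.HTTPConnection("example.invalid")
    try:
        conn.putrequest("GET", path)
    except httplib.InvalidURL:
        return True
    return False


# Constructed sample paths, not taken from the ticket.
SAMPLES = [
    "/index.html",
    "/search?q=a b",
    "/x HTTP/1.1\r\nX-Constructed: 1",
]

if __name__ == "__main__":
    for p in SAMPLES:
        print("%r chars=%r stdlib_rejects=%s"
              % (p, find_disallowed_chars(p), stdlib_rejects(p)))
```

On an interpreter that still lacks the fix, stdlib_rejects() returns False for the second and third samples, which makes find_disallowed_chars() usable as a pre-flight check in calling code until the update is installed.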

comment:3 by Bruce Dubbs, 4 years ago

Resolution: fixed
Status: assigned → closed

Fixed at revision 22297.
