[Security-sig] HTML page of Python security vulnerabilities

Victor Stinner victor.stinner at gmail.com
Thu Mar 9 19:06:49 EST 2017


Hi,

Minor update on
http://python-security.readthedocs.io/vulnerabilities.html : I
enhanced the render_doc.py script to download the issue title, author and date
from bugs.python.org. It allows removing more lines from
vulnerabilities.yaml, so each YAML entry is now shorter and human
mistakes are less likely!

Note: Sadly, it seems like the Roundup XML-RPC API requires passing a user
+ password in the URL to get the author of the first message of an
issue, whereas this information is public if you look at the HTML
page.

Victor

2017-02-22 1:11 GMT+01:00 Victor Stinner <victor.stinner at gmail.com>:
> I completed my list: the 30 CVEs are now listed on my page! Well,
> except for two special cases:
>
> * CVE-2016-1494: vulnerability in the 3rd party module "python-rsa"
> * CVE-2015-5652: sys.path on Windows -- not fixed
>
> See also my notes on sys.path:
> http://python-security.readthedocs.io/#misc
>
>
> The last major vulnerability not documented yet is cookielib which has
> a long story. I don't know yet how to summarize it as individual
> "vulnerabilities".
>
> https://hackerone.com/reports/26647
>
> https://bugs.python.org/issue16611
>   #16611: BaseCookie now parses 'secure' and 'httponly' flags.
> https://bugs.python.org/issue22796
>   Regression in Python 3.2 cookie parsing
> https://bugs.python.org/issue25228
>   Support for httponly/secure cookies reintroduced lax parsing behavior
> https://code.djangoproject.com/ticket/26158
>   cookie parsing fails with python 3.x if request contains unnamed cookie
>
> Victor
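
[Added example, not part of Victor's message or of the python-security
project. It exercises the stdlib cookie parser (http.cookies.SimpleCookie)
on constructed inputs matching the cases in the issues quoted above: the
'secure'/'httponly' flags from #16611, a flag appearing before any
name=value pair, and the unnamed cookie from the Django ticket. The
observed behaviour is that of current CPython 3 (the strict parser); the
lenient fallback parser at the end is written here from scratch as an
illustration of the request-side workaround, it is not Django's code.]

```python
"""Exercise http.cookies.SimpleCookie on the cookie-parsing edge cases
discussed in the bug reports above. All inputs are constructed here."""

from http.cookies import SimpleCookie


def parse_cookie_header(header: str) -> dict:
    """Parse a cookie string with the stdlib parser.

    Returns {name: (value, secure, httponly)}.

    Caveat a practitioner should know: SimpleCookie.load() does not raise
    on malformed input. If any chunk is invalid (e.g. a reserved flag such
    as 'Secure' before the first name=value pair, or an unnamed '=junk'
    cookie), the *whole* string is silently discarded, so an empty result
    can mean "no cookies" or "rejected". If the parser simply cannot match
    a chunk at all (an empty ';;' chunk), it stops there and keeps only
    what came before, silently truncating the rest.
    """
    jar = SimpleCookie()
    jar.load(header)
    return {
        name: (morsel.value, bool(morsel["secure"]), bool(morsel["httponly"]))
        for name, morsel in jar.items()
    }


def parse_cookie_lenient(header: str) -> dict:
    """Request-side fallback: keep every well-formed name=value pair and
    skip the rest, instead of losing everything on one bad chunk.

    Assumption: written here as an illustration; not Django's parse_cookie.
    Attributes/flags (Secure, HttpOnly, Path, ...) are only meaningful in a
    Set-Cookie response header, so a request-side parser can ignore
    anything that is not name=value.
    """
    out = {}
    for chunk in header.split(";"):
        if "=" not in chunk:
            continue                      # flag or empty chunk: skip
        name, _, value = chunk.partition("=")
        name, value = name.strip(), value.strip()
        if not name:
            continue                      # unnamed cookie: skip it, keep others
        out[name] = value
    return out


def demo() -> dict:
    """Run the constructed cases through both parsers."""
    cases = [
        "a=1; Secure; HttpOnly",   # flags attach to the preceding morsel
        "Secure; a=1",             # flag before any name=value: rejected
        "a=1; =junk; b=2",         # unnamed cookie: everything rejected
        "a=1; ; b=2",              # empty chunk: parsing stops, b is lost
    ]
    return {
        case: {
            "stdlib": parse_cookie_header(case),
            "lenient": parse_cookie_lenient(case),
        }
        for case in cases
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(repr(case))
        print("  stdlib :", result["stdlib"])
        print("  lenient:", result["lenient"])
```

The two failure modes are worth keeping apart when reading a Cookie
header on the server side: a rejected string loses a session cookie that
was actually sent, while a truncated one keeps the cookies before the bad
chunk and drops those after it, which changes with the order the browser
chose.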

