Python Security Documentation Release 0.0 Victor Stinner Sep 15, 2021 Contents 1 Pages 3 1.1 Python Security Vulnerabilities.....................................3 1.2 Packages and PyPI............................................ 110 1.3 Python SSL and TLS security...................................... 122 1.4 Python Security............................................. 125 i ii Python Security Documentation, Release 0.0 This page is an attempt to document security vulnerabilities in Python and the versions including the fix. Contents 1 Python Security Documentation, Release 0.0 2 Contents CHAPTER 1 Pages 1.1 Python Security Vulnerabilities Status of Python branches lists Python branches which get security fixes. Total: 84 vulnerabilities. Vulnerability Disclosure Fixed In Vulnerable CVE CVE-2013-0340 Billion Laughs fixed in Expat 2.4.0 2021-06-11 3.6.15 3.7.12 3.8.12 3.9.7 – CVE-2013-0340 CVE-2021-3737: urllib HTTP client possible infinite loop on a 100 Continue response 2021-05-03 3.6.14 3.7.11 3.8.11 3.9.6 – – ipaddress leading zeros in IPv4 address 2021-03-30 3.8.12 3.9.5 – CVE-2021-29921 ftplib should not use the host from the PASV response 2021-02-21 3.6.14 3.7.11 3.8.9 3.9.3 – – CVE-2021-3733: ReDoS in urllib.request 2021-01-30 3.6.14 3.7.11 3.8.10 3.9.5 – – Information disclosure via pydoc getfile 2021-01-21 3.6.14 3.7.11 3.8.9 3.9.3 – CVE-2021-3426 urllib parse_qsl(): Web cache poisoning - semicolon as a query args separator 2021-01-19 3.6.13 3.7.10 3.8.8 3.9.2 – CVE-2021-23336 ctypes: Buffer overflow in PyCArg_repr 2021-01-16 3.6.13 3.7.10 3.8.8 3.9.2 – CVE-2021-3177 CJK codecs tests call eval() on content retrieved via HTTP 2020-10-05 3.6.13 3.7.10 3.8.7 3.9.1 – CVE-2020-27619 [CVE-2020-14422] Hash collisions in IPv4Interface and IPv6Interface 2020-06-17 3.5.10 3.6.12 3.7.9 3.8.4 3.9.0 – CVE-2020-14422 http.client: HTTP Header Injection in the HTTP method 2020-02-10 3.5.10 3.6.12 3.7.9 3.8.5 3.9.0 – CVE-2020-26116 CVE-2020-8315: Unsafe DLL loading in getpathp.c on Windows 7 2020-01-21 3.6.11 3.7.7 3.8.2 3.9.0 – CVE-2020-8315 Email header injection in Address objects 2019-12-17 3.5.10 3.6.11 3.7.8 3.8.4 3.9.0 – – Infinite loop in tarfile module while opening a crafted file 2019-12-10 3.5.10 3.6.12 3.7.9 3.8.5 3.9.0 – CVE-2019-20907 Remove newline characters from uu encoding methods 2019-11-30 2.7.18 3.5.10 3.6.10 3.7.6 3.8.1 3.9.0 – – urllib basic auth regex denial of service 2019-11-17 3.5.10 3.6.11 3.7.8 3.8.3 3.9.0 – CVE-2020-8492 Regular Expression Denial of Service in http.cookiejar 2019-11-14 2.7.18 3.5.10 3.6.10 3.7.6 3.8.1 3.9.0 – – CVE-2019-18348: CRLF injection via the host part of the url passed to urlopen() 2019-10-24 2.7.18 3.5.10 3.6.11 3.7.8 3.8.3 3.9.0 – CVE-2019-18348 Reflected XSS in DocXMLRPCServer 2019-09-21 2.7.17 3.5.8 3.6.10 3.7.5 3.8.0 – CVE-2019-16935 ssl.match_hostname() ignores extra string after whitespace in IPv4 address 2019-07-01 3.7.4 3.8.0 – – urlsplit does not handle NFKC normalization (second fix) 2019-04-27 2.7.17 3.5.8 3.6.9 3.7.4 3.8.0 – CVE-2019-10160 urlsplit does not handle NFKC normalization 2019-03-06 2.7.17 3.5.7 3.6.9 3.7.3 3.8.0 – CVE-2019-9636 urllib module local_file:// scheme 2019-02-06 2.7.17 3.5.8 3.6.9 3.7.4 3.8.0 – CVE-2019-9948 Continued on next page 3 Python Security Documentation, Release 0.0 Table 1 – continued from previous page Vulnerability Disclosure Fixed In Vulnerable CVE TALOS-2018-0758 SSL CRL distribution points Denial of Service 2019-01-15 2.7.16 3.4.10 3.5.7 3.6.9 3.7.3 3.8.0 – CVE-2019-5010 http.cookiejar: Incorrect validation of path 2019-01-03 2.7.17 3.4.10 3.5.7 3.6.9 3.7.3 3.8.0 – – xml package does not obey ignore_environment 2018-09-24 2.7.16 3.4.10 3.5.7 3.6.8 3.7.2 3.8.0 – – pickle.load denial of service 2018-09-13 3.4.10 3.5.7 3.6.7 3.7.1 3.8.0 – CVE-2018-20406 _elementree C accelerator doesn’t call XML_SetHashSalt() 2018-09-10 2.7.16 3.4.10 3.5.7 3.6.7 3.7.1 3.8.0 – CVE-2018-14647 email.utils.parseaddr mistakenly parse an email 2018-07-19 2.7.17 3.5.8 3.6.10 3.7.5 3.8.0 – CVE-2019-16056 Email folding function Denial-of-Service 2018-05-16 3.6.9 3.7.4 3.8.0 – – Buffer overflow vulnerability in os.symlink on Windows 2018-03-05 3.4.9 3.5.6 3.6.5 3.7.0 – CVE-2018-1000117 difflib and poplib catastrophic backtracking 2018-03-02 2.7.15 3.4.9 3.5.6 3.6.5 3.7.0 – CVE-2018-1060 CVE-2018-1061 Python 2.7 readahead is not thread safe 2017-09-20 2.7.15 – CVE-2018-1000030 Expat 2.2.3 2017-07-17 2.7.14 3.3.7 3.4.8 3.5.5 3.6.3 3.7.0 – – Environment variables injection in subprocess on Windows 2017-06-22 2.7.14 3.3.7 3.4.7 3.5.4 3.6.2 3.7.0 – – Expat 2.2.1 2017-06-17 2.7.14 3.3.7 3.4.7 3.5.4 3.6.2 3.7.0 – CVE-2012-0876 CVE-2016-0718 CVE-2016-9063 CVE-2017-9233 PyString_DecodeEscape integer overflow 2017-06-13 2.7.14 3.4.8 3.5.5 – CVE-2017-1000158 bpo-30500: urllib connects to a wrong host 2017-05-29 2.7.14 3.3.7 3.4.7 3.5.4 3.6.2 3.7.0 – – HTTP Header Injection (follow-up of CVE-2016-5699) 2017-05-24 2.7.17 3.5.8 3.6.9 3.7.4 3.8.0 – CVE-2019-9740 CVE-2019-9947 Py_SetPath(): _Py_CheckPython3 uses uninitialized DLL path 2017-03-10 3.5.10 3.6.12 3.7.9 3.8.4 3.9.0 – CVE-2020-15523 urllib FTP protocol stream injection 2017-02-20 2.7.14 3.3.7 3.4.7 3.5.4 3.6.3 3.7.0 – – Expat 2.2 (Expat bug #537) 2017-02-17 2.7.14 3.3.7 3.4.7 3.5.4 3.6.2 3.7.0 – CVE-2016-0718 CVE-2016-4472 Zlib 1.2.11 2017-01-05 2.7.14 3.4.8 3.5.4 3.6.1 3.7.0 – CVE-2016-9840 CVE-2016-9841 CVE-2016-9842 CVE-2016-9843 gettext.c2py() 2016-10-30 2.7.13 3.3.7 3.4.6 3.5.3 3.6.0 – – Sweet32 attack (DES, 3DES) 2016-08-24 2.7.13 3.4.7 3.5.3 3.6.0 – CVE-2016-2183 HTTPoxy attack 2016-07-18 2.7.13 3.3.7 3.4.6 3.5.3 3.6.0 – CVE-2016-1000110 smtplib TLS stripping 2016-06-11 2.7.12 3.3.7 3.4.5 3.5.2 3.6.0 – CVE-2016-0772 Issue #26657: HTTP server directory traversal 2016-03-28 2.7.12 3.3.7 3.4.7 3.5.2 3.6.0 – – Issue #26556: Expat 2.1.1 2016-03-14 2.7.12 3.3.7 3.4.5 3.5.2 3.6.0 – CVE-2015-1283 zipimporter overflow 2016-01-21 2.7.12 3.3.7 3.4.5 3.5.2 3.6.0 – CVE-2016-5636 HTTP header injection 2014-11-24 2.7.10 3.3.7 3.4.4 3.5.0 – CVE-2016-5699 Validate TLS certificate 2014-08-28 2.7.9 3.4.3 3.5.0 – CVE-2014-9365 buffer() integer overflows 2014-06-24 2.7.8 – CVE-2014-7185 JSONDecoder.raw_decode 2014-04-13 2.7.7 3.2.6 3.3.6 3.4.1 3.5.0 – CVE-2014-4616 os.makedirs() not thread-safe 2014-03-28 3.2.6 3.3.6 3.4.1 3.5.0 – CVE-2014-2667 socket.recvfrom_into() overflow 2014-01-14 2.7.7 3.2.6 3.3.4 3.4.0 – CVE-2014-1912 zipfile DoS using invalid file size 2013-12-27 3.3.4 3.4.0 – CVE-2013-7338 CGI directory traversal (URL parsing) 2013-10-29 2.7.6 3.2.6 3.3.4 3.4.0 – – ssl: NULL in subjectAltNames 2013-06-27 2.6.9 2.7.6 3.2.6 3.3.3 3.4.0 – CVE-2013-4238 ssl.match_hostname() IDNA issue 2013-05-17 3.3.3 3.4.0 – CVE-2013-7440 ssl.match_hostname() wildcard DoS 2013-05-15 3.2.6 3.3.3 3.4.0 – CVE-2013-2099 Limit imaplib.IMAP4_SSL.readline() 2012-09-25 2.7.16 – CVE-2013-1752 ftplib unlimited read 2012-09-25 2.7.6 3.2.6 3.3.3 3.4.0 – CVE-2013-1752 nntplib unlimited read 2012-09-25 2.6.9 2.7.6 3.2.6 3.3.7 3.4.3 3.5.0 – CVE-2013-1752 poplib unlimited read 2012-09-25 2.7.9 3.2.6 3.3.7 3.4.3 3.5.0 – CVE-2013-1752 smtplib unlimited read 2012-09-25 2.7.9 3.2.6 3.3.7 3.4.3 3.5.0 – CVE-2013-1752 xmlrpc gzip unlimited read 2012-09-25 2.7.9 3.3.7 3.4.3 3.5.0 – CVE-2013-1753 Hash function not randomized properly 2012-04-19 3.4.0 – CVE-2013-7040 Vulnerability in the utf-16 decoder after error handling 2012-04-14 2.7.4 3.2.4 3.3.0 – CVE-2012-2135 XML-RPC DoS 2012-02-13 2.6.8 2.7.3 3.1.5 3.2.3 3.3.0 – CVE-2012-0845 ssl CBC IV attack 2012-01-27 2.6.8 2.7.3 3.1.5 3.2.3 3.3.0 – CVE-2011-3389 Hash DoS 2011-12-28 2.6.8 2.7.3 3.1.5 3.2.3 3.3.0 – CVE-2012-1150 Continued on next page 4 Chapter 1.