Return to bug 254780

(-)b/security/vuxml/vuln.xml (-1 / +36 lines)
Lines 76-81 Notes: Link Here
76
  * Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
76
  * Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
77
-->
77
-->
78
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
78
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
79
  <vuln vid="f671c282-95ef-11eb-9c34-080027f515ea">
80
    <topic>python -- Information disclosure via pydoc -p: /getfile?key=path allows to read arbitrary file on the filesystem</topic>
81
    <affects>
82
      <package>
83
	<name>python38</name>
84
	<range><lt>3.8.9</lt></range>
85
      </package>
86
      <package>
87
	<name>python39</name>
88
	<range><lt>3.9.3</lt></range>
89
      </package>
90
    </affects>
91
    <description>
92
      <body xmlns="http://www.w3.org/1999/xhtml">
93
	<p>David Schwörer reports:</p>
94
	<blockquote cite="https://pythoninsider.blogspot.com/2021/04/python-393-and-389-are-now-available.html">
95
	  <p>
96
	    Remove the getfile feature of the pydoc module which could be
97
	    abused to read arbitrary files on the disk (directory traversal
98
	    vulnerability). Moreover, even source code of Python modules
99
	    can contain sensitive data like passwords.
100
	  </p>
101
	</blockquote>
102
      </body>
103
    </description>
104
    <references>
105
      <cvename>CVE-2021-3426</cvename>
106
      <url>https://pythoninsider.blogspot.com/2021/04/python-393-and-389-are-now-available.html</url>
107
      <url>https://bugs.python.org/issue42988</url>
108
    </references>
109
    <dates>
110
      <discovery>2021-01-21</discovery>
111
      <entry>2021-04-05</entry>
112
    </dates>
113
  </vuln>
114
79
  <vuln vid="8ba23a62-997d-11eb-9f0e-0800278d94f0">
115
  <vuln vid="8ba23a62-997d-11eb-9f0e-0800278d94f0">
80
    <topic>gitea -- multiple vulnerabilities</topic>
116
    <topic>gitea -- multiple vulnerabilities</topic>
81
    <affects>
117
    <affects>
82
- 
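
Review bot: the affects element of the new f671c282-95ef-11eb-9c34-080027f515ea entry lists only python38 (lt 3.8.9) and python39 (lt 3.9.3), while the comment kept as context at the top of this hunk says "Do not forget port variants". Please confirm whether any other Python branch packaged in the tree still ships the pydoc getfile feature and add a package element for each one that does, because pkg audit matches only the package names listed in the entry and an unlisted branch would go unreported. Two smaller points: the topic is much longer than the neighbouring "gitea -- multiple vulnerabilities" and could be shortened to something like "python -- information disclosure via pydoc getfile", and "David Schwörer reports:" introduces a blockquote whose cite attribute is the Python Insider release announcement, so the attribution line should name the source that is actually quoted.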
