Mailman 3 - Security-announce

[CVE-2025-1795] Mishandling of comma during folding and unicode-encoding of email headers
by Seth Larson March 1, 2025

March 1, 2025

There is a LOW severity vulnerability affecting CPython. During an address list folding when a separating comma ends up on a folded line and that line is to be unicode-encoded then the separator itself is also unicode-encoded. Expected behavior is that the separating comma remains a plan comma. This can result in the address header being misinterpreted by some mail servers. Please see the linked CVE ID for the latest information on affected versions: CVE: https://www.cve.org/CVERecord?id=CVE-2025-1795 Issue: https://github.com/python/cpython/issues/100884 Pull requests: https://github.com/python/cpython/pull/100885 and https://github.com/python/cpython/pull/119099

1 0

[CVE-2024-3220] Default mimetype known files writeable on Windows
by Seth Larson Feb. 15, 2025

Feb. 15, 2025

There is a LOW severity vulnerability affecting CPython. There is a defect in the CPython standard library module “mimetypes” where on Windows the default list of known file locations are writable meaning other users can create invalid files to cause MemoryError to be raised on Python runtime startup or have file extensions be interpreted as the incorrect file type. This defect is caused by the default locations of Linux and macOS platforms (such as “/etc/mime.types”) also being used on Windows, where they are user-writable locations (“C:\etc\mime.types”). To work-around this issue a user can call mimetypes.init() with an empty list (“[]”) on Windows platforms to avoid using the default list of known file locations. There is no patch available yet, the CVE will be updated once there is a fixed version. Please see the linked CVE ID for the latest information on affected versions: https://www.cve.org/CVERecord?id=CVE-2024-3220

1 0

[CVE-2025-0938] URL parser allowed square brackets in domain names
by Seth Larson Feb. 1, 2025

Feb. 1, 2025

There is a new MEDIUM severity vulnerability affecting CPython. The Python standard library functions `urllib.parse.urlsplit` and `urlparse` accepted domain names that included square brackets which isn't valid according to RFC 3986. Square brackets are only meant to be used as delimiters for specifying IPv6 and IPvFuture hosts in URLs. This could result in differential parsing across the Python URL parser and other specification-compliant URL parsers. Please see the linked CVE ID for the latest information on affected versions: * https://www.cve.org/CVERecord?id=CVE-2025-0938 * https://github.com/python/cpython/pull/129418

1 0

[CVE-2024-12254] Unbounded memory buffering in SelectorSocketTransport.writelines()
by Seth Larson Dec. 7, 2024

Dec. 7, 2024

There is a HIGH severity vulnerability affecting CPython. Starting in Python 3.12.0, the asyncio._SelectorSocketTransport.writelines() method would not "pause" writing and signal to the Protocol to drain the buffer to the wire once the write buffer reached the "high-water mark". Because of this, Protocols would not periodically drain the write buffer potentially leading to memory exhaustion. This vulnerability likely impacts a small number of users, you must be using Python 3.12.0 or later, on macOS or Linux, using the asyncio module with protocols, and using .writelines() method which had new zero-copy-on-write behavior in Python 3.12.0 and later. If not all of these factors are true then your usage of Python is unaffected. Please see the linked CVE ID for the latest information on affected versions: * https://www.cve.org/CVERecord?id=CVE-2024-12254 * https://github.com/python/cpython/pull/127656

1 0

[CVE-2024-11168] Improper validation of IPv6 and IPvFuture addresses
by Seth Larson Nov. 13, 2024

Nov. 13, 2024

There is a MEDIUM severity vulnerability affecting CPython. The urllib.parse.urlsplit() and urlparse() functions improperly validated bracketed hosts (`[]`), allowing hosts that weren't IPv6 or IPvFuture. This behavior was not conformant to RFC 3986 and potentially enabled SSRF if a URL is processed by more than one URL parser. Please see the linked CVE ID for the latest information on affected versions: * https://www.cve.org/cverecord?id=CVE-2024-11168 * https://github.com/python/cpython/pull/103849

1 0

[CVE-2024-9287] Virtual environment (venv) activation scripts don't quote paths
by Seth Larson Oct. 23, 2024

Oct. 23, 2024

There is a MEDIUM severity vulnerability affecting CPython. A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the virtual environment creator to inject commands into virtual environment "activation" scripts (ie "source venv/bin/activate"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker or which aren't activated before being used (ie "./venv/bin/python") are not affected. Please see the linked CVE ID for the latest information on affected versions: * https://www.cve.org/CVERecord?id=CVE-2024-9287 * https://github.com/python/cpython/pull/124712

1 0

[CVE-2024-6232] Regular-expression DoS when parsing TarFile headers
by Seth Larson Sept. 3, 2024

Sept. 3, 2024

There is a MEDIUM severity vulnerability affecting CPython. Regular expressions that allowed excessive backtracking during tarfile.TarFile header parsing are vulnerable to ReDoS via specifically-crafted tar archives. Please see the linked CVE ID for the latest information on affected versions: * https://www.cve.org/CVERecord?id=CVE-2024-6232 * https://github.com/python/cpython/pull/121286

1 0

[CVE-2024-8088] Infinite loop when iterating over zip archive entry names
by Seth Larson Aug. 27, 2024

Aug. 27, 2024

There is a HIGH severity vulnerability affecting the CPython "zipfile" module. When iterating over names of entries in a zip archive (for example, methods of "zipfile.ZipFile" like "namelist()", "iterdir()", "extractall()", etc) the process can be put into an infinite loop with a maliciously crafted zip archive. This defect applies when reading only metadata or extracting the contents of the zip archive. Programs that are not handling user-controlled zip archives are not affected. Please see the linked CVE ID for the latest information on affected versions: * https://www.cve.org/CVERecord?id=CVE-2024-8088 * https://github.com/python/cpython/pull/122906 * https://github.com/python/cpython/issues/122905

1 1

[CVE-2024-7592] Quadratic complexity parsing cookies with backslashes
by Seth Larson Aug. 20, 2024

Aug. 20, 2024

There is a LOW severity vulnerability affecting CPython, specifically the 'http.cookies' standard library module. When parsing cookies that contained backslashes for quoted characters in the cookie value, the parser would use an algorithm with quadratic complexity, resulting in excess CPU resources being used while parsing the value. Please see the linked CVE ID for the latest information on affected versions: * https://www.cve.org/CVERecord?id=CVE-2024-7592 * https://github.com/python/cpython/pull/123075 * https://github.com/python/cpython/issues/123067

1 0

[CVE-2024-6923] Email header injection due to unquoted newlines
by Seth Larson Aug. 1, 2024

Aug. 1, 2024

There is a MEDIUM severity vulnerability affecting CPython. The email module didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized. Please see the linked CVE for the latest information on affected versions: * https://www.cve.org/CVERecord?id=CVE-2024-6923 * https://github.com/python/cpython/pull/122233 * https://github.com/python/cpython/issues/121650

1 0