Mailman 3 - Security-SIG

Antw: [Security-announce][CVE-2024-6232] Regular-expression DoS when parsing TarFile headers (Abwesenheit)
by Daniel Lohmann Sept. 3, 2024

Sept. 3, 2024

Sehr geehrte Damen und Herren, Danke für Ihre Nachricht. Ich bin derzeit nicht erreichbar und werde Ihre Nachricht ab dem 11.9.24 beantworten können. mit freundlichen Grüßen Daniel Lohmann --- Prof. Dr.-Ing. Daniel Lohmann Professur für Architekturgeschichte und Entwerfen Institut für Baugeschichte und Denkmalpflege Koordinator des Master-Studiengangs Fakultät für Architektur T: +49 (0) 221 8275 2828 F: +49 (0) 221 8275 2815 daniel.lohmann(a)th-koeln.de TH Köln - Technische Hochschule … [View More]

1 0

Re: [Security-announce][CVE-2023-6597] tempfile.TemporaryDirectory dereferences symlinks during cleanup
by Michał Górny April 6, 2024

April 6, 2024

Hello, On Tue, 2024-03-19 at 11:10 -0400, Ee Durbin wrote: > An issue was found in the CPython `tempfile.TemporaryDirectory` class > affecting versions 3.12.2, 3.11.8, 3.10.13, 3.9.18, and 3.8.18 and prior. The fix for this seems to be present in 3.12.1 and 3.11.8: $ git describe --contains 6ceb8aeda504b079fef7a57b8d81472f15cdd9a5 v3.12.1~4 $ git describe --contains 5585334d772b253a01a6730e8202ffb1607c3d25 v3.11.8~304 -- Best regards, Michał Górny

1 0

Re: [Security-announce][CVE-2024-0450] Quoted zip-bomb protection for zipfile
by Michał Górny April 6, 2024

April 6, 2024

Hello, I am a bit confused about this. On Tue, 2024-03-19 at 11:10 -0400, Ee Durbin wrote: > An issue was found in the CPython `zipfile` module affecting versions > 3.12.2, 3.11.8, 3.10.13, 3.9.18, and 3.8.18 and prior. It seems that 3.11.8 and 3.12.2 already contained a patch for this: $ git describe --contains a956e510f6336d5ae111ba429a61c3ade30a7549 v3.11.8~173 $ git describe --contains fa181fcf2156f703347b03a3b1966ce47be8ab3b v3.12.2~196 > The zipfile module is vulnerable to “… [View More]

1 0

[CVE-2015-20107] Shell injection in mailcap module
by Steve Dower Aug. 25, 2022

Aug. 25, 2022

CVE-2015-20107 has been assigned for an issue previously reported against the mailcap module. The mailcap module reads registered commands on Linux systems to determine how to launch certain file types. The Python module does not add additional escape characters to these commands, which may allow an attacker to provide file paths or parameters that include additional shell commands. These may be executed during mailcap.find_match() depending on the system's configuration. All users of … [View More]

2 1

Re: [Security-announce]Incident Report: Malicious takeover of ctx project on PyPI
by Skip Montanaro May 31, 2022

May 31, 2022

> Takeover of the ctx project was reported on multiple channels overnight and was mitigated as of 6:07 AM Eastern. Ee, Thanks for the quick action by the Python infrastructure and security teams. I don't normally dig into such things, but was curious. I found the incident report clear, and since the exploit was very simple and written in Python, I actually understood it. (Many hacks these days seem obscure, especially stuff involving buffer overruns or use-after-free.) But I digress. … [View More]

3 2

[CVE-2022-26488] Escalation of privilege via Windows installer
by Steve Dower March 7, 2022

March 7, 2022

CVE-2022-26488 is an escalation of privilege vulnerability in the Windows installer for the following releases of CPython: * 3.11.0a6 and earlier * 3.10.2 and earlier * 3.9.10 and earlier * 3.8.12 and earlier * 3.7.12 and earlier * All end-of-life releases of 3.5 and 3.6 The vulnerability exists when installed for all users with the "Add Python to PATH" option selected. A local user without administrative permissions can trigger a repair operation of this PATH option to add incorrect … [View More]

1 0

Answers to your Questions about PrestaShop
by Dhriti Jones Sept. 7, 2021

Sept. 7, 2021

Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industrys standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. https://bit.ly/2Vn20IV

4 3

PEP 551: Security transparency in the Python runtime
by Steve Dower July 9, 2021

July 9, 2021

Hi security-sig, Those of you who were at the PyCon US language summit this year (or who saw the coverage at https://lwn.net/Articles/723823/) may recall that I talked briefly about the ways Python is used by attackers to gain and/or retain access to systems on local networks. This comes out of work we've been doing at Microsoft to balance the flexibility of scripting languages with their usefulness to malicious users. PowerShell in particular has had a lot of work done, and we've been … [View More]

8 23

Re: 374252 Python Invalid Search Path Vulnerability
by Victor Stinner July 9, 2021

July 9, 2021

Hi, Python 3.6.12 includes a fix for this issue: https://python-security.readthedocs.io/vuln/pysetpath-python-dll-path.html The commit in the 3.6 branch: https://github.com/python/cpython/commit/46cbf6148a46883110883488d3e9febbe4… Victor On Thu, Jun 17, 2021 at 10:51 AM Prashanth Reddy <reddy.prashanth809(a)gmail.com> wrote: > > Hi Victor, > > https://mail.python.org/archives/list/security-announce@python.org/thread/C… > > > Short description: > > Python … [View More]Invalid Search Path Vulnerability > > > CVE-2020-15523 is an invalid search path in Python 3.6 and later on > Windows. It occurs during Py_Initialize() when the runtime attempts to > pre-load python3.dll. If Py_SetPath() has been called, the expected > location is not set, and locations elsewhere on the user's system will > be searched. > > This issue is not triggered when running python.exe. It only applies > when CPython has been embedded in another application. > > Issue: https://bugs.python.org/issue29778 Patch: > https://github.com/python/cpython/pull/21297 > > The next patched releases will be: 3.9.0b5, 3.8.4, 3.7.9 (source > only), 3.6.12 (source only) > > Other than applying the patch, applications may mitigate the > vulnerability by explicitly calling LoadLibrary() on their copy of > python3.dll before calling Py_Initialize(). Even with the patch > applied, applications should include a copy of python3.dll alongside > their main Python DLL. > > Thanks to Eric Gantumur for detecting and reporting the issue to the > Python Security Response Team. > > Questions to security-sig(a)python.org or security(a)python.org. > > Cheers, Steve Dower Python Security Response Team > > > > > > > > > > Python Invalid Search Path Vulnerability > > > Python Invalid Search Path Vulnerability > > On Thu, Jun 17, 2021 at 3:29 AM Victor Stinner <vstinner(a)python.org> wrote: > > > > Hi, > > > > https://bugs.python.org/issue374252 is not a valid bug number. Which > > one do you mean? > > > > Victor > > > > On Wed, Jun 16, 2021 at 6:10 PM Prashanth Reddy > > <reddy.prashanth809(a)gmail.com> wrote: > > > > > > Hi Team, > > > > > > Can you help you how to resolve the issue. > > > > > > We are using python 3.6.5 version. > > > > > > Regards, > > > Prashanth > > > _______________________________________________ > > > Security-SIG mailing list -- security-sig(a)python.org > > > To unsubscribe send an email to security-sig-leave(a)python.org > > > https://mail.python.org/mailman3/lists/security-sig.python.org/ > > > Member address: vstinner(a)python.org > > > > > > > > -- > > Night gathers, and now my watch begins. It shall not end until my death. -- Night gathers, and now my watch begins. It shall not end until my death. [View Less]

2 1

Get Best Tips And Tricks To Solve Life Issues
by Sandra Parson July 2, 2021

July 2, 2021

Do you want to <a href="https://sites.google.com/view/vashikaranamantra/husband-vashikaran-mantra">husband vashikaran mantra</a>? Did your husband not listen to you and start to deceive you? Is your spouse involved in extramarital affairs and trying to divorce? If your husband doesn't love you, can't you not care? If your husband has brought you difficulties and you are not attractive to him, you don’t want him, or you need an imaginable solution to get back into your life, then the … [View More]husband vashikaran mantra is the best And the most effective method. Vashikaran is the most powerful force that can meet the needs of your life. But first, you must have a correct understanding of the Vashikaran spell of how to be a husband. If we talk about vashikaran then what is the husband vashikaran mantra, and for the husband, what is vashikaran? Therefore, this article is only for your understanding of these issues. In addition, the husband vashikaran mantra is a big problem in solving love problems in life. In addition, the Durga mantra of the husband vashikaran mantra is no less than a magnet, and you can attract iron in this world. So in the same situation. But sometimes after marriage, the wife has to encounter difficulties in the married life because of the husband. If you also encounter this problem and want to know how to recite your husband vashikaran mantra in Hindi at home, then you have come to the right place where you can get the help of powerful mantras to attract your husband. Our vashikaran astrologer provides you with the most promising mantras, husband vashikaran mantra, husband’s vashikaran advice, and Lal Kitab’s remedies so that he can get rid of his spouse’s life, and even advise him on how to control him in Hindi . Are you looking for astrology and vashikaran advice for your husband vashikaran mantra, so controlling your husband’s Lal kitab therapy is a cheaper and easier way to put your husband under your control? After marriage, some wives acted disrespectfully, and some even faced physical violence from their husbands. Your husband doesn't understand how you feel; they don't even want to see their wives with them, because this affects the male self in their society. But don't worry about it now, because here you can get advice on the Hindi husband vashikaran mantra from our astrologer. Our astrologer will give you some simple and direct advice and husband vashikaran mantra to control the husband you can use at home under the guidance of our astrologer. [View Less]

1 0