Hi,

Minor update on http://python-security.readthedocs.io/vulnerabilities.html : I enhanced the render_doc.py script to download the issue title, author and date from bugs.python.org. This allows removing more lines from vulnerabilities.yaml, so each YAML entry is now shorter and human mistakes are less likely!

Note: Sadly, it seems like the Roundup XML-RPC API requires passing a user + password in the URL to get the author of the first message of an issue, whereas this information is public if you look at the HTML page.

Victor

2017-02-22 1:11 GMT+01:00 Victor Stinner <victor.stinner@gmail.com>:
I completed my list: the 30 CVEs are now listed on my page! Well, except for two special cases:
* CVE-2016-1494: vulnerability in the 3rd party module "python-rsa"
* CVE-2015-5652: sys.path on Windows -- not fixed
See also my notes on sys.path: http://python-security.readthedocs.io/#misc
The last major vulnerability not documented yet is cookielib which has a long story. I don't know yet how to summarize it as individual "vulnerabilities".
https://hackerone.com/reports/26647
https://bugs.python.org/issue16611 #16611: BaseCookie now parses 'secure' and 'httponly' flags.
https://bugs.python.org/issue22796 Regression in Python 3.2 cookie parsing
https://bugs.python.org/issue25228 Support for httponly/secure cookies reintroduced lax parsing behavior
https://code.djangoproject.com/ticket/26158 cookie parsing fails with python 3.x if request contains unnamed cookie
Victor