[Security-sig] HTML page of Python security vulnerabilities
Victor Stinner
victor.stinner at gmail.com
Tue Feb 21 19:11:33 EST 2017
I completed my list: the 30 CVEs are now listed on my page! Well,
except for two special cases:
* CVE-2016-1494: vulnerability in the 3rd party module "python-rsa"
* CVE-2015-5652: sys.path on Windows -- not fixed
See also my notes on sys.path:
http://python-security.readthedocs.io/#misc
The last major vulnerability not documented yet is cookielib which has
a long story. I don't know yet how to summarize it as individual
"vulnerabilities".
https://hackerone.com/reports/26647
https://bugs.python.org/issue16611
#16611: BaseCookie now parses 'secure' and 'httponly' flags.
https://bugs.python.org/issue22796
Regression in Python 3.2 cookie parsing
https://bugs.python.org/issue25228
Support for httponly/secure cookies reintroduced lax parsing behavior
https://code.djangoproject.com/ticket/26158
cookie parsing fails with python 3.x if request contains unnamed cookie
Victor