[Git][security-tracker-team/security-tracker][master] python2.7: associate past python3.x CVEs to python2.7 + buster triage

Fri Apr 14 13:48:15 BST 2023


Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker


Commits:
fb0c9868 by Sylvain Beucler at 2023-04-14T14:45:32+02:00
python2.7: associate past python3.x CVEs to python2.7 + buster triage

See https://lists.debian.org/debian-lts/2023/04/msg00019.html for context

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -17992,6 +17992,7 @@ CVE-2023-24329 (An issue in the urllib.parse component of Python before v3.11 al
 	- python3.9 <removed>
 	[bullseye] - python3.9 <no-dsa> (Minor issue)
 	- python3.7 <removed>
+	- python2.7 <removed>
 	NOTE: https://pointernull.com/security/python-url-parse-problem.html
 	NOTE: https://github.com/python/cpython/pull/99421
 	NOTE: https://github.com/python/cpython/pull/99446 (backport for 3.11 branch)
@@ -35306,6 +35307,8 @@ CVE-2022-45061 (An issue was discovered in Python before 3.11.1. An unnecessary
 	[bullseye] - python3.9 <no-dsa> (Minor issue)
 	- python3.7 <removed>
 	[buster] - python3.7 <postponed> (Minor issue; fix along with next DLA)
+	- python2.7 <removed>
+	[buster] - python2.7 <postponed> (Minor issue, DoS, fix along with next DLA)
 	NOTE: https://github.com/python/cpython/issues/98433
 	NOTE: https://github.com/python/cpython/pull/99092
 	NOTE: https://github.com/python/cpython/commit/a6f6c3a3d6f2b580f2d87885c9b8a9350ad7bf15 (v3.11.1)
@@ -43979,6 +43982,7 @@ CVE-2022-42919 (Python 3.9.x before 3.9.16 and 3.10.x before 3.10.9 on Linux all
 	[bullseye] - python3.9 <no-dsa> (Minor issue)
 	- python3.7 <removed>
 	[buster] - python3.7 <not-affected> (Vulnerable functionality backported later in 3.7.8)
+	- python2.7 <not-affected> (Vulnerable code introduced later)
 	NOTE: https://github.com/python/cpython/issues/97514
 	NOTE: https://github.com/python/cpython/commit/4686d77a04570a663164c03193d9def23c89b122 (3.11-branch)
 	NOTE: https://github.com/python/cpython/commit/eae692eed18892309bcc25a2c0f8980038305ea2 (3.10-branch)
@@ -58589,6 +58593,7 @@ CVE-2022-37454 (The Keccak XKCP SHA-3 reference implementation before fdc6fef ha
 	- python3.10 3.10.9-1 (unimportant)
 	- python3.9 <removed> (unimportant)
 	- python3.7 <removed>
+	- python2.7 <not-affected> (Vulnerable code introduced later)
 	- pysha3 1.0.2-5 (bug #1023030)
 	- pypy3 7.3.9+dfsg-5
 	[buster] - pypy3 <not-affected> (Vulnerable code not present before we switch to the 3.6 branch in 7.1.1+dfsg-1)
@@ -89881,6 +89886,7 @@ CVE-2022-26488 (In Python before 3.10.3 on Windows, local users can gain privile
 	- python3.9 <not-affected> (Windows-specific)
 	- python3.7 <not-affected> (Windows-specific)
 	- python3.5 <not-affected> (Windows-specific)
+	- python2.7 <not-affected> (Windows-specific)
 CVE-2022-26487
 	REJECTED
 CVE-2021-46704 (In GenieACS 1.2.x before 1.2.8, the UI interface API is vulnerable to  ...)
@@ -97482,6 +97488,7 @@ CVE-2022-0391 (A flaw was found in Python, specifically within the urllib.parse
 	- python3.5 <removed>
 	[stretch] - python3.5 <postponed> (Minor issue; regressions reports)
 	- python3.4 <removed>
+	- python2.7 <removed>
 	NOTE: https://bugs.python.org/issue43882
 	NOTE: Fixed by: https://github.com/python/cpython/commit/76cd81d60310d65d01f9d7b48a8985d8ab89c8b4 (v3.10.0b1)
 	NOTE: Followup for 3.10.x: https://github.com/python/cpython/commit/24f1d1a8a2c4aa58a606b4b6d5fa4305a3b91705 (v3.10.0b2)
@@ -125328,6 +125335,8 @@ CVE-2021-3737 (A flaw was found in python. An improperly handled HTTP response i
 	[buster] - python3.7 <no-dsa> (Minor issue)
 	- python3.5 <removed>
 	- python3.4 <removed>
+	- python2.7 <removed>
+	[buster] - python2.7 <postponed> (Minor issue, DoS)
 	NOTE: https://bugs.python.org/issue44022
 	NOTE: https://github.com/python/cpython/pull/25916
 	NOTE: https://github.com/python/cpython/pull/26503
@@ -126535,6 +126544,8 @@ CVE-2021-3733 (There's a flaw in urllib's AbstractBasicAuthHandler class. An att
 	- python3.7 <removed>
 	[buster] - python3.7 <no-dsa> (Minor issue)
 	- python3.5 <removed>
+	- python2.7 <removed>
+	[buster] - python2.7 <postponed> (Minor issue, ReDoS)
 	NOTE: https://bugs.python.org/issue43075
 	NOTE: https://github.com/python/cpython/pull/24391
 	NOTE: https://github.com/python/cpython/commit/7215d1ae25525c92b026166f9d5cac85fb1defe1 (master)
@@ -151579,6 +151590,7 @@ CVE-2021-29921 (In Python before 3,9,5, the ipaddress library mishandles leading
 	[experimental] - python3.9 3.9.5-1
 	- python3.9 3.9.7-1 (bug #989195)
 	[bullseye] - python3.9 <no-dsa> (Minor issue)
+	- python2.7 <not-affected> (Vulnerable code introduced later)
 	NOTE: https://bugs.python.org/issue36384#msg392423
 	NOTE: https://github.com/python/cpython/commit/60ce8f0be6354ad565393ab449d8de5d713f35bc (v3.10.0b1)
 	NOTE: https://github.com/python/cpython/commit/5374fbc31446364bf5f12e5ab88c5493c35eaf04 (v3.9.5)
@@ -154181,6 +154193,7 @@ CVE-2021-28861 (** DISPUTED ** Python 3.x through 3.10 has an open redirection v
 	- python3.10 3.10.6-1 (unimportant)
 	- python3.9 <removed> (unimportant)
 	- python3.7 <removed> (unimportant)
+	- python2.7 <removed> (unimportant)
 	NOTE: https://bugs.python.org/issue43223
 	NOTE: https://github.com/python/cpython/pull/93879
 	NOTE: https://github.com/python/cpython/commit/e2e8847bf52f4a81490653c6d13b7e3821b2c2be (v3.11.0b4)
@@ -189266,6 +189279,7 @@ CVE-2020-27619 (In Python 3 through 3.9.0, the Lib/test/multibytecodec_support.p
 	- python3.9 <removed> (unimportant)
 	- python3.8 <removed> (unimportant)
 	- python3.7 <removed> (unimportant)
+	- python2.7 <removed> (unimportant)
 	NOTE: https://python-security.readthedocs.io/vuln/cjk-codec-download-eval.html
 	NOTE: https://github.com/python/cpython/commit/2ef5caa58febc8968e670e39e3d37cf8eef3cab8 (master)
 	NOTE: https://github.com/python/cpython/commit/a8bf44d04915f7366d9f8dfbf84822ac37a4bab3 (master)
@@ -192832,6 +192846,7 @@ CVE-2020-26116 (http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.
 	- python3.7 <removed>
 	[buster] - python3.7 3.7.3-2+deb10u3
 	- python3.5 <removed>
+	- python2.7 <removed>
 	NOTE: https://bugs.python.org/issue39603
 	NOTE: https://python-security.readthedocs.io/vuln/http-header-injection-method.html
 	NOTE: https://github.com/python/cpython/commit/8ca8a2e8fb068863c1138f07e3098478ef8be12e (master)
@@ -231020,6 +231035,8 @@ CVE-2020-10735 (A flaw was found in python. In algorithms with quadratic time co
 	[bullseye] - python3.9 <no-dsa> (Minor issue)
 	- python3.7 <removed>
 	[buster] - python3.7 <postponed> (Minor issue, CPU DoS)
+	- python2.7 <removed>
+	[buster] - python2.7 <ignored> (Minor issue, CPU DoS, intrusive backport)
 	NOTE: https://github.com/python/cpython/issues/95778
 	NOTE: https://github.com/python/cpython/pull/96499
 	NOTE: https://github.com/python/cpython/commit/f8b71da9aac6ea74808dcdd0cc266e705431356b (v3.11.0rc2)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fb0c9868f5bb6a7c5457f397cdfb603d629ef0c3

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fb0c9868f5bb6a7c5457f397cdfb603d629ef0c3
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20230414/de5ff6c5/attachment.htm>
