[Git][security-tracker-team/security-tracker][master] Triage of Python bugs that affect pypy3
Stefano Rivera (@stefanor)
stefanor at debian.org
Wed May 1 19:56:23 BST 2024
Stefano Rivera pushed to branch master at Debian Security Tracker / security-tracker
Commits:
9efceb85 by Stefano Rivera at 2024-05-01T14:55:54-04:00
Triage of Python bugs that affect pypy3
Applied the same triage as was already applied to the relevant cPythons
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -13409,6 +13409,7 @@ CVE-2024-1144 (Improper access control vulnerability in Devklan's Alma Blog that
NOT-FOR-US: Devklan's Alma Blog
CVE-2024-0450 (An issue was found in the CPython `zipfile` module affecting versions ...)
{DLA-3772-1 DLA-3771-1}
+ - pypy3 7.3.16+dfsg-1
- python3.12 3.12.2-1
- python3.11 3.11.8-1 (bug #1070133)
- python3.10 <removed>
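Review bot: the new `- pypy3 7.3.16+dfsg-1` line is inserted above the python3.12 entry, while every other hunk in this commit appends the pypy3 line after the last CPython entry; placing it after `- python3.10 <removed>` keeps the ordering consistent. This entry also carries DLA references for the LTS suites but no per-suite status for pypy3; if bookworm or bullseye ship an affected pypy3, a [bookworm]/[bullseye] annotation as in the CVE-2023-6597 hunk would be expected here too.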
@@ -13433,6 +13434,10 @@ CVE-2023-6597 (An issue was found in the CPython `tempfile.TemporaryDirectory` c
[bullseye] - python3.9 <no-dsa> (Minor issue)
- python3.7 <removed>
- python2.7 <not-affected> (tempfile.TemporaryDirectory added in 3.2)
+ - pypy3 7.3.13+dfsg-1
+ [bookworm] - pypy3 <no-dsa> (Minor issue)
+ [bullseye] - pypy3 <no-dsa> (Minor issue)
+ [buster] - pypy3 <no-dsa> (Minor issue)
NOTE: https://github.com/python/cpython/pull/99930
NOTE: https://github.com/python/cpython/issues/91133
NOTE: https://github.com/python/cpython/commit/6ceb8aeda504b079fef7a57b8d81472f15cdd9a5 (v3.12.1)
@@ -53512,6 +53517,7 @@ CVE-2022-48566 (An issue was discovered in compare_digest in Lib/hmac.py in Pyth
- python3.7 <removed>
- python2.7 <removed>
[bullseye] - python2.7 2.7.18-8+deb11u1
+ - pypy3 7.3.4~rc1+dfsg-1
NOTE: https://bugs.python.org/issue40791
NOTE: https://github.com/python/cpython/commit/8183e11d87388e4e44e3242c42085b87a878f781 (v3.9.0b2)
NOTE: https://github.com/python/cpython/commit/c1bbca5b004b3f74d240ef8a76ff445cc1a27efb (v3.9.1rc1)
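Review bot: the fixed version 7.3.4~rc1+dfsg-1 is recorded without any [bullseye]/[buster] annotation, whereas the later fixes in this commit (7.3.8~rc1 onward) carry explicit <no-dsa> lines for both suites. If the suite versions of pypy3 are older than 7.3.4~rc1, the tracker will list this CVE as open for them, so either a per-suite status or a <not-affected> line with a reason is needed; the same question applies to the CVE-2022-48565, CVE-2022-48564, CVE-2020-27619, CVE-2020-26116 and CVE-2019-20907 hunks below.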
@@ -53524,6 +53530,7 @@ CVE-2022-48565 (An XML External Entity (XXE) issue was discovered in Python thro
- python3.7 <removed>
- python2.7 <removed>
[bullseye] - python2.7 2.7.18-8+deb11u1
+ - pypy3 7.3.4~rc1+dfsg-1
NOTE: https://bugs.python.org/issue42051
NOTE: https://github.com/python/cpython/issues/86217
NOTE: https://github.com/python/cpython/commit/05ee790f4d1cd8725a90b54268fc1dfe5b4d1fa2 (v3.10.0a2)
@@ -53536,6 +53543,7 @@ CVE-2022-48564 (read_ints in plistlib.py in Python through 3.9.1 is vulnerable t
- python3.9 3.9.1~rc1-1
- python3.7 <removed>
- python2.7 <not-affected> (In 2.7, the plistlib parser only supports XML and not the affected binary format)
+ - pypy3 7.3.4~rc1+dfsg-1
NOTE: https://bugs.python.org/issue42103
NOTE: https://github.com/python/cpython/issues/86269
NOTE: https://github.com/python/cpython/commit/34637a0ce21e7261b952fbd9d006474cc29b681f (v3.10.0a2)
@@ -79980,6 +79988,10 @@ CVE-2023-27043 (The email module of Python through 3.11.3 incorrectly parses e-m
- python2.7 <removed>
[bullseye] - python2.7 <ignored> (Unsupported in Bullseye, only included to build a few applications)
[buster] - python2.7 <postponed> (Minor issue, wait until upstream has decided whether to backport to older branches)
+ - pypy3 <unfixed>
+ [bookworm] - pypy3 <postponed> (Minor issue, wait until upstream has decided whether to backport to older branches)
+ [bullseye] - pypy3 <postponed> (Minor issue, wait until upstream has decided whether to backport to older branches)
+ [buster] - pypy3 <postponed> (Minor issue, wait until upstream has decided whether to backport to older branches)
NOTE: https://github.com/python/cpython/issues/102988
CVE-2023-27042 (Tenda AX3 V16.03.12.11 is vulnerable to Buffer Overflow via /goform/Se ...)
NOT-FOR-US: Tenda
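Review bot: `- pypy3 <unfixed>` has no Debian bug reference, unlike the fixed python3.11 entry earlier in this commit (`bug #1070133`); an open issue in unstable normally points at the bug that tracks the pending fix, so consider filing one and appending `(bug #NNNNNN)` once it exists. The <postponed> reason copied from the python2.7 lines is appropriate only while the upstream backport decision referenced there is still pending.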
@@ -88163,6 +88175,10 @@ CVE-2023-24329 (An issue in the urllib.parse component of Python before 3.11.4 a
[buster] - python3.7 <ignored> (Cf. related CVE-2022-0391)
- python2.7 <removed>
[bullseye] - python2.7 2.7.18-8+deb11u1
+ - pypy3 <unfixed>
+ [bookworm] - pypy3 <no-dsa> (Minor issue)
+ [bullseye] - pypy3 <no-dsa> (Minor issue)
+ [buster] - pypy3 <no-dsa> (Minor issue)
NOTE: https://pointernull.com/security/python-url-parse-problem.html
NOTE: https://github.com/python/cpython/pull/99421
NOTE: https://github.com/python/cpython/pull/99446 (backport for 3.11 branch)
@@ -105870,6 +105886,9 @@ CVE-2022-45061 (An issue was discovered in Python before 3.11.1. An unnecessary
- python3.7 <removed>
- python2.7 <removed>
[bullseye] - python2.7 <ignored> (Unsupported in Bullseye, only included to build a few applications)
+ - pypy3 7.3.11+dfsg-1
+ [bullseye] - pypy3 <no-dsa> (Minor issue)
+ [buster] - pypy3 <no-dsa> (Minor issue)
NOTE: https://github.com/python/cpython/issues/98433
NOTE: https://github.com/python/cpython/pull/99092
NOTE: https://github.com/python/cpython/commit/a6f6c3a3d6f2b580f2d87885c9b8a9350ad7bf15 (v3.11.1)
@@ -114676,6 +114695,9 @@ CVE-2022-42919 (Python 3.9.x before 3.9.16 and 3.10.x before 3.10.9 on Linux all
- python3.7 <removed>
[buster] - python3.7 <not-affected> (Vulnerable functionality backported later in 3.7.8)
- python2.7 <not-affected> (Vulnerable code introduced later)
+ - pypy3 7.3.11+dfsg-1
+ [bullseye] - pypy3 <no-dsa> (Minor issue)
+ [buster] - pypy3 <no-dsa> (Minor issue)
NOTE: https://github.com/python/cpython/issues/97514
NOTE: https://github.com/python/cpython/commit/4686d77a04570a663164c03193d9def23c89b122 (3.11-branch)
NOTE: https://github.com/python/cpython/commit/eae692eed18892309bcc25a2c0f8980038305ea2 (3.10-branch)
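Review bot: buster's python3.7 is marked <not-affected> because the vulnerable functionality only arrived in 3.7.8, yet buster's pypy3 is given <no-dsa> (Minor issue), which asserts it is affected. Whether buster's pypy3 contains that functionality depends on the Python level it implements; please verify, and if it does not, the [buster] line should read `<not-affected> (Vulnerable functionality backported later)` to match the python3.7 triage.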
@@ -168587,6 +168609,9 @@ CVE-2022-0391 (A flaw was found in Python, specifically within the urllib.parse
- python3.4 <removed>
- python2.7 <removed>
[bullseye] - python2.7 2.7.18-8+deb11u1
+ - pypy3 7.3.6~rc2+dfsg-1
+ [bullseye] - pypy3 <no-dsa> (Minor issue)
+ [buster] - pypy3 <no-dsa> (Minor issue)
NOTE: https://bugs.python.org/issue43882
NOTE: Regressions reported for django, boto-core and cloud-init
NOTE: Fixed by: https://github.com/python/cpython/commit/76cd81d60310d65d01f9d7b48a8985d8ab89c8b4 (v3.10.0b1)
@@ -175911,6 +175936,9 @@ CVE-2021-4189 (A flaw was found in Python, specifically in the FTP (File Transfe
[experimental] - python2.7 2.7.18-13.1~exp1
- python2.7 2.7.18-13.1
[bullseye] - python2.7 <ignored> (Python 2.7 in Bullseye not covered by security support)
+ - pypy3 7.3.8~rc1+dfsg-1
+ [bullseye] - pypy3 <no-dsa> (Minor issue)
+ [buster] - pypy3 <no-dsa> (Minor issue)
NOTE: https://bugs.python.org/issue43285
NOTE: https://github.com/python/cpython/commit/0ab152c6b5d95caa2dc1a30fa96e10258b5f188e (master)
NOTE: https://github.com/python/cpython/commit/7dcb4baa4f0fde3aef5122a8e9f6a41853ec9335 (v3.9.3)
@@ -196605,6 +196633,9 @@ CVE-2021-3737 (A flaw was found in python. An improperly handled HTTP response i
- python3.4 <removed>
- python2.7 <removed>
[bullseye] - python2.7 <ignored> (Unsupported in Bullseye, only included to build a few applications)
+ - pypy3 7.3.8~rc1+dfsg-1
+ [bullseye] - pypy3 <no-dsa> (Minor issue)
+ [buster] - pypy3 <no-dsa> (Minor issue)
NOTE: https://bugs.python.org/issue44022
NOTE: https://github.com/python/cpython/pull/25916
NOTE: https://github.com/python/cpython/pull/26503
@@ -197813,6 +197844,9 @@ CVE-2021-3733 (There's a flaw in urllib's AbstractBasicAuthHandler class. An att
- python3.5 <removed>
- python2.7 <removed>
[bullseye] - python2.7 <ignored> (Unsupported in Bullseye, only included to build a few applications)
+ - pypy3 7.3.8~rc1+dfsg-1
+ [bullseye] - pypy3 <no-dsa> (Minor issue)
+ [buster] - pypy3 <no-dsa> (Minor issue)
NOTE: https://bugs.python.org/issue43075
NOTE: https://github.com/python/cpython/pull/24391
NOTE: https://github.com/python/cpython/commit/7215d1ae25525c92b026166f9d5cac85fb1defe1 (master)
@@ -223022,6 +223056,9 @@ CVE-2021-29921 (In Python before 3,9,5, the ipaddress library mishandles leading
- python3.9 3.9.7-1 (bug #989195)
[bullseye] - python3.9 <no-dsa> (Minor issue)
- python2.7 <not-affected> (Vulnerable code introduced later)
+ - pypy3 7.3.8~rc1+dfsg-1
+ [buster] - pypy3 <no-dsa> (Minor issue)
+ [bullseye] - pypy3 <not-affected> (Vulnerable code introduced later)
NOTE: https://bugs.python.org/issue36384#msg392423
NOTE: https://github.com/python/cpython/commit/60ce8f0be6354ad565393ab449d8de5d713f35bc (v3.10.0b1)
NOTE: https://github.com/python/cpython/commit/5374fbc31446364bf5f12e5ab88c5493c35eaf04 (v3.9.5)
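Review bot: the suite annotations look inverted: bullseye is marked `<not-affected> (Vulnerable code introduced later)` while the older buster is `<no-dsa> (Minor issue)`. If the vulnerable code postdates bullseye's pypy3 it cannot be present in buster's older version, so buster should also be <not-affected>; if bullseye is in fact affected, its line should be <no-dsa>. Please check which pypy3 version introduced the affected ipaddress handling and correct whichever line is wrong (the buster/bullseye order here is also reversed relative to the other hunks).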
@@ -225635,6 +225672,7 @@ CVE-2021-28861 (Python 3.x through 3.10 has an open redirection vulnerability in
- python3.9 <removed> (unimportant)
- python3.7 <removed> (unimportant)
- python2.7 <removed> (unimportant)
+ - pypy3 <unfixed> (unimportant)
NOTE: https://bugs.python.org/issue43223
NOTE: https://github.com/python/cpython/pull/93879
NOTE: https://github.com/python/cpython/commit/e2e8847bf52f4a81490653c6d13b7e3821b2c2be (v3.11.0b4)
@@ -260782,6 +260820,7 @@ CVE-2020-27619 (In Python 3 through 3.9.0, the Lib/test/multibytecodec_support.p
- python3.8 <removed> (unimportant)
- python3.7 <removed> (unimportant)
- python2.7 <removed> (unimportant)
+ - pypy3 7.3.4~rc1+dfsg-1
NOTE: https://python-security.readthedocs.io/vuln/cjk-codec-download-eval.html
NOTE: https://github.com/python/cpython/commit/2ef5caa58febc8968e670e39e3d37cf8eef3cab8 (master)
NOTE: https://github.com/python/cpython/commit/a8bf44d04915f7366d9f8dfbf84822ac37a4bab3 (master)
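Review bot: the CPython entries for this CVE all carry the `(unimportant)` severity, consistent with the issue living in the test support file Lib/test/multibytecodec_support.py, but the new `- pypy3 7.3.4~rc1+dfsg-1` line omits it. Since the commit message says the same triage was applied, append `(unimportant)` so the pypy3 entry is rated the same way.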
@@ -264353,6 +264392,7 @@ CVE-2020-26116 (http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.
- python3.5 <removed>
- python2.7 <removed>
[bullseye] - python2.7 <ignored> (Unsupported in Bullseye, only included to build a few applications)
+ - pypy3 7.3.3~rc1+dfsg-1
NOTE: https://bugs.python.org/issue39603
NOTE: https://python-security.readthedocs.io/vuln/http-header-injection-method.html
NOTE: https://github.com/python/cpython/commit/8ca8a2e8fb068863c1138f07e3098478ef8be12e (master)
@@ -287789,6 +287829,7 @@ CVE-2019-20907 (In Lib/tarfile.py in Python through 3.8.3, an attacker is able t
[buster] - python3.7 3.7.3-2+deb10u2
- python3.5 <removed> (low)
- python2.7 2.7.18-2 (low; bug #970099)
+ - pypy3 7.3.3~rc1+dfsg-1
NOTE: https://bugs.python.org/issue39017
NOTE: https://github.com/python/cpython/commit/5a8d121a1f3ef5ad7c105ee378cc79a3eac0c7d4 (master)
NOTE: https://github.com/python/cpython/commit/f3232294ee695492f43d424cc6969d018d49861d (3.9-branch)
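Review bot: the surrounding CPython entries rate this CVE `(low)`, but the new `- pypy3 7.3.3~rc1+dfsg-1` line has no severity tag; append `(low)` to keep the triage identical to CPython as the commit message states. Note also that buster's python3.7 received a fix via 3.7.3-2+deb10u2 while no [buster] line is given for pypy3, so its status in that suite is left implicit.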
@@ -302778,6 +302819,9 @@ CVE-2020-10735 (A flaw was found in python. In algorithms with quadratic time co
- python2.7 <removed>
[bullseye] - python2.7 <ignored> (Unsupported in Bullseye, only included to build a few applications)
[buster] - python2.7 <ignored> (Minor issue, CPU DoS, intrusive backport)
+ - pypy3 7.3.10~rc3+dfsg-1
+ [bullseye] - pypy3 <no-dsa> (Minor issue)
+ [buster] - pypy3 <no-dsa> (Minor issue)
NOTE: https://github.com/python/cpython/issues/95778
NOTE: https://github.com/python/cpython/pull/96499
NOTE: https://github.com/python/cpython/commit/f8b71da9aac6ea74808dcdd0cc266e705431356b (v3.11.0rc2)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9efceb850dfbaa1fcce10b3451ed1550588b7973