Detections
Analytics

FreeBSD : Python -- multiple vulnerabilities (050eba46-7638-11ed-820d-080027d3a315)

high Nessus Plugin ID 168474

Language:

Synopsis

The remote FreeBSD host is missing one or more security-related updates.

Description

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the 050eba46-7638-11ed-820d-080027d3a315 advisory.

 - Python reports: gh-100001: python -m http.server no longer allows terminal control characters sent within a garbage request to be printed to the stderr server log. This is done by changing the http.server BaseHTTPRequestHandler .log_message method to replace control characters with a \xHH hex escape before printing. gh-87604: Avoid publishing list of active per-interpreter audit hooks via the gc module. gh-98433: The IDNA codec decoder used on DNS hostnames by socket or asyncio related name resolution functions no longer involves a quadratic algorithm. This prevents a potential CPU denial of service if an out-of-spec excessive length hostname involving bidirectional characters were decoded. Some protocols such as urllib http 3xx redirects potentially allow for an attacker to supply such a name. gh-98739: Update bundled libexpat to 2.5.0. gh-97612: Fix a shell code injection vulnerability in the get-remote-certificate.py example script. The script no longer uses a shell to run openssl commands. Issue reported and initial fix by Caleb Shortt.
 Patch by Victor Stinner. (050eba46-7638-11ed-820d-080027d3a315)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://docs.python.org/3/whatsnew/changelog.html#changelog

http://www.nessus.org/u?be659059

Plugin Details

Severity: High

ID: 168474

File Name: freebsd_pkg_050eba46763811ed820d080027d3a315.nasl

Version: 1.3

Type: local

Published: 12/7/2022

Updated: 11/6/2023

Supported Sensors: Nessus

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:python310, p-cpe:/a:freebsd:freebsd:python311, p-cpe:/a:freebsd:freebsd:python37, p-cpe:/a:freebsd:freebsd:python38, p-cpe:/a:freebsd:freebsd:python39, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Exploit Ease: No known exploits are available

Patch Publication Date: 12/7/2022

Vulnerability Publication Date: 9/28/2022