Messages by Thread
- [Security-announce][CVE-2026-8328] FTP PASV SSRF, ftpcp() does not use actual peer address, trusts server-supplied PASV host address (Seth Larson)
- [Security-announce][CVE-2026-7210] The expat and elementtree parsers use insufficient entropy for XML hash-flooding protection (Stan Ulbrych via Security-announce)
- [Security-announce][CVE-2026-3087] shutil.unpack_archive() doesn't check for Windows absolute paths in ZIPs (Seth Larson)
- [Security-announce][CVE-2026-6357] pip self-update functionality can import newly installed modules after wheel installation (Seth Larson)
- [Security-announce][CVE-2026-6019] BaseCookie.js_output() does not neutralize characters in cookie value embedded in JS (Seth Larson)
- [Security-announce][CVE-2026-3298] Out-of-bounds write in Windows asyncio.ProactorEventLoop.sock_recvfrom_into() when using nbytes (Seth Larson)
- [Security-announce][CVE-2026-3219] pip doesn't reject concatenated ZIP and tar archives (Seth Larson)
- [Security-announce][CVE-2026-5713] Out-of-bounds read/write during remote debugging when connecting to malicious target (Seth Larson)
- [Security-announce][CVE-2026-4786] Incomplete mitigation of CVE-2026-4519, %action expansion for command injection to webbrowser.open() (Seth Larson)
- [Security-announce][CVE-2026-6100] Use-after-free in lzma.LZMADecompressor, bz2.BZ2Decompressor, and gzip.GzipFile after re-use under memory pressure (Seth Larson)
- [Security-announce]Title: [CVE-2026-3446] Base64 decoding stops at first padded quad by default (Seth Larson)
- [Security-announce][CVE-2026-1502] HTTP client proxy tunnel headers not validated for CR/LF (Seth Larson)
- [Security-announce][CVE-2026-5271] Python install manager script aliases search path hijack (Steve Dower)
- [Security-announce][CVE-2026-4519] webbrowser.open() API allows leading dashes (Seth Larson)
- [Security-announce][CVE-2026-3479] pkgutil.get_data does not enforce documented restrictions (Stan Ulbrych via Security-announce)
- [Security-announce][CVE-2026-4224] Stack overflow parsing XML with deeply nested DTD content models (Stan Ulbrych via Security-announce)
- [Security-announce][CVE-2026-3644] Incomplete control character validation in http.cookies (Stan Ulbrych via Security-announce)
- [Security-announce][CVE-2025-13462]: tarfile: Skip DIRTYPE normalization during GNU long name and link handling (Seth Larson)
- [Security-announce][CVE-2026-2297] SourcelessFileLoader does not use io.open_code() (Seth Larson)
- [Security-announce][CVE-2026-1703] Limited path traversal when installing wheel archives (Seth Larson)
- [Security-announce][CVE-2026-1299] email BytesGenerator header injection due to unquoted newlines (Seth Larson)
- [Security-announce][CVE-2025-12781] base64.b64decode() always accepts "+/" characters, despite setting altchars (Seth Larson)
- [Security-announce][CVE-2026-0672] Header injection in http.cookies.Morsel (Seth Larson)
- [Security-announce][CVE-2025-15367] POP3 command injection in user-controlled commands (Seth Larson)
- [Security-announce][CVE-2025-15366] IMAP command injection in user-controlled commands (Seth Larson)
- [Security-announce][CVE-2025-15282] Header injection via newlines in data URL mediatype (Seth Larson)
- [Security-announce]Title: [CVE-2026-0865] wsgiref.headers.Headers allows header newline injection (Seth Larson)
- [Security-announce][CVE-2025-11468] Folding email comments of unfoldable characters doesn't preserve parenthesis (Seth Larson)
- [Security-announce][CVE-2025-12084] Quadratic complexity in node ID cache clearing (Seth Larson)
- [Security-announce][CVE-2025-13836] Excessive read buffering DoS in http.client (Seth Larson)
- [Security-announce][CVE-2025-13837] Out-of-memory when loading Plist (Seth Larson)
- [Security-announce][CVE-2025-6075] Quadratic complexity in os.path.expandvars() with user-controlled template (Seth Larson)
- [Security-announce][CVE-2025-8291] ZIP64 End of Central Directory (EOCD) Locator record offset not checked (Seth Larson)
- [Security-announce][CVE-2025-8869] Fallback tar extraction in pip doesn't check symbolic links point to extraction directory (Seth Larson)
- [Security-announce]New phishing campaign against PyPI is ongoing (Seth Larson)
- [Security-announce]Windows code signing certificates for Python 3.12.8, 3.13.1 revoked (Seth Larson)
- [Security-announce][CVE-2025-8194] Tarfile infinite loop during parsing with negative member offset (Seth Larson)
- [Security-announce]PyPI Users Email Phishing Attack (Seth Larson)
- [Security-announce][CVE-2025-6069] HTMLParser quadratic complexity when processing malformed inputs (Seth Larson)
- [Security-announce]Multiple CVEs (1 CRITICAL, 3 HIGH, 1 MODERATE) affecting the tarfile module (Seth Larson)
- [Security-announce][CVE-2025-4516] Use-after-free crash using bytes.decode("unicode_escape", error="ignore|replace") (Seth Larson)
- [Security-announce][CVE-2025-1795] Mishandling of comma during folding and unicode-encoding of email headers (Seth Larson)
- [Security-announce][CVE-2024-3220] Default mimetype known files writeable on Windows (Seth Larson)
- [Security-announce][CVE-2025-0938] URL parser allowed square brackets in domain names (Seth Larson)
- [Security-announce][CVE-2024-12254] Unbounded memory buffering in SelectorSocketTransport.writelines() (Seth Larson)
- [Security-announce][CVE-2024-11168] Improper validation of IPv6 and IPvFuture addresses (Seth Larson)
- [Security-announce][CVE-2024-9287] Virtual environment (venv) activation scripts don't quote paths (Seth Larson)
- [Security-sig] Re: [Security-announce][CVE-2024-6232] Regular-expression DoS when parsing TarFile headers (Out of office) (Daniel Lohmann)
- [Security-announce][CVE-2024-6232] Regular-expression DoS when parsing TarFile headers (Seth Larson)
- [Security-announce][CVE-2024-8088] Infinite loop when iterating over zip archive entry names (Seth Larson)
- [Security-announce][CVE-2024-7592] Quadratic complexity parsing cookies with backslashes (Seth Larson)
- [Security-announce][CVE-2024-6923] Email header injection due to unquoted newlines (Seth Larson)
- [Security-announce][CVE-2024-3219] Pure-Python fallback of socket.socketpair() doesn't authenticate peer connection (Seth Larson)
- [Security-announce][CVE-2024-5642] Buffer over-read in SSLContext.set_npn_protocols() for Python 3.9 and earlier (Seth Larson)
- [Security-announce][CVE-2024-4032] Incorrect IPv4 and IPv6 private ranges (Seth Larson)
- [Security-announce][CVE-2024-0397] Memory race condition in ssl.SSLContext certificate store methods (Seth Larson)
- [Security-announce]Re: [CVE-2024-4030] tempfile.mkdtemp() may be readable and writeable by all users on Windows (Steve Dower)
- [Security-announce][CVE-2023-6597] tempfile.TemporaryDirectory dereferences symlinks during cleanup (Ee Durbin)
- [Security-announce][CVE-2024-0450] Quoted zip-bomb protection for zipfile (Ee Durbin)
- [Security-sig] Re: [Security-announce]Incident Report: Malicious takeover of ctx project on PyPI (Skip Montanaro)
- [Security-sig] [CVE-2015-20107] Shell injection in mailcap module (Steve Dower)
- [Security-sig] [CVE-2022-26488] Escalation of privilege via Windows installer (Steve Dower)
- [Security-sig] Answers to your Questions about PrestaShop (Dhriti Jones)
- [Security-sig] Get Best Tips And Tricks To Solve Life Issues (Sandra Parson via Security-SIG)
- [Security-sig] 374252 Python Invalid Search Path Vulnerability (Prashanth Reddy)
- [Security-sig] Which CVSS Severity and Metrics version should be used? 2 or 3? (Victor Stinner)
- [Security-sig] PSRT's page link is broken on the description (Felipe Rodrigues)
- [Security-sig] Re: [Security-announce]CVE-2020-8315: Windows 7 DLL hijack (Marlon Luis Petry)
- [Security-sig] PEP 458: Secure transport independent download integrity for PyPI packages (Sumana Harihareswara)
- [Security-sig] Table of Python Vulnerabilities updated (Victor Stinner)
- [Security-sig] Move https://python-security.readthedocs.io/ to python.org? (Victor Stinner)
- [Security-sig] Script for testing Python vulnerabilities (Victor Stinner)
- [Security-sig] python-security.readthedocs.io updated (Victor Stinner)
- [Security-sig] Subscriptions to Security-announce (Victor Stinner)
- [Security-sig] CVE-2018-1000117: Buffer overflow vulnerability in os.symlink on Windows (Steve Dower)
- [Security-sig] Backport critical bugfixes? (Victor Stinner)
- [Security-sig] Fwd: List Settings Question (Steve Barnes)
- [Security-sig] PEP 551: Security transparency in the Python runtime (Steve Dower)
- [Security-sig] All known security vulnerabilities have been fixed in all branches (Victor Stinner)
- [Security-sig] Vulnerability table updated for Python 3.6.2 (Victor Stinner)
- [Security-sig] Python Vulnerabilities: Vulnerable Python versions added (Victor Stinner)
- [Security-sig] New report of Python vulnerabilities (Victor Stinner)
- [Security-sig] Archives (.tar or .zip) with absolute paths (Victor Stinner)
- [Security-sig] Patching ssl.py to work around ssl lack of relocatability (David Cournapeau)
- [Security-sig] 3.3 and 3.4 branches not well maintained (Victor Stinner)
- [Security-sig] HTML page of Python security vulnerabilities (Victor Stinner)
- [Security-sig] Unified TLS API for Python 4: This Time It's Personal (Cory Benfield)
- [Security-sig] email & phones (Ethan Furman)
- [Security-sig] Unified TLS API for Python: Draft 3 (Cory Benfield)
- [Security-sig] Unified TLS API for Python: Round 2 (Cory Benfield)