Hi,

Minor update on http://python-security.readthedocs.io/vulnerabilities.html : I enhanced the render_doc.py script to download the issue title, author and date from bugs.python.org. It allows removing more lines from vulnerabilities.yaml, so each YAML entry is now shorter and human mistakes are less likely!
Note: Sadly, it seems like the Roundup XML-RPC API requires passing a user + password in the URL to get the author of the first message of an issue, whereas this information is public if you look at the HTML page.

Victor

2017-02-22 1:11 GMT+01:00 Victor Stinner <victor.stin...@gmail.com>:
> I completed my list: the 30 CVEs are now listed on my page! Well,
> except for two special cases:
>
> * CVE-2016-1494: vulnerability in the 3rd party module "python-rsa"
> * CVE-2015-5652: sys.path on Windows -- not fixed
>
> See also my notes on sys.path:
> http://python-security.readthedocs.io/#misc
>
>
> The last major vulnerability not documented yet is cookielib, which has
> a long story. I don't know yet how to summarize it as individual
> "vulnerabilities".
>
> https://hackerone.com/reports/26647
>
> https://bugs.python.org/issue16611
> #16611: BaseCookie now parses 'secure' and 'httponly' flags.
> https://bugs.python.org/issue22796
> Regression in Python 3.2 cookie parsing
> https://bugs.python.org/issue25228
> Support for httponly/secure cookies reintroduced lax parsing behavior
> https://code.djangoproject.com/ticket/26158
> cookie parsing fails with python 3.x if request contains unnamed cookie
>
> Victor
_______________________________________________
Security-SIG mailing list
Security-SIG@python.org
https://mail.python.org/mailman/listinfo/security-sig
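The cookie tickets quoted in the mail all circle around one failure mode: a Cookie request header that contains a fragment which is not a name=value pair (an "unnamed cookie", or a bare attribute word such as secure) and a parser that reacts by abandoning the whole header, so every cookie, including the session cookie, is silently lost. The parser below is an added example written for this page; it is not code from python-security, from Victor, or from CPython's http.cookies module, and it does not claim to reproduce CPython's exact semantics. Its strict mode mimics the abort-on-first-bad-fragment behaviour the tickets describe; its default lenient mode skips the bad fragment and keeps the rest, which is what a request-side parser wants. The sample header is constructed for the demo.

```python
"""Tolerant vs. strict parsing of an HTTP Cookie request header.

Added example for the cookielib discussion above; not CPython's
http.cookies implementation and not code from python-security.
"""
import re

# Character classes follow RFC 6265 section 4.1.1: a cookie-name is a
# token, a cookie-value is a run of cookie-octets, optionally in DQUOTEs.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_VALUE = r'"[^",;\\\x00-\x1f\x7f ]*"|[^",;\\\x00-\x1f\x7f ]*'
_PAIR_RE = re.compile(rf"^(?P<name>{_TOKEN})=(?P<value>{_VALUE})$")

# Set-Cookie attribute flags.  In a Cookie *request* header they carry no
# name=value pair; this example treats them as harmless noise in both modes.
_FLAGS = {"secure", "httponly"}


def parse_cookie_header(header, strict=False):
    """Parse a Cookie header into ([(name, value), ...], [rejected, ...]).

    strict=True reproduces the failure mode from the bug reports: the first
    fragment that is neither a known flag word nor a name=value pair aborts
    parsing, and *every* cookie, including ones already parsed, is dropped.
    strict=False (the default) records the bad fragment in ``rejected`` and
    continues, so one junk fragment cannot erase a session cookie after it.
    """
    cookies, rejected = [], []
    for fragment in header.split(";"):
        fragment = fragment.strip()
        if not fragment:
            continue  # empty piece, e.g. a trailing ";"
        if fragment.lower() in _FLAGS:
            continue  # bare "secure"/"httponly": not a cookie, ignore
        m = _PAIR_RE.match(fragment)
        if m is None:
            # "Unnamed" cookie: no "=", empty name, or illegal characters.
            rejected.append(fragment)
            if strict:
                return [], rejected  # the whole header is thrown away
            continue
        name, value = m.group("name"), m.group("value")
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]  # strip the optional DQUOTE wrapper
        cookies.append((name, value))
    return cookies, rejected


# Constructed sample: a valid CSRF cookie, a junk fragment, a quoted
# session cookie, a stray "secure" flag word, and a pair with no name.
SAMPLE_HEADER = 'csrftoken=abc123; unnamed-junk; sessionid="s3cr3t"; secure; =novalue'

if __name__ == "__main__":
    print("lenient:", parse_cookie_header(SAMPLE_HEADER))
    print("strict: ", parse_cookie_header(SAMPLE_HEADER, strict=True))
```

In lenient mode the sample yields csrftoken and sessionid plus two rejected fragments; in strict mode the first junk fragment discards the whole header, so a request that should have been authenticated arrives with no session cookie at all, which is exactly the symptom reported against Django in ticket 26158. Which fragments a production parser should tolerate is a policy choice; the point of the example is that rejection must be per fragment, never per header.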