Name: python3
Version: 3.10.20
Type: library
Description: The Python Programming Language
Licenses: PSF-2.0
PURL: -
CPE: cpe:2.3:*:python:python:3.10.20:*:*:*:*:*:*:*
Other Versions

Patches

1. configure.ac, setup.py: do not add a curses include path from
   Author: Alexander Kanavin <alex.kanavin@gmail.com>
2. python3: use cc_basename to replace CC for checking compiler
   Author: Changqing Li <changqing.li@windriver.com>
3. test_locale.py: correct the test output format
   Author: Mingli Yu <mingli.yu@windriver.com>
4. configure.ac: add CROSSPYTHONPATH into PYTHONPATH for
   Author: Ricardo Ribalda <ricardo@ribalda.com>
5. Patch #5
   Author: Richard Purdie <richard.purdie@linuxfoundation.org>
6. gh-107811: tarfile: treat overflow in UID/GID as failure to
   Author: Petr Viktorin <encukou@gmail.com>
7. Lib/sysconfig.py: use prefix value from build configuration
   Author: Alexander Kanavin <alex@linutronix.de>
8. setup.py: Do not detect multiarch paths when cross-compiling
   Author: Khem Raj <raj.khem@gmail.com>
9. python3: Fix make race
   Author: Richard Purdie <richard.purdie@linuxfoundation.org>
10. python3: Add target and native recipes
    Author: Khem Raj <raj.khem@gmail.com>
11. python-config: Revert to using distutils.sysconfig
    Author: Tyler Hall <tylerwhall@gmail.com>
12. distutils/sysconfig: append
    Author: Alexander Kanavin <alex.kanavin@gmail.com>
13. sysconfig.py: use platlibdir also for purelib
    Author: Alexander Kanavin <alex@linutronix.de>
14. Makefile: do not compile .pyc in parallel
    Author: Alexander Kanavin <alex.kanavin@gmail.com>
15. _tkinter module needs tk module along with tcl. tk is not yet
    Author: Andrei Gherzan <andrei@gherzan.ro>
16. Lib/pty.py: handle stdin I/O errors same way as master I/O
    Author: Alexander Kanavin <alex@linutronix.de>
17. Skip failing tests due to load variability on YP AB
    Author: Yi Fan Yu <yifan.yu@windriver.com>
18. Do not use the shell version of python-config that was
    Author: Alexander Kanavin <alex.kanavin@gmail.com>
19. Avoid shebang overflow on python-config.py
    Author: Paulo Neves <ptsneves@gmail.com>
20. Don't search system for headers/libraries
    Author: Jeremy Puhlman <jpuhlman@mvista.com>
21. test_storlines: skip due to load variability
    Author: Trevor Gamblin <tgamblin@baylibre.com>
22. Lib/cgi.py: Update the script as mentioned in the comment
    Author: Mark Hatle <mark.hatle@windriver.com>
23. Use FLAG_REF always for interned strings
    Author: Inada Naoki <songofacandy@gmail.com>
24. setup.py: do not report missing dependencies for disabled
    Author: Alexander Kanavin <alex.kanavin@gmail.com>
25. bpo-36852: proper detection of mips architecture for soft
    Author: Matthias Schoepfer <matthias.schoepfer@ithinx.io>
26. test_ctypes.test_find: skip without tools-sdk
    Author: Tim Orling <timothy.t.orling@intel.com>
27. Makefile.pre: use qemu wrapper when gathering profile data
    Author: Alexander Kanavin <alex.kanavin@gmail.com>
28. Do not add /usr/lib/termcap to linker flags to avoid host
    Author: Alexander Kanavin <alex.kanavin@gmail.com>
Vulnerabilities

Analysis: Exploitable
Description: `xml.parsers.expat` and `xml.etree.ElementTree` use insufficient entropy for Expat hash-flooding protection, which allows a crafted XML document to trigger hash flooding.
Fully mitigating this vulnerability requires both updating libexpat to 2.8.0 or later and applying this patch.

Analysis: Exploitable
Description: http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes " for the JavaScript string context. It does not neutralize the HTML parser-sensitive sequence </script> inside the generated script element. The mitigation base64-encodes the cookie value so that the cookie value cannot be used to escape the script element.

Analysis: Exploitable
Description: The webbrowser.open() API would accept leading dashes in the URL, which could be handled as command line options by certain web browsers. The new behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing them to webbrowser.open().

Analysis: Exploitable
Description: The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output().

Analysis: Exploitable
Description: When loading a plist file, the plistlib module reads data in the size specified by the file itself, meaning a malicious file can cause OOM and DoS issues.

Analysis: Exploitable
Description: The "tarfile" module would still apply normalization of AREGTYPE (\x00) blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPE_LONGNAME or GNUTYPE_LONGLINK. This could result in a crafted tar archive being interpreted differently by the tarfile module than by other implementations.

Analysis: Exploitable
Description: When passing data to the b64decode(), standard_b64decode(), and urlsafe_b64decode() functions in the "base64" module, the characters "+/" will always be accepted, regardless of the value of the "altchars" parameter, which is typically used to establish an "alternative base64 alphabet" such as the URL-safe alphabet. This behavior matches what is recommended in earlier base64 RFCs, but newer RFCs now recommend either dropping characters outside the specified base64 alphabet or raising an error. The old behavior has the possibility of causing data integrity issues.
This behavior can only be insecure if your application uses an alternate base64 alphabet (without "+/"). If your application does not use the "altchars" parameter or the urlsafe_b64decode() function, then your application does not use an alternative base64 alphabet.
The attached patches do not make the base64-decode behavior raise an error, as this would be a change in behavior and break existing programs. Instead, the patches deprecate the behavior, which will be replaced with the newly recommended behavior in a future version of Python. Users are recommended to mitigate by verifying that user-controlled inputs match the base64 alphabet they expect, or by verifying that their application would not be affected if the b64decode() functions accepted "+" or "/" outside of altchars.

Analysis: Exploitable
Description: When building nested elements using xml.dom.minidom methods such as appendChild() that depend on _clear_id_cache(), the algorithm is quadratic. Availability can be impacted when building excessively nested documents.