This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in Python's Developer Guide.

Issues grouped by priority (status flags shown in brackets)

Priority: release blocker
    Upgrade to zlib v1.2.12 in CPython binary releases [has PR]

Priority: deferred blocker
    [security] http.server: Open Redirection if the URL path starts with // [has patch] [has PR]

Priority: critical
    shutil copy* unsafe on POSIX - they preserve setuid/setgid bits [has patch]
    XML vulnerabilities in Python [has patch] [has PR]

Priority: high
    socket: Buffer overrun while reading unterminated AF_UNIX addresses [has patch]
    Race conditions in shutil.copy, shutil.copy2 and shutil.copyfile
    tarfile: Traversal attack vulnerability [has patch] [has PR]
    The danger of PyType_FromSpec()
    Shell injection via TIX_LIBRARY when using tkinter.tix [has patch]
    urlparse of urllib returns wrong hostname [has patch] [has PR]

Priority: normal
    sysmodule.c: realpath() is unsafe [has patch]
    Security hole in wsgiref.headers.Headers [has patch] [has PR]
    Readline module loading in interactive mode
    sys.path[0] security issues [has patch]
    Calling getdents()/readdir64() repeatedly while closing descriptors provides unexpected behaviour.
    [CVE-2015-2104] Urlparse insufficient validation leads to open redirect
    Avoid entity expansion attacks in Element Tree [has patch]
    load_verify_locations(cadata) should load AUX ASN.1 to supported trusted certs
    Make SSL suppress_ragged_eofs default more secure [has patch] [has PR]
    Hostname validation is False by default in imaplib
    wsgiref HTTP Response Header Injection: CRLF Injection [has PR]
    Multiple vulnerabilities in BaseHTTPRequestHandler enable HTTP response splitting attacks [has patch]
    [Security] tarfile: Add absolute_path option to tarfile, disabled by default
    Race condition in shutil.copyfile(): source file replaced during copy [has PR]
    Potential DoS Attack when Parsing Email with Huge Number of MIME Parts
    Windows Installer fails with error 0x80091007 when trying to install debugging symbols
    xml.sax parser validation sometimes fails when obtaining DTDs from https sites
    Email Header Injection Protection Bypass
    pathlib.(Pure)WindowsPaths can compare equal but refer to different files
    Review usage of environment variables in the stdlib
    netrc module validates file mode only for /home/user/.netrc
    crypt function not hashing properly on Mac (uses a specific salt)
    subprocess.Popen on a Windows batch file always acts as if shell=True [has PR]
    urllib may leak sensitive HTTP headers to a third-party web site [has PR]
    subprocess: execution of batch-files (.cmd/.bat) is vulnerable in python for windows / insufficient escape [has PR]
    smtplib mixes RFC821 and RFC822 addresses
    LWPCookieJar.save() creates *.lwp file in 644 mode
    Get the test suite passing with clang Memory Sanitizer enabled [has PR]
    [security] directory traversal in tempfile prefix [has patch] [has PR]
    tar symlink
    urlparse library detecting wrong hostname leads to open redirect vulnerability
    Documentation should warn about code injection from current working directory
    [Security][Windows] webbrowser: WindowsDefault uses os.startfile() and so can be abused to run arbitrary commands [has PR]
    [Security] logging.config should not use eval()
    http.server: Document explicitly that symbolic links are followed
    socket.inet_aton parsing issue on some libc versions
    Early auditing broken
    Environment variable PYTHONUSERBASE is not set during customized Python Installation
    Many command execution functions are not raising auditing events [has PR]
    Clear audit hooks after destructors [has patch] [has PR]