=====================================================================

                          CERT-Renater

                Note d'Information No. 2025/VULN065

_____________________________________________________________________

DATE                : 04/02/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running CPython. 

===================================================================== 
https://mail.python.org/archives/list/security-announce@python.org/thread/K4EUG6EKV6JYFIC24BASYOZS4M5XOQIB/
_____________________________________________________________________ 


[CVE-2025-0938] URL parser allowed square brackets in domain names

Seth Larson


There is a new MEDIUM severity vulnerability affecting CPython.

The Python standard library functions urllib.parse.urlsplit and
urlparse accepted domain names that included square brackets, which
isn't valid according to RFC 3986. Square brackets are only meant to
be used as delimiters for specifying IPv6 and IPvFuture hosts in URLs.
This could result in differential parsing across the Python URL parser
and other specification-compliant URL parsers.

Please see the linked CVE ID for the latest information on affected
versions:

    https://www.cve.org/CVERecord?id=CVE-2025-0938
    https://github.com/python/cpython/pull/129418
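
The check below is an added example, not part of the announcement or of the CPython fix: it accepts square brackets in a URL's authority only when they enclose the whole host as an IPv6 or IPvFuture literal, so the verdict does not depend on whether the running interpreter is patched. The name host_brackets_ok and the sample URLs are assumptions made for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# RFC 3986: IPvFuture = "v" 1*HEXDIG "." 1*( unreserved / sub-delims / ":" )
_IPVFUTURE = re.compile(r"v[0-9A-Fa-f]+\.[A-Za-z0-9._~!$&'()*+,;=:-]+")
# A bracketed literal must be the entire host, optionally followed by a port.
_BRACKETED = re.compile(r"\[([^\[\]]*)\](?::\d*)?")


def host_brackets_ok(url):
    """True if brackets in the authority only delimit an IPv6/IPvFuture host.

    Hypothetical helper: it does not rely on urlsplit() raising, so it can
    be used as a gate on interpreters that still accept the invalid hosts.
    """
    try:
        netloc = urlsplit(url).netloc
    except ValueError:
        return False  # the interpreter's own parser already refused the URL
    hostport = netloc.rpartition("@")[2]  # drop any userinfo
    if "[" not in hostport and "]" not in hostport:
        return True  # no brackets in the host: nothing for this check to decide
    m = _BRACKETED.fullmatch(hostport)
    if m is None:
        return False  # data before "[" or between "]" and the port
    literal = m.group(1)
    if _IPVFUTURE.fullmatch(literal):
        return True
    try:
        ipaddress.IPv6Address(literal)
    except ValueError:
        return False  # brackets around something that is not IPv6
    return True


# Constructed sample URLs (example.com and documentation address ranges only).
SAMPLES = [
    "https://example.com/path?a[]=1",         # brackets outside the authority
    "https://[2001:db8::1]:8443/",            # IPv6 literal with port
    "https://user@[v6a.ip]/",                 # IPvFuture literal
    "https://prefix.[v6a.ip]/",               # text before the bracket
    "https://[2001:db8::1].example.com/",     # text after the bracket
    "https://[192.0.2.1]/",                   # IPv4 in brackets
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(f"{'ok    ' if host_brackets_ok(u) else 'reject'} {u}")
```
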

 
=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
