Build: #2 failed Manual run by Akeem Wells

Build result summary

Details

Completed
Queue duration: 3 seconds
Duration: 13 minutes
Labels: None
Revisions:
Casa6: a24aff35f28f2061f31a1f8f669900acd7ea55d3
OPEN-CASA-PKG: 2de34a7b9798369717f899048130e9964cc12510
Total tests: 219

Responsible

No one has taken responsibility for this failure

Tests

New test failures 14
Status Test View job Duration
Failed certifi v_2023_5_7
Check For Known Vulnerabilities ManyLinux228 Python 3.10 < 1 sec
Certifi 2023.07.22 removes root certificates from e-Tugra from the root store. These are in the process of being removed from Mozilla's trust store. e-Tugra's root certificates are being removed pursuant to an investigation prompted by reporting of security issues in their systems.
Failed grpcio v_1_26_0
Check For Known Vulnerabilities ManyLinux2014 Python 3.8 < 1 sec
When the gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients, leading to an information leak that can be used for privilege escalation or data exfiltration. We recommend upgrading beyond the commit contained in https://github.com/grpc/grpc/pull/32309
Failed grpcio v_1_26_0
Check For Known Vulnerabilities ManyLinux228 Python 3.8 < 1 sec
When the gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients, leading to an information leak that can be used for privilege escalation or data exfiltration. We recommend upgrading beyond the commit contained in https://github.com/grpc/grpc/pull/32309
Failed ipython v_7_34_0
Check For Known Vulnerabilities ManyLinux2014 Python 3.8 < 1 sec
IPython provides an interactive Python shell and Jupyter kernel to use Python interactively. Versions prior to 8.10.0 are vulnerable to command injection in the set_term_title function (https://github.com/ipython/ipython/blob/3f0bf05f072a91b2a3042d23ce250e5e906183fd/IPython/utils/terminal.py#L103-L117) under specific conditions. This has been patched in version 8.10.0.
Failed ipython v_7_34_0
Check For Known Vulnerabilities ManyLinux228 Python 3.8 < 1 sec
IPython provides an interactive Python shell and Jupyter kernel to use Python interactively. Versions prior to 8.10.0 are vulnerable to command injection in the set_term_title function (https://github.com/ipython/ipython/blob/3f0bf05f072a91b2a3042d23ce250e5e906183fd/IPython/utils/terminal.py#L103-L117) under specific conditions. This has been patched in version 8.10.0.
Failed pillow v_9_5_0
Check For Known Vulnerabilities ManyLinux228 Python 3.10 < 1 sec
Pillow versions before v10.0.1 bundled libwebp binaries in wheels that are vulnerable to CVE-2023-5129 (previously CVE-2023-4863). Pillow v10.0.1 upgrades the bundled libwebp binary to v1.3.2.
Failed pip v_22_3_1
Check For Known Vulnerabilities ManyLinux2014 Python 3.8 < 1 sec
When installing a package from a Mercurial VCS URL (i.e. pip install hg+...) with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the hg clone call (i.e. --config). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.
Failed pip v_22_3_1
Check For Known Vulnerabilities ManyLinux228 Python 3.8 < 1 sec
When installing a package from a Mercurial VCS URL (i.e. pip install hg+...) with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the hg clone call (i.e. --config). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.
Failed pip v_22_3_1
Check For Known Vulnerabilities ManyLinux228 Python 3.10 < 1 sec
When installing a package from a Mercurial VCS URL (i.e. pip install hg+...) with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the hg clone call (i.e. --config). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.
Failed protobuf v_3_20_1
Check For Known Vulnerabilities ManyLinux2014 Python 3.8 < 1 sec
Summary: A message parsing and memory management vulnerability in ProtocolBuffer’s C++ and Python implementations can trigger an out of memory (OOM) failure when processing a specially crafted message, which could lead to a denial of service (DoS) on services using the libraries.
Reporter: ClusterFuzz (https://google.github.io/clusterfuzz/)
Affected versions: All versions of C++ Protobufs (including Python) prior to the versions listed below.
Failed protobuf v_3_20_1
Check For Known Vulnerabilities ManyLinux228 Python 3.8 < 1 sec
Summary: A message parsing and memory management vulnerability in ProtocolBuffer’s C++ and Python implementations can trigger an out of memory (OOM) failure when processing a specially crafted message, which could lead to a denial of service (DoS) on services using the libraries.
Reporter: ClusterFuzz (https://google.github.io/clusterfuzz/)
Affected versions: All versions of C++ Protobufs (including Python) prior to the versions listed below.
Failed urllib3 v_1_26_6
Check For Known Vulnerabilities ManyLinux2014 Python 3.8 < 1 sec
urllib3 is a user-friendly HTTP client library for Python. urllib3 doesn't treat the Cookie HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a Cookie header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. This issue has been patched in urllib3 version 1.26.17 or 2.0.5.
Failed urllib3 v_1_26_6
Check For Known Vulnerabilities ManyLinux228 Python 3.8 < 1 sec
urllib3 is a user-friendly HTTP client library for Python. urllib3 doesn't treat the Cookie HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a Cookie header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. This issue has been patched in urllib3 version 1.26.17 or 2.0.5.
Failed urllib3 v_1_26_6
Check For Known Vulnerabilities ManyLinux228 Python 3.10 < 1 sec
urllib3 is a user-friendly HTTP client library for Python. urllib3 doesn't treat the Cookie HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a Cookie header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. This issue has been patched in urllib3 version 1.26.17 or 2.0.5.