QID 671062

Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing.
Python supports interfaces to many system calls and libraries, as well as to various windowing systems.
security fix(es): library/glob.html in the python 2 and 3 documentation before 2016 has potentially misleading information about whether sorting occurs, as demonstrated by irreproducible cancer-research results.
Note: the effects of this documentation cross application domains, and thus it is likely that security-relevant code elsewhere is affected.
This issue is not a python implementation bug, and there are no reports that nmr researchers were specifically relying on library/glob.html.
In other words, because the older documentation stated "finds all the pathnames matching a specified pattern according to the rules used by the unix shell," one might have incorrectly inferred that the sorting that occurs in a unix shell also occurred for glob.glob.
There is a workaround in newer versions of willoughby nmr-data_compilation-p2.py and nmr-data_compilation-p3.py, which call sort() directly.(cve-2019-17514) the documentation xml-rpc server in python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has xss via the server_title field.
This occurs in lib/docxmlrpcserver.py in python 2.x, and in lib/xmlrpc/server.py in python 3.x.
If set_server_title is called with untrusted input, arbitrary javascript can be delivered to clients that visit the http url for this server.(cve-2019-16935) an issue was discovered in urllib2 in python 2.x through 2.7.16 and urllib in python 3.x through 3.7.3.

Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

An arbitrary attacker may exploit this vulnerability to compromise the system.