Update OSV records from CVE

Author: sethmlarson

advisories/python/PSF-0000-CVE-2026-3644.json

@@ -0,0 +1,63 @@
+{
+  "schema_version": "1.5.0",
+  "id": "PSF-0000-CVE-2026-3644",
+  "aliases": [
+    "CVE-2026-3644"
+  ],
+  "published": "2026-03-16T17:37:31.344Z",
+  "modified": "2026-03-16T18:25:55.021Z",
+  "details": "The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output().",
+  "affected": [
+    {
+      "ranges": [
+        {
+          "type": "GIT",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "57e88c1cf95e1481b94ae57abe1010469d47a6b4"
+            },
+            {
+              "fixed": "62ceb396fcbe69da1ded3702de586f4072b590dd"
+            },
+            {
+              "fixed": "d16ecc6c3626f0e2cc8f08c309c83934e8a979dd"
+            }
+          ],
+          "repo": "https://github.com/python/cpython"
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/H6CADMBCDRFGWCMOXWUIHFJNV43GABJ7/"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/python/cpython/commit/57e88c1cf95e1481b94ae57abe1010469d47a6b4"
+    },
+    {
+      "type": "REPORT",
+      "url": "https://github.com/python/cpython/issues/145599"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/python/cpython/pull/145600"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/python/cpython/commit/62ceb396fcbe69da1ded3702de586f4072b590dd"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/python/cpython/commit/d16ecc6c3626f0e2cc8f08c309c83934e8a979dd"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": []
+  }
+}

advisories/python/PSF-0000-CVE-2026-4224.json

@@ -0,0 +1,63 @@
+{
+  "schema_version": "1.5.0",
+  "id": "PSF-0000-CVE-2026-4224",
+  "aliases": [
+    "CVE-2026-4224"
+  ],
+  "published": "2026-03-16T17:52:26.639Z",
+  "modified": "2026-03-16T18:21:11.567Z",
+  "details": "When an Expat parser with a registered ElementDeclHandler parses an inline\ndocument type definition containing a deeply nested content model a C stack\noverflow occurs.",
+  "affected": [
+    {
+      "ranges": [
+        {
+          "type": "GIT",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "eb0e8be3a7e11b87d198a2c3af1ed0eccf532768"
+            },
+            {
+              "fixed": "196edfb06a7458377d4d0f4b3cd41724c1f3bd4a"
+            },
+            {
+              "fixed": "e0a8a6da90597a924b300debe045cdb4628ee1f3"
+            }
+          ],
+          "repo": "https://github.com/python/cpython"
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "FIX",
+      "url": "https://github.com/python/cpython/commit/eb0e8be3a7e11b87d198a2c3af1ed0eccf532768"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/5M7CGUW3XBRY7II4DK43KF7NQQ3TPZ6R/"
+    },
+    {
+      "type": "REPORT",
+      "url": "https://github.com/python/cpython/issues/145986"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/python/cpython/pull/145987"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/python/cpython/commit/196edfb06a7458377d4d0f4b3cd41724c1f3bd4a"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/python/cpython/commit/e0a8a6da90597a924b300debe045cdb4628ee1f3"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": []
+  }
+}