SecurityTracker.com
Category:   Application (Generic)  >   Python
Vendors:   Python.org
(Oracle Issues Fix for Oracle Linux) Python Backtracking Errors Let Remote Authenticated Users Cause the Target System to Crash
SecurityTracker Alert ID:  1042077
SecurityTracker URL:  http://securitytracker.com/id/1042077
CVE Reference:   CVE-2018-1060, CVE-2018-1061
Date:  Nov 12 2018
Impact:   Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   Two vulnerabilities were reported in Python. A remote authenticated user can cause the target system to crash.

A remote authenticated user can trigger a denial of service condition via backtracking in 'difflib.IS_LINE_JUNK' method in difflib [CVE-2018-1061].

A remote authenticated user can trigger a denial of service condition via backtracking in 'apop()' method in pop3lib [CVE-2018-1060].

Impact:   A remote authenticated user can cause the target system to crash.
Solution:   Oracle has issued a fix.

The Oracle Linux advisory is available at:

http://linux.oracle.com/errata/ELSA-2018-3041.html

Vendor URL:  linux.oracle.com/errata/ELSA-2018-3041.html
Cause:   Access control error
Underlying OS:  Linux (Oracle)
Underlying OS Comments:  7

Message History:   This archive entry is a follow-up to the message listed below.
Oct 30 2018 Python Backtracking Errors Let Remote Authenticated Users Cause the Target System to Crash



 Source Message Contents

Subject:  [El-errata] ELSA-2018-3041 Moderate: Oracle Linux 7 python security and bug fix update

Oracle Linux Security Advisory ELSA-2018-3041

http://linux.oracle.com/errata/ELSA-2018-3041.html

The following updated rpms for Oracle Linux 7 have been uploaded to the 
Unbreakable Linux Network:

x86_64:
python-2.7.5-76.0.1.el7.x86_64.rpm
python-debug-2.7.5-76.0.1.el7.x86_64.rpm
python-devel-2.7.5-76.0.1.el7.x86_64.rpm
python-libs-2.7.5-76.0.1.el7.i686.rpm
python-libs-2.7.5-76.0.1.el7.x86_64.rpm
python-test-2.7.5-76.0.1.el7.x86_64.rpm
python-tools-2.7.5-76.0.1.el7.x86_64.rpm
tkinter-2.7.5-76.0.1.el7.x86_64.rpm


SRPMS:
http://oss.oracle.com/ol7/SRPMS-updates/python-2.7.5-76.0.1.el7.src.rpm



Description of changes:

[2.7.5-76.0.1]
- Add Oracle Linux distribution in platform.py [orabug 20812544]

[2.7.5-76]
- Remove an unversioned obsoletes tag
Resolves: rhbz#1627059

[2.7.5-75]
- Provide the /usr/libexec/platform-python symlink to the main binary
Resolves: rhbz#1599159

[2.7.5-74]
- Fix OSERROR 17 due to _multiprocessing/semaphore.c assuming
   a one-to-one Pid -> process mapping
Resolves: rhbz#1579432

[2.7.5-73]
- Remove 3DS cipher to mitigate CVE-2016-2183 (sweet32).
Resolves: rhbz#1581901

[2.7.5-72]
- Fix CVE-2018-1060 and CVE-2018-1061
Resolves: rhbz#1563454 and rhbz#1549192
- Provide python2-libs from the python-libs subpackage
Resolves: rhbz#1557460

[2.7.5-71]
- Limit the number of CPU cores when building the package on power 
architectures
Resolves: rhbz#1568974

[2.7.5-70]
- Do not send IP addresses in SNI TLS extension
Resolves: rhbz#1555314


_______________________________________________
El-errata mailing list
El-errata@oss.oracle.com
https://oss.oracle.com/mailman/listinfo/el-errata
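
A host-side check for the fix described in this advisory, added here as an example and not part of the SecurityTracker entry or Oracle's message: it reads `rpm -qa`-style lines and reports advisory packages older than 2.7.5-76.0.1.el7. The sample lines are constructed, and `vercmp` is a simplified version comparison (assumptions: no epoch, `~` or `^` handling).

```python
import re

FIXED_EVR = "2.7.5-76.0.1.el7"   # build listed in ELSA-2018-3041
ADVISORY_PKGS = {"python", "python-debug", "python-devel", "python-libs",
                 "python-test", "python-tools", "tkinter"}
# Assumed input format: name-version-release.arch, as printed by `rpm -qa`.
NVRA = re.compile(r"^(?P<name>.+)-(?P<ver>[^-]+)-(?P<rel>[^-]+)\.(?P<arch>[^.]+)$")

def vercmp(a, b):
    """Simplified rpm-style comparison: returns -1, 0 or 1."""
    # Compare maximal runs of digits or letters; separators are ignored.
    sa = re.findall(r"\d+|[A-Za-z]+", a)
    sb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # numeric segment beats alphabetic
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with more segments is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def evr_cmp(a, b):
    """Compare 'version-release' strings: version first, then release."""
    (va, ra), (vb, rb) = a.split("-", 1), b.split("-", 1)
    return vercmp(va, vb) or vercmp(ra, rb)

def unpatched(rpm_qa_lines):
    """Return advisory packages whose version-release is older than FIXED_EVR."""
    stale = []
    for line in rpm_qa_lines:
        m = NVRA.match(line.strip())
        if m and m["name"] in ADVISORY_PKGS:
            if evr_cmp(m["ver"] + "-" + m["rel"], FIXED_EVR) < 0:
                stale.append(line.strip())
    return stale

# Constructed sample inventory (not taken from a real host).
SAMPLE = [
    "python-2.7.5-69.0.1.el7_5.x86_64",
    "python-libs-2.7.5-76.0.1.el7.x86_64",
    "python-devel-2.7.5-68.el7.x86_64",
    "tkinter-2.7.5-80.0.1.el7.x86_64",
    "python-urllib3-1.10.2-5.el7.noarch",   # not one of the advisory packages
]

if __name__ == "__main__":
    for pkg in unpatched(SAMPLE):
        print("needs update:", pkg)
```

On a real Oracle Linux 7 host, feed the output of `rpm -qa` to `unpatched()` one line per list element.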
 
 



Copyright 2019, SecurityGlobal.net LLC