PublicDateAtUSN: 2018-06-19
Candidate: CVE-2018-1061
PublicDate: 2018-06-19 12:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1061
 https://ubuntu.com/security/notices/USN-3817-1
 https://ubuntu.com/security/notices/USN-3817-2
Description:
 python before versions 2.7.15, 3.4.9, 3.5.6rc1, 3.6.5rc1 and 3.7.0 is
 vulnerable to catastrophic backtracking in the difflib.IS_LINE_JUNK method.
 An attacker could use this flaw to cause denial of service.
Ubuntu-Description:
Notes:
 mdeslaur> same commits as CVE-2018-1060
Bugs:
 https://bugs.python.org/issue32981
Priority: low
Discovered-by:
Assigned-to: mdeslaur
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H [7.5 HIGH]

Patches_python2.7:
 upstream: https://github.com/python/cpython/commit/e052d40cea15f582b50947f7d906b39744dc62a2
upstream_python2.7: needs-triage
precise/esm_python2.7: released (2.7.3-0ubuntu3.11)
trusty_python2.7: released (2.7.6-8ubuntu0.5)
trusty/esm_python2.7: released (2.7.6-8ubuntu0.5)
xenial_python2.7: released (2.7.12-1ubuntu0~16.04.4)
esm-infra/xenial_python2.7: released (2.7.12-1ubuntu0~16.04.4)
artful_python2.7: ignored (reached end-of-life)
bionic_python2.7: not-affected (2.7.15~rc1-1)
cosmic_python2.7: not-affected (2.7.15-4ubuntu1)
disco_python2.7: not-affected (2.7.15-4ubuntu1)
eoan_python2.7: not-affected (2.7.15-4ubuntu1)
focal_python2.7: not-affected (2.7.15-4ubuntu1)
groovy_python2.7: not-affected (2.7.15-4ubuntu1)
hirsute_python2.7: not-affected (2.7.15-4ubuntu1)
impish_python2.7: not-affected (2.7.15-4ubuntu1)
jammy_python2.7: not-affected (2.7.15-4ubuntu1)
devel_python2.7: not-affected (2.7.15-4ubuntu1)

Patches_python3.4:
 upstream: https://github.com/python/cpython/commit/942cc04ae44825ea120e3a19a80c9b348b8194d0
upstream_python3.4: needs-triage
precise/esm_python3.4: DNE
trusty_python3.4: released (3.4.3-1ubuntu1~14.04.7)
trusty/esm_python3.4: released (3.4.3-1ubuntu1~14.04.7)
xenial_python3.4: DNE
artful_python3.4: DNE
bionic_python3.4: DNE
cosmic_python3.4: DNE
disco_python3.4: DNE
eoan_python3.4: DNE
focal_python3.4: DNE
groovy_python3.4: DNE
hirsute_python3.4: DNE
impish_python3.4: DNE
jammy_python3.4: DNE
devel_python3.4: DNE

Patches_python3.5:
 upstream: https://github.com/python/cpython/commit/937ac1fe069a4dc8471dff205f553d82e724015b
upstream_python3.5: needs-triage
precise/esm_python3.5: DNE
trusty_python3.5: ignored (out of standard support)
trusty/esm_python3.5: needed
xenial_python3.5: released (3.5.2-2ubuntu0~16.04.5)
esm-infra/xenial_python3.5: released (3.5.2-2ubuntu0~16.04.5)
artful_python3.5: DNE
bionic_python3.5: DNE
cosmic_python3.5: DNE
disco_python3.5: DNE
eoan_python3.5: DNE
focal_python3.5: DNE
groovy_python3.5: DNE
hirsute_python3.5: DNE
impish_python3.5: DNE
jammy_python3.5: DNE
devel_python3.5: DNE

Patches_python3.6:
 upstream: https://github.com/python/cpython/commit/c9516754067d71fd7429a25ccfcb2141fc583523
upstream_python3.6: needs-triage
precise/esm_python3.6: DNE
trusty_python3.6: DNE
trusty/esm_python3.6: DNE
xenial_python3.6: DNE
artful_python3.6: ignored (reached end-of-life)
bionic_python3.6: not-affected (3.6.6-1~18.04)
cosmic_python3.6: not-affected (3.6.6-4)
disco_python3.6: DNE
eoan_python3.6: DNE
focal_python3.6: DNE
groovy_python3.6: DNE
hirsute_python3.6: DNE
impish_python3.6: DNE
jammy_python3.6: DNE
devel_python3.6: DNE

Patches_python3.7:
 upstream: https://github.com/python/cpython/commit/0902a2d6b2d1d9dbde36aeaaccf1788ceaa97143
upstream_python3.7: needs-triage
precise/esm_python3.7: DNE
trusty_python3.7: DNE
trusty/esm_python3.7: DNE
xenial_python3.7: DNE
artful_python3.7: ignored (reached end-of-life)
bionic_python3.7: not-affected (3.7.0~b3-1)
cosmic_python3.7: not-affected (3.7.0-1)
disco_python3.7: not-affected (3.7.0-1)
eoan_python3.7: not-affected (3.7.0-1)
focal_python3.7: DNE
groovy_python3.7: DNE
hirsute_python3.7: DNE
impish_python3.7: DNE
jammy_python3.7: DNE
devel_python3.7: DNE