Bug 47890 - python2.7: Multiple issues (4.3)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 4.3
All Linux
Importance: P3 normal
Target Milestone: UCS 4.3-2-errata
Assigned To: Quality Assurance
Philipp Hahn
Depends on:
Blocks:
Reported: 2018-10-01 14:29 CEST by Quality Assurance
Modified: 2018-10-04 14:27 CEST (History)

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score: 6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)


Description Quality Assurance univentionstaff 2018-10-01 14:29:07 CEST
New Debian python2.7 2.7.13-2+deb9u3 fixes:
This update addresses the following issues:
* DoS via regular expression catastrophic backtracking in the apop() method in poplib (CVE-2018-1060)
* DoS via regular expression backtracking in the difflib.IS_LINE_JUNK method in difflib (CVE-2018-1061)
* Missing salt initialization in the _elementtree.c module (CVE-2018-14647)
* Command injection in the shutil module (CVE-2018-1000802)
Comment 1 Quality Assurance univentionstaff 2018-10-01 15:16:52 CEST
--- mirror/ftp/4.3/unmaintained/4.3-0/source/python2.7_2.7.13-2+deb9u2.dsc
+++ apt/ucs_4.3-0-errata4.3-2/source/python2.7_2.7.13-2+deb9u3.dsc
@@ -1,3 +1,7 @@
+2.7.13-2+deb9u3 [Wed, 26 Sep 2018 20:42:22 +0200] Moritz Mühlenhoff <jmm@debian.org>:
+
+  * CVE-2018-1000802, CVE-2018-1060, CVE-2018-1061, CVE-2018-14647
+
 2.7.13-2+deb9u2 [Fri, 24 Nov 2017 18:33:09 +0100] Moritz Mühlenhoff <jmm@debian.org>:
 
   * Backport c3c9db89273fabc62ea1b48389d9a3000c1c03ae to address
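Review bot: the new changelog entry at the top of this hunk lists only the four CVE identifiers and gives no hint of what each fix changes, whereas the preceding deb9u2 entry names the backported upstream commit; one line per CVE naming the affected module (poplib, difflib, _elementtree, shutil, as the bug description already does) would make the changelog usable without looking up every id.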

<http://10.200.17.11/4.3-2/#6102485430680181147>
Comment 2 Philipp Hahn univentionstaff 2018-10-01 15:38:12 CEST
OK: yaml
OK: announce_errata
OK: patch
FAIL: piuparts

[4.3-2] d8526e6d2a Bug #47890: python2.7 2.7.13-2+deb9u3
 doc/errata/staging/python2.7.yaml | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
Comment 3 Philipp Hahn univentionstaff 2018-10-01 15:45:12 CEST
(In reply to Philipp Hahn from comment #2)
> FAIL: piuparts

This is a bug in the python2.7 package, which removes files from *lib*python2.7*-minimal*:
> 0m17.2s ERROR: FAIL: After purging files have disappeared:
>   /usr/lib/python2.7/lib-dynload/	 owned by: libpython2.7-minimal:amd64

This failure can be ignored.
Comment 4 Arvid Requate univentionstaff 2018-10-04 14:27:50 CEST
<http://errata.software-univention.de/ucs/4.3/258.html>