Bug 47890 - python2.7: Multiple issues (4.3)
python2.7: Multiple issues (4.3)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 4.3
All Linux
: P3 normal (vote)
: UCS 4.3-2-errata
Assigned To: Quality Assurance
Philipp Hahn
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2018-10-01 14:29 CEST by Quality Assurance
Modified: 2018-10-04 14:27 CEST (History)
0 users

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Ticket number:
Bug group (optional):
Max CVSS v3 score: 6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Quality Assurance univentionstaff 2018-10-01 14:29:07 CEST
New Debian python2.7 2.7.13-2+deb9u3 fixes:
This update addresses the following issues:
* DOS via regular expression catastrophic backtracking in apop() method in  pop3lib (CVE-2018-1060)
* DOS via regular expression backtracking in difflib.IS_LINE_JUNK method in  difflib (CVE-2018-1061)
* Missing salt initialization in _elementtree.c module (CVE-2018-14647)
* Command injection in the shutil module (CVE-2018-1000802)
Comment 1 Quality Assurance univentionstaff 2018-10-01 15:16:52 CEST
--- mirror/ftp/4.3/unmaintained/4.3-0/source/python2.7_2.7.13-2+deb9u2.dsc
+++ apt/ucs_4.3-0-errata4.3-2/source/python2.7_2.7.13-2+deb9u3.dsc
@@ -1,3 +1,7 @@
+2.7.13-2+deb9u3 [Wed, 26 Sep 2018 20:42:22 +0200] Moritz Mühlenhoff <jmm@debian.org>:
+
+  * CVE-2018-1000802, CVE-2018-1060, CVE-2018-1061, CVE-2018-14647
+
 2.7.13-2+deb9u2 [Fri, 24 Nov 2017 18:33:09 +0100] Moritz Mühlenhoff <jmm@debian.org>:
 
   * Backport c3c9db89273fabc62ea1b48389d9a3000c1c03ae to address

<http://10.200.17.11/4.3-2/#6102485430680181147>
Comment 2 Philipp Hahn univentionstaff 2018-10-01 15:38:12 CEST
OK: yaml
OK: announce_errata
OK: patch
FAIL: piuparts

[4.3-2] d8526e6d2a Bug #47890: python2.7 2.7.13-2+deb9u3
 doc/errata/staging/python2.7.yaml | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
Comment 3 Philipp Hahn univentionstaff 2018-10-01 15:45:12 CEST
(In reply to Philipp Hahn from comment #2)
> FAIL: piuparts

This is a bug in the python2.7 package, which removes files from *lib*python2.7*-minimal*:
> 0m17.2s ERROR: FAIL: After purging files have disappeared:
>   /usr/lib/python2.7/lib-dynload/	 owned by: libpython2.7-minimal:amd64

This failure can be ignored.
Comment 4 Arvid Requate univentionstaff 2018-10-04 14:27:50 CEST
<http://errata.software-univention.de/ucs/4.3/258.html>