Bug 47891 - python3.5: Multiple issues (4.3)
python3.5: Multiple issues (4.3)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 4.3
All Linux
: P3 normal (vote)
: UCS 4.3-2-errata
Assigned To: Quality Assurance
Philipp Hahn
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2018-10-01 14:29 CEST by Quality Assurance
Modified: 2018-10-04 14:27 CEST (History)
0 users

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Ticket number:
Bug group (optional):
Max CVSS v3 score: 8.1 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Quality Assurance univentionstaff 2018-10-01 14:29:09 CEST
New Debian python3.5 3.5.3-1+deb9u1 fixes:
This update addresses the following issues:
* Integer overflow in PyString_DecodeEscape results in heap-base buffer  overflow (CVE-2017-1000158)
* DOS via regular expression catastrophic backtracking in apop() method in  pop3lib (CVE-2018-1060)
* DOS via regular expression backtracking in difflib.IS_LINE_JUNK method in  difflib (CVE-2018-1061)
* Missing salt initialization in _elementtree.c module (CVE-2018-14647)
Comment 1 Quality Assurance univentionstaff 2018-10-01 15:16:57 CEST
--- mirror/ftp/4.3/unmaintained/4.3-0/source/python3.5_3.5.3-1.dsc
+++ apt/ucs_4.3-0-errata4.3-2/source/python3.5_3.5.3-1+deb9u1.dsc
@@ -1,3 +1,7 @@
+3.5.3-1+deb9u1 [Thu, 27 Sep 2018 19:25:39 +0200] Moritz Mühlenhoff <jmm@debian.org>:
+
+  * CVE-2017-1000158 CVE-2018-1060 CVE-2018-1061 CVE-2018-14647
+
 3.5.3-1 [Thu, 19 Jan 2017 15:11:04 +0100] Matthias Klose <doko@debian.org>:
 
   * Python 3.5.3 release.

<http://10.200.17.11/4.3-2/#6646714487349628080>
Comment 2 Philipp Hahn univentionstaff 2018-10-01 15:37:43 CEST
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[4.3-2] b7b1d552b2 Bug #47891: python3.5 3.5.3-1+deb9u1
 doc/errata/staging/{python2.7.yaml => python3.5.yaml} | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

[4.3-2] d8526e6d2a Bug #47890: python2.7 2.7.13-2+deb9u3
 doc/errata/staging/python2.7.yaml | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
Comment 3 Arvid Requate univentionstaff 2018-10-04 14:27:51 CEST
<http://errata.software-univention.de/ucs/4.3/259.html>