Updated python packages fix security vulnerabilities
Publication date: 31 Dec 2018
Modification date: 31 Dec 2018
Type: security
Affected Mageia releases: 6
CVE: CVE-2017-18207 , CVE-2018-14647 , CVE-2018-1000802
Description
Possible denial of service due to a missing check in Lib/wave.py verifying that at least one channel is provided: a WAV file whose format header declares zero channels is not rejected (CVE-2017-18207).

Python's elementtree C accelerator failed to initialise Expat's hash salt. This made it easy to conduct denial of service attacks against Expat by constructing an XML document that causes pathological hash collisions in Expat's internal data structures, consuming large amounts of CPU and RAM (CVE-2018-14647).

It was discovered that the shutil module of Python does not properly sanitize input when creating a zip file on Windows. An attacker could use this flaw to cause a denial of service or add unintended files to the generated archive (CVE-2018-1000802).
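The wave.py issue above (CVE-2017-18207) is easiest to see with a crafted file. The following is an added example, not code from the advisory or from CPython: it builds a minimal PCM WAV byte string in memory (constructed test data), parses its format chunk once without and once with the channel-count check the advisory describes, and probes the running interpreter's own wave module to tell a patched interpreter (clean wave.Error) from an unpatched one (uncaught ZeroDivisionError). The function names (build_wav, parse_fmt_naive, parse_fmt_checked, probe_stdlib_wave) are this example's own.

```python
"""Added example for CVE-2017-18207 (not from the advisory or CPython).

A WAV 'fmt ' chunk carries the channel count. A file declaring zero
channels gives a frame size of 0; a reader that divides the data chunk
size by the frame size without checking it first dies with
ZeroDivisionError, which is the denial of service the advisory describes.
"""
import io
import struct
import wave


def build_wav(nchannels, sampwidth=2, framerate=8000, nframes=4):
    """Build a minimal PCM RIFF/WAVE byte string (constructed test data)."""
    framesize = nchannels * sampwidth
    data = b"\x00" * (nframes * framesize)
    fmt = struct.pack("<HHLLHH",
                      1,                      # wFormatTag = PCM
                      nchannels,
                      framerate,
                      framerate * framesize,  # dwAvgBytesPerSec
                      framesize,              # wBlockAlign
                      sampwidth * 8)          # wBitsPerSample
    body = (b"WAVE"
            + b"fmt " + struct.pack("<L", len(fmt)) + fmt
            + b"data" + struct.pack("<L", len(data)) + data)
    return b"RIFF" + struct.pack("<L", len(body)) + body


def _fmt_chunk(wav):
    """Return the 'fmt ' chunk payload and the declared size of the 'data' chunk."""
    if wav[:4] != b"RIFF" or wav[8:12] != b"WAVE":
        raise ValueError("not a RIFF/WAVE file")
    pos, fmt, datasize = 12, None, None
    while pos + 8 <= len(wav):
        cid = wav[pos:pos + 4]
        size = struct.unpack_from("<L", wav, pos + 4)[0]
        if cid == b"fmt ":
            fmt = wav[pos + 8:pos + 8 + size]
        elif cid == b"data":
            datasize = size
        pos += 8 + size + (size & 1)        # chunks are word aligned
    if fmt is None or datasize is None:
        raise ValueError("missing fmt or data chunk")
    return fmt, datasize


def parse_fmt_naive(wav):
    """Pre-fix behaviour: trust nchannels and divide by the frame size."""
    fmt, datasize = _fmt_chunk(wav)
    _tag, nchannels, _rate, _avg, _align, bits = struct.unpack_from("<HHLLHH", fmt)
    sampwidth = (bits + 7) // 8
    framesize = nchannels * sampwidth
    return datasize // framesize            # ZeroDivisionError when nchannels == 0


def parse_fmt_checked(wav):
    """Same computation with the check the advisory says was missing."""
    fmt, datasize = _fmt_chunk(wav)
    tag, nchannels, _rate, _avg, _align, bits = struct.unpack_from("<HHLLHH", fmt)
    if tag != 1:
        raise ValueError("unsupported format tag %d" % tag)
    sampwidth = (bits + 7) // 8
    if not sampwidth:
        raise ValueError("bad sample width")
    if not nchannels:
        raise ValueError("bad # of channels")   # rejects the crafted file cleanly
    return datasize // (nchannels * sampwidth)


def probe_stdlib_wave(wav):
    """Classify how this interpreter's wave module handles the given bytes."""
    try:
        with wave.open(io.BytesIO(wav)) as w:
            w.getnframes()
    except ZeroDivisionError:
        return "unpatched"      # division by zero escapes the parser
    except wave.Error:
        return "patched"        # clean rejection
    return "accepted"


if __name__ == "__main__":
    print("valid file, stdlib wave:", probe_stdlib_wave(build_wav(1)))
    print("zero-channel file, stdlib wave:", probe_stdlib_wave(build_wav(0)))
```

Running the block on a fixed interpreter prints "accepted" for the valid file and "patched" for the zero-channel one; on a python-2.7 build without this update the second line reads "unpatched", which is a quick way to confirm the package in the SRPMS list below actually landed.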
References
- https://bugs.mageia.org/show_bug.cgi?id=23061
- https://lists.opensuse.org/opensuse-updates/2018-04/msg00041.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/O4ERR26C7JCSELMELHCVZ5TZXFKHBJ72/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/HFL5UURGWQ53IKGPTD7B4MKMSMUZPTGU/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18207
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14647
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000802
SRPMS
6/core
- python-2.7.15-1.1.mga6