Home - News ( United States | United Kingdom | Italy | Germany ) - Football scores

Showing content from https://python-security.readthedocs.io/vuln/difflib-poplib-backtracking.html below:

difflib and poplib catastrophic backtracking — Python Security 0.0 documentation

Regexes in difflib and poplib were vulnerable to catastrophic backtracking. These regexes formed potential DOS vectors (REDOS). They have been refactored.

This resolves CVE-2018-1060 and CVE-2018-1061.

Patch by Jamie Davis.

Dates:

• Disclosure date: 2018-03-02 (Python issue bpo-32981 reported)

• Python 2.7.15 (2018-04-29) fixed by commit e052d40 (branch 2.7) (2018-03-04)

• Python 3.4.9 (2018-08-02) fixed by commit 942cc04 (branch 3.4) (2018-03-11)

• Python 3.5.6 (2018-08-02) fixed by commit 937ac1f (branch 3.5) (2018-03-11)

• Python 3.6.5 (2018-03-28) fixed by commit c951675 (branch 3.6) (2018-03-04)

• Python 3.7.0 (2018-06-27) fixed by commit 0902a2d (branch 3.7) (2018-03-04)

Catastrophic backtracking in poplib (CVE-2018-1060) and difflib (CVE-2018-1061).

• Python issue: bpo-32981

• Creation date: 2018-03-02

• Reporter: James Davis

python before versions 2.7.15, 3.4.9, 3.5.6rc1, 3.6.5rc1 and 3.7.0 is vulnerable to catastrophic backtracking in pop3lib’s apop() method. An attacker could use this flaw to cause denial of service.

• CVE ID: CVE-2018-1060

• Published: 2018-06-18

• CVSS Score: 5.0

python before versions 2.7.15, 3.4.9, 3.5.6rc1, 3.6.5rc1 and 3.7.0 is vulnerable to catastrophic backtracking in the difflib.IS_LINE_JUNK method. An attacker could use this flaw to cause denial of service.

• CVE ID: CVE-2018-1061

• Published: 2018-06-19

• CVSS Score: 5.0

Timeline using the disclosure date 2018-03-02 as reference:

• 2018-03-02: Python issue bpo-32981 reported by James Davis

• 2018-03-04 (+2 days): commit 0902a2d (branch 3.7)

• 2018-03-04 (+2 days): commit c951675 (branch 3.6)

• 2018-03-04 (+2 days): commit e052d40 (branch 2.7)

• 2018-03-11 (+9 days): commit 937ac1f (branch 3.5)

• 2018-03-11 (+9 days): commit 942cc04 (branch 3.4)

• 2018-03-28 (+26 days): Python 3.6.5 released

• 2018-04-29 (+58 days): Python 2.7.15 released

• 2018-06-18 (+108 days): CVE-2018-1060 published

• 2018-06-19 (+109 days): CVE-2018-1061 published

• 2018-06-27: Python 3.7.0 released

• 2018-08-02 (+153 days): Python 3.4.9 released

• 2018-08-02 (+153 days): Python 3.5.6 released

• https://nvd.nist.gov/vuln/detail/CVE-2018-1060/

• https://nvd.nist.gov/vuln/detail/CVE-2018-1061/

RetroSearch is an open source project built by @garambo | Open a GitHub Issue

Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo

HTML: 3.2 | Encoding: UTF-8 | Version: 0.7.4