Home - News ( United States | United Kingdom | Italy | Germany ) - Football scores

Showing content from https://python-security.readthedocs.io/vuln/elementree-hash-salt.html below:

_elementree C accelerator doesn’t call XML_SetHashSalt() — Python Security 0.0 documentation

The pyexpat module calls XML_SetHashSalt() to initialize the salt for hash randomization of the XML_Parser struct.

The _elementree C accelerator doesn’t call XML_SetHashSalt().

Dates:

• Disclosure date: 2018-09-10 (Python issue bpo-34623 reported)

• Python 2.7.16 (2019-03-02) fixed by commit 18b20ba (branch 2.7) (2018-09-18)

• Python 3.4.10 (2019-03-18) fixed by commit d16eaf3 (branch 3.5) (2019-02-25)

• Python 3.5.7 (2019-03-18) fixed by commit 41b48e7 (branch 3.4) (2019-02-25)

• Python 3.6.7 (2018-10-20) fixed by commit f7666e8 (branch 3.6) (2018-09-18)

• Python 3.7.1 (2018-10-20) fixed by commit 470a435 (branch 3.7) (2018-09-18)

• Python 3.8.0 (2019-10-14) fixed by commit cb5778f (branch 3.8) (2018-09-18)

_elementtree.c doesn’t call XML_SetHashSalt().

• Python issue: bpo-34623

• Creation date: 2018-09-10

• Reporter: Christian Heimes

Python’s elementtree C accelerator failed to initialise Expat’s hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by constructing an XML document that would cause pathological hash collisions in Expat’s internal data structures, consuming large amounts CPU and RAM. The vulnerability exists in Python versions 3.7.0, 3.6.0 through 3.6.6, 3.5.0 through 3.5.6, 3.4.0 through 3.4.9, 2.7.0 through 2.7.15.

• CVE ID: CVE-2018-14647

• Published: 2018-09-25

• CVSS Score: 5.0

Timeline using the disclosure date 2018-09-10 as reference:

• 2018-09-10: Python issue bpo-34623 reported by Christian Heimes

• 2018-09-18 (+8 days): commit 18b20ba (branch 2.7)

• 2018-09-18 (+8 days): commit 470a435 (branch 3.7)

• 2018-09-18 (+8 days): commit cb5778f (branch 3.8)

• 2018-09-18 (+8 days): commit f7666e8 (branch 3.6)

• 2018-09-25 (+15 days): CVE-2018-14647 published

• 2018-10-20 (+40 days): Python 3.6.7 released

• 2018-10-20 (+40 days): Python 3.7.1 released

• 2019-02-25 (+168 days): commit 41b48e7 (branch 3.4)

• 2019-02-25 (+168 days): commit d16eaf3 (branch 3.5)

• 2019-03-02 (+173 days): Python 2.7.16 released

• 2019-03-18 (+189 days): Python 3.4.10 released

• 2019-03-18 (+189 days): Python 3.5.7 released

• 2019-10-14: Python 3.8.0 released

• https://bugzilla.redhat.com/show_bug.cgi?id=1632095

RetroSearch is an open source project built by @garambo | Open a GitHub Issue

Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo

HTML: 3.2 | Encoding: UTF-8 | Version: 0.7.4