CVE-2018-1061

CVE-2018-1061

Name

CVE-2018-1061

Description

python before versions 2.7.15, 3.4.9, 3.5.6rc1, 3.6.5rc1 and 3.7.0 is vulnerable to catastrophic backtracking in the difflib.IS_LINE_JUNK method. An attacker could use this flaw to cause denial of service.

NVD Severity

medium

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
Issue Tracking	https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1061
Vendor Advisory	https://bugs.python.org/issue32981
Vendor Advisory	https://docs.python.org/3.6/whatsnew/changelog.html#python-3-6-5-release-candidate-1
Vendor Advisory	https://docs.python.org/3.5/whatsnew/changelog.html#python-3-5-6-release-candidate-1
Mailing List	https://lists.debian.org/debian-lts-announce/2018/09/msg00031.html
Mailing List	https://lists.debian.org/debian-lts-announce/2018/09/msg00030.html
Third Party Advisory	https://www.debian.org/security/2018/dsa-4306
Third Party Advisory	https://www.debian.org/security/2018/dsa-4307
Third Party Advisory	https://access.redhat.com/errata/RHSA-2018:3041
Third Party Advisory	https://access.redhat.com/errata/RHSA-2018:3505
Third Party Advisory	https://usn.ubuntu.com/3817-1/
Third Party Advisory	http://www.securitytracker.com/id/1042001
Third Party Advisory	https://usn.ubuntu.com/3817-2/
Mailing List	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JSKPGPZQNTAULHW4UH63KGOOUIDE4RRB/
Mailing List	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AEZ5IQT7OF7Q2NCGIVABOWYGKO7YU3NJ/
Mailing List	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/46PVWY5LFP4BRPG3BVQ5QEEFYBVEXHCK/
Third Party Advisory	https://access.redhat.com/errata/RHBA-2019:0327
REDHAT	https://access.redhat.com/errata/RHSA-2019:1260
CONFIRM	https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbst03951en_us
REDHAT	https://access.redhat.com/errata/RHSA-2019:3725
SUSE	http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html

Type

URI

Issue Tracking

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1061

Vendor Advisory

https://bugs.python.org/issue32981

Vendor Advisory

https://docs.python.org/3.6/whatsnew/changelog.html#python-3-6-5-release-candidate-1

Vendor Advisory

https://docs.python.org/3.5/whatsnew/changelog.html#python-3-5-6-release-candidate-1

Mailing List

https://lists.debian.org/debian-lts-announce/2018/09/msg00031.html

Mailing List

https://lists.debian.org/debian-lts-announce/2018/09/msg00030.html

Third Party Advisory

https://www.debian.org/security/2018/dsa-4306

Third Party Advisory

https://www.debian.org/security/2018/dsa-4307

Third Party Advisory

https://access.redhat.com/errata/RHSA-2018:3041

Third Party Advisory

https://access.redhat.com/errata/RHSA-2018:3505

Third Party Advisory

https://usn.ubuntu.com/3817-1/

Third Party Advisory

http://www.securitytracker.com/id/1042001

Third Party Advisory

https://usn.ubuntu.com/3817-2/

Mailing List

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JSKPGPZQNTAULHW4UH63KGOOUIDE4RRB/

Mailing List

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AEZ5IQT7OF7Q2NCGIVABOWYGKO7YU3NJ/

Mailing List

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/46PVWY5LFP4BRPG3BVQ5QEEFYBVEXHCK/

Third Party Advisory

https://access.redhat.com/errata/RHBA-2019:0327

REDHAT

https://access.redhat.com/errata/RHSA-2019:1260

CONFIRM

https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbst03951en_us

REDHAT

https://access.redhat.com/errata/RHSA-2019:3725

SUSE

http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html

Match rules

CPE URI	Source package	Min version	Max version
`cpe:2.3:a:python:python:3.7.0:beta3::::::`	python	== None	== 3.7.0
`cpe:2.3:a:python:python::::::::`	python	>= 3.5.0	<= 3.5.5
`cpe:2.3:a:python:python::::::::`	python	>= 3.0	< 3.4.9
`cpe:2.3:a:python:python::::::::`	python	>= None	< 2.7.15
`cpe:2.3:a:python:python::::::::`	python	>= 3.6	<= 3.6.4

CPE URI

Source package

Min version

Max version

cpe:2.3:a:python:python:3.7.0:beta3:*:*:*:*:*:*

python

== None

== 3.7.0

cpe:2.3:a:python:python:*:*:*:*:*:*:*:*

python

>= 3.5.0

<= 3.5.5

cpe:2.3:a:python:python:*:*:*:*:*:*:*:*

python

>= 3.0

< 3.4.9

cpe:2.3:a:python:python:*:*:*:*:*:*:*:*

python

>= None

< 2.7.15

cpe:2.3:a:python:python:*:*:*:*:*:*:*:*

python

>= 3.6

<= 3.6.4

References

Match rules

Vulnerable and fixed packages