
Mageia 6 MGASA-2018-0495 Moderate: Python Denial Of Service

December 31, 2018
MGASA-2018-0495 - Updated python packages fix security vulnerabilities
Publication date: 31 Dec 2018

Summary

Possible denial of service vulnerability due to a missing check in Lib/wave.py to verify that at least one channel is provided (CVE-2017-18207).
Python's elementtree C accelerator failed to initialise Expat's hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by constructing an XML document that would cause pathological hash collisions in Expat's internal data structures, consuming large amounts of CPU and RAM (CVE-2018-14647).
It was discovered that the shutil module of Python does not properly sanitize input when creating a zip file on Windows. An attacker could use this flaw to cause a denial of service or add unintended files to the generated archive (CVE-2018-1000802).
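
The channel-count check named in the first item, written as a stand-alone pre-validation step for services that accept WAV uploads on hosts not yet updated. This is an added example, not code from the advisory or from CPython; the names check_wav_channels, WavHeaderError and build_wav are hypothetical, and the sample files are constructed.

```python
import io
import struct


class WavHeaderError(ValueError):
    """Raised when a WAV header fails pre-validation."""


def check_wav_channels(data: bytes) -> int:
    """Return the channel count declared in the 'fmt ' chunk, or raise.

    Walks the RIFF chunks itself, so the result does not depend on which
    version of the wave module is installed.
    """
    stream = io.BytesIO(data)
    riff = stream.read(12)
    if len(riff) < 12 or riff[:4] != b"RIFF" or riff[8:12] != b"WAVE":
        raise WavHeaderError("not a RIFF/WAVE file")
    while True:
        head = stream.read(8)
        if len(head) < 8:
            raise WavHeaderError("no 'fmt ' chunk found")
        chunk_id, size = struct.unpack("<4sI", head)
        if chunk_id == b"fmt ":
            body = stream.read(min(size, 16))
            if len(body) < 14:
                raise WavHeaderError("truncated 'fmt ' chunk")
            # format tag, channels, sample rate, byte rate, block align
            _tag, channels, _rate, _bps, _align = struct.unpack("<HHIIH", body[:14])
            if channels < 1:
                raise WavHeaderError("bad number of channels: 0")
            return channels
        # Chunks are padded to an even length; skip to the next header.
        stream.seek(size + (size & 1), io.SEEK_CUR)


def build_wav(channels: int, extra: bytes = b"") -> bytes:
    """Constructed sample: minimal 16-bit PCM WAV with an empty data chunk.

    'extra' is raw chunk bytes placed before 'fmt ' to exercise chunk skipping.
    """
    fmt = struct.pack("<HHIIHH", 1, channels, 8000, 8000 * channels * 2, channels * 2, 16)
    body = (b"WAVE" + extra + b"fmt " + struct.pack("<I", len(fmt)) + fmt
            + b"data" + struct.pack("<I", 0))
    return b"RIFF" + struct.pack("<I", len(body)) + body
```

Call check_wav_channels on the uploaded bytes and treat WavHeaderError as a rejected file before passing the data to wave.open.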

References

- https://bugs.mageia.org/show_bug.cgi?id=23061

- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/O4ERR26C7JCSELMELHCVZ5TZXFKHBJ72/

- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/HFL5UURGWQ53IKGPTD7B4MKMSMUZPTGU/

- https://www.cve.org/CVERecord?id=CVE-2017-18207

- https://www.cve.org/CVERecord?id=CVE-2018-14647

- https://www.cve.org/CVERecord?id=CVE-2018-1000802

Resolution

SRPMS

- 6/core/python-2.7.15-1.1.mga6

Publication date: 31 Dec 2018
URL: https://advisories.mageia.org/MGASA-2018-0495.html
Type: security
CVE: CVE-2017-18207, CVE-2018-14647, CVE-2018-1000802
