path: root/LICENSE
author: Sinan Kaya <okaya@kernel.org> 2018-10-05 00:39:08 +0000
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2018-10-18 11:08:53 +0100
commit: 97ee1f80870745bf6c542ee2f184c9e468672714 (patch)
tree: 0aa548ad102a6887561ae5609d83b64cdd605250 /LICENSE
parent: 536412ec4d1eccd1e7b7cc5fbf239bf34cbcbca5 (diff)
download: poky-97ee1f80870745bf6c542ee2f184c9e468672714.tar.gz
python3: CVE-2018-1061
* CVE-2018-1060 Prevent low-grade poplib REDOS:
  The regex to test a mail server's timestamp is susceptible to catastrophic backtracking on long evil responses from the server. Happily, the maximum length of malicious inputs is 2K thanks to a limit introduced in the fix for CVE-2013-1752.

* CVE-2018-1061 Prevent difflib REDOS
  The default regex for IS_LINE_JUNK is susceptible to catastrophic backtracking. This is a potential DOS vector. Replace it with an equivalent non-vulnerable regex.

Affects < 3.5.6rc1

CVE: CVE-2018-1060
CVE: CVE-2018-1061
Ref: https://access.redhat.com/security/cve/cve-2018-1060
Ref: https://access.redhat.com/security/cve/cve-2018-1061

(From OE-Core rev: 1461bcc72e6649920ecf4226e006e5667c48a21c)

Signed-off-by: Sinan Kaya <okaya@kernel.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'LICENSE')
0 files changed, 0 insertions, 0 deletions