Mirror of git.yoctoproject.org/poky https://git.enea.com/cgit/linux/poky.git/atom?h=yocto-2.5.3 2018-10-18T10:08:53+00:00 2018-10-18T10:08:53+00:00 Sinan Kaya okaya@kernel.org 2018-10-05T00:39:08+00:00 urn:sha1:97ee1f80870745bf6c542ee2f184c9e468672714 * CVE-2018-1060 Prevent low-grade poplib REDOS: The regex to test a mail server's timestamp is susceptible to catastrophic backtracking on long evil responses from the server. Happily, the maximum length of malicious inputs is 2K thanks to a limit introduced in the fix for CVE-2013-1752. * CVE-2018-1061 Prevent difflib REDOS The default regex for IS_LINE_JUNK is susceptible to catastrophic backtracking. This is a potential DOS vector. Replace it with an equivalent non-vulnerable regex. Affects < 3.5.6rc1 CVE: CVE-2018-1060 CVE: CVE-2018-1061 Ref: https://access.redhat.com/security/cve/cve-2018-1060 Ref: https://access.redhat.com/security/cve/cve-2018-1061 (From OE-Core rev: 1461bcc72e6649920ecf4226e006e5667c48a21c) Signed-off-by: Sinan Kaya <okaya@kernel.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>