CVE-2018-1060

Published: 18 June 2018

python before versions 2.7.15, 3.4.9, 3.5.6rc1, 3.6.5rc1 and 3.7.0 is vulnerable to catastrophic backtracking in pop3lib's apop() method. An attacker could use this flaw to cause denial of service.

Priority

CVSS 3 base score: 7.5

Status

Package	Release	Status
python2.7 Launchpad, Ubuntu, Debian	Upstream	Needs triage

	Ubuntu 20.10 (Groovy Gorilla)	Not vulnerable (2.7.15-4ubuntu1)
	Ubuntu 20.04 LTS (Focal Fossa)	Not vulnerable (2.7.15-4ubuntu1)
	Ubuntu 18.04 LTS (Bionic Beaver)	Not vulnerable (2.7.15~rc1-1)
	Ubuntu 16.04 LTS (Xenial Xerus)	Released (2.7.12-1ubuntu0~16.04.4)
	Ubuntu 14.04 ESM (Trusty Tahr)	Released (2.7.6-8ubuntu0.5)
	Patches: Upstream: https://github.com/python/cpython/commit/e052d40cea15f582b50947f7d906b39744dc62a2
python3.4 Launchpad, Ubuntu, Debian	Upstream	Needs triage

	Ubuntu 20.10 (Groovy Gorilla)	Does not exist
	Ubuntu 20.04 LTS (Focal Fossa)	Does not exist
	Ubuntu 18.04 LTS (Bionic Beaver)	Does not exist
	Ubuntu 16.04 LTS (Xenial Xerus)	Does not exist
	Ubuntu 14.04 ESM (Trusty Tahr)	Released (3.4.3-1ubuntu1~14.04.7)
	Patches: Upstream: https://github.com/python/cpython/commit/942cc04ae44825ea120e3a19a80c9b348b8194d0
python3.5 Launchpad, Ubuntu, Debian	Upstream	Needs triage

	Ubuntu 20.10 (Groovy Gorilla)	Does not exist
	Ubuntu 20.04 LTS (Focal Fossa)	Does not exist
	Ubuntu 18.04 LTS (Bionic Beaver)	Does not exist
	Ubuntu 16.04 LTS (Xenial Xerus)	Released (3.5.2-2ubuntu0~16.04.5)
	Ubuntu 14.04 ESM (Trusty Tahr)	Needed
	Patches: Upstream: https://github.com/python/cpython/commit/937ac1fe069a4dc8471dff205f553d82e724015b
python3.6 Launchpad, Ubuntu, Debian	Upstream	Needs triage

	Ubuntu 20.10 (Groovy Gorilla)	Does not exist
	Ubuntu 20.04 LTS (Focal Fossa)	Does not exist
	Ubuntu 18.04 LTS (Bionic Beaver)	Not vulnerable (3.6.6-1~18.04)
	Ubuntu 16.04 LTS (Xenial Xerus)	Does not exist
	Ubuntu 14.04 ESM (Trusty Tahr)	Does not exist
	Patches: Upstream: https://github.com/python/cpython/commit/c9516754067d71fd7429a25ccfcb2141fc583523
python3.7 Launchpad, Ubuntu, Debian	Upstream	Needs triage

	Ubuntu 20.10 (Groovy Gorilla)	Does not exist
	Ubuntu 20.04 LTS (Focal Fossa)	Does not exist
	Ubuntu 18.04 LTS (Bionic Beaver)	Not vulnerable (3.7.0~b3-1)
	Ubuntu 16.04 LTS (Xenial Xerus)	Does not exist
	Ubuntu 14.04 ESM (Trusty Tahr)	Does not exist
	Patches: Upstream: https://github.com/python/cpython/commit/0902a2d6b2d1d9dbde36aeaaccf1788ceaa97143

References

Bugs

https://bugs.python.org/issue32981

Join the discussion

Canonical is offering Extended Security Maintenance

Canonical is offering Ubuntu 14.04 Extended Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM