CVE-2018-14647

Published: 24 September 2018

Python's _elementtree C accelerator module (the default backend of xml.etree.ElementTree) did not initialise Expat's hash salt (XML_SetHashSalt) when creating a parser. An attacker who can supply an XML document could therefore craft element and attribute names that collide in Expat's internal hash tables, making parsing consume large amounts of CPU and RAM and so cause a denial of service. The pyexpat module had salted its parsers since the fix for CVE-2012-0876; only the _elementtree accelerator was missed. The vulnerability exists in Python versions 3.7.0, 3.6.0 through 3.6.6, 3.5.0 through 3.5.6, 3.4.0 through 3.4.9, and 2.7.0 through 2.7.15.
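
The following is an added example, not code from CPython or from this tracker, showing how a service stuck on an unpatched build can bound the work a hash-collision document forces on the C-accelerated parser. A collision attack needs many distinct element and attribute names in one document, so the input is fed to xml.etree.ElementTree.XMLPullParser in small chunks and the parse is abandoned once the number of distinct names, or the total size, passes a cap. The cap values (MAX_BYTES, MAX_DISTINCT_NAMES, CHUNK) and the function and exception names are assumptions chosen for illustration; upgrading to a fixed package remains the real fix.

```python
"""
Parse untrusted XML with the stdlib C-accelerated ElementTree while bounding
the work a hash-collision document can force (added example, not CPython or
Ubuntu tracker code). The cap values below are illustrative assumptions.
"""
import xml.etree.ElementTree as ET

MAX_BYTES = 256 * 1024       # assumed cap on total input size
MAX_DISTINCT_NAMES = 5000    # assumed cap on distinct tag + attribute names
CHUNK = 4096                 # bytes fed per step; bounds work between checks


class XmlLimitExceeded(ValueError):
    """Raised when the untrusted document exceeds a resource cap."""


def parse_untrusted(data: bytes) -> ET.Element:
    """Return the root element of `data`, or raise XmlLimitExceeded.

    Malformed XML raises xml.etree.ElementTree.ParseError as usual.
    """
    if len(data) > MAX_BYTES:
        raise XmlLimitExceeded(f"input is {len(data)} bytes, cap is {MAX_BYTES}")

    parser = ET.XMLPullParser(events=("start",))
    seen_names = set()
    root = None
    for offset in range(0, len(data), CHUNK):
        parser.feed(data[offset:offset + CHUNK])
        # read_events() yields the start tags parsed from the chunk just fed
        # and re-raises any ParseError that feed() queued.
        for _event, elem in parser.read_events():
            if root is None:
                root = elem          # first start event is the document root
            seen_names.add(elem.tag)
            seen_names.update(elem.attrib)   # attribute names of this element
            if len(seen_names) > MAX_DISTINCT_NAMES:
                raise XmlLimitExceeded(
                    f"more than {MAX_DISTINCT_NAMES} distinct names")
    parser.close()   # raises ParseError if the document is incomplete
    return root


if __name__ == "__main__":
    # Constructed sample input, not taken from the advisory.
    sample = b'<doc a="1"><item id="x">hi</item><item/></doc>'
    print(parse_untrusted(sample).tag)
```

The cap is checked only after each chunk has been handed to Expat, so the worst case is bounded by the names already seen plus those that fit in one chunk, rather than by the whole document. Tune CHUNK downward if the service must hold a tight latency budget.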

Priority

Medium

CVSS 3 base score: 7.5

Status

Package / Release                   Status

python2.7 (Launchpad, Ubuntu, Debian)
  Upstream                          Needs triage
  Ubuntu 20.10 (Groovy Gorilla)     Not vulnerable (2.7.15-4ubuntu4)
  Ubuntu 20.04 LTS (Focal Fossa)    Not vulnerable (2.7.15-4ubuntu4)
  Ubuntu 18.04 LTS (Bionic Beaver)  Released (2.7.15~rc1-1ubuntu0.1)
  Ubuntu 16.04 LTS (Xenial Xerus)   Released (2.7.12-1ubuntu0~16.04.4)
  Ubuntu 14.04 ESM (Trusty Tahr)    Released (2.7.6-8ubuntu0.5)
  Patches:
    Upstream: https://github.com/python/cpython/commit/18b20bad75b4ff0486940fba4ec680e96e70f3a2

python3.4 (Launchpad, Ubuntu, Debian)
  Upstream                          Needs triage
  Ubuntu 20.10 (Groovy Gorilla)     Does not exist
  Ubuntu 20.04 LTS (Focal Fossa)    Does not exist
  Ubuntu 18.04 LTS (Bionic Beaver)  Does not exist
  Ubuntu 16.04 LTS (Xenial Xerus)   Does not exist
  Ubuntu 14.04 ESM (Trusty Tahr)    Released (3.4.3-1ubuntu1~14.04.7)

python3.5 (Launchpad, Ubuntu, Debian)
  Upstream                          Needs triage
  Ubuntu 20.10 (Groovy Gorilla)     Does not exist
  Ubuntu 20.04 LTS (Focal Fossa)    Does not exist
  Ubuntu 18.04 LTS (Bionic Beaver)  Does not exist
  Ubuntu 16.04 LTS (Xenial Xerus)   Released (3.5.2-2ubuntu0~16.04.5)
  Ubuntu 14.04 ESM (Trusty Tahr)    Needed

python3.6 (Launchpad, Ubuntu, Debian)
  Upstream                          Needs triage
  Ubuntu 20.10 (Groovy Gorilla)     Does not exist
  Ubuntu 20.04 LTS (Focal Fossa)    Does not exist
  Ubuntu 18.04 LTS (Bionic Beaver)  Released (3.6.7-1~18.04)
  Ubuntu 16.04 LTS (Xenial Xerus)   Does not exist
  Ubuntu 14.04 ESM (Trusty Tahr)    Does not exist
  Patches:
    Upstream: https://github.com/python/cpython/commit/f7666e828cc3d5873136473ea36ba2013d624fa1

python3.7 (Launchpad, Ubuntu, Debian)
  Upstream                          Released (3.7.0-7)
  Ubuntu 20.10 (Groovy Gorilla)     Does not exist
  Ubuntu 20.04 LTS (Focal Fossa)    Does not exist
  Ubuntu 18.04 LTS (Bionic Beaver)  Released (3.7.1-1~18.04)
  Ubuntu 16.04 LTS (Xenial Xerus)   Does not exist
  Ubuntu 14.04 ESM (Trusty Tahr)    Does not exist
  Patches:
    Upstream: https://github.com/python/cpython/commit/470a435f3b42c9be5fdb7f7b04f3df5663ba7305