CVE-2018-14647

Published: 24 September 2018

Python's elementtree C accelerator failed to initialise Expat's hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by constructing an XML document that would cause pathological hash collisions in Expat's internal data structures, consuming large amounts CPU and RAM. The vulnerability exists in Python versions 3.7.0, 3.6.0 through 3.6.6, 3.5.0 through 3.5.6, 3.4.0 through 3.4.9, 2.7.0 through 2.7.15.

Priority

CVSS 3 base score: 7.5

Status

Package	Release	Status
python2.7 Launchpad, Ubuntu, Debian	Upstream	Needs triage

	Ubuntu 20.10 (Groovy Gorilla)	Not vulnerable (2.7.15-4ubuntu4)
	Ubuntu 20.04 LTS (Focal Fossa)	Not vulnerable (2.7.15-4ubuntu4)
	Ubuntu 18.04 LTS (Bionic Beaver)	Released (2.7.15~rc1-1ubuntu0.1)
	Ubuntu 16.04 LTS (Xenial Xerus)	Released (2.7.12-1ubuntu0~16.04.4)
	Ubuntu 14.04 ESM (Trusty Tahr)	Released (2.7.6-8ubuntu0.5)
	Patches: Upstream: https://github.com/python/cpython/commit/18b20bad75b4ff0486940fba4ec680e96e70f3a2
python3.4 Launchpad, Ubuntu, Debian	Upstream	Needs triage

	Ubuntu 20.10 (Groovy Gorilla)	Does not exist
	Ubuntu 20.04 LTS (Focal Fossa)	Does not exist
	Ubuntu 18.04 LTS (Bionic Beaver)	Does not exist
	Ubuntu 16.04 LTS (Xenial Xerus)	Does not exist
	Ubuntu 14.04 ESM (Trusty Tahr)	Released (3.4.3-1ubuntu1~14.04.7)
python3.5 Launchpad, Ubuntu, Debian	Upstream	Needs triage

	Ubuntu 20.10 (Groovy Gorilla)	Does not exist
	Ubuntu 20.04 LTS (Focal Fossa)	Does not exist
	Ubuntu 18.04 LTS (Bionic Beaver)	Does not exist
	Ubuntu 16.04 LTS (Xenial Xerus)	Released (3.5.2-2ubuntu0~16.04.5)
	Ubuntu 14.04 ESM (Trusty Tahr)	Needed
python3.6 Launchpad, Ubuntu, Debian	Upstream	Needs triage

	Ubuntu 20.10 (Groovy Gorilla)	Does not exist
	Ubuntu 20.04 LTS (Focal Fossa)	Does not exist
	Ubuntu 18.04 LTS (Bionic Beaver)	Released (3.6.7-1~18.04)
	Ubuntu 16.04 LTS (Xenial Xerus)	Does not exist
	Ubuntu 14.04 ESM (Trusty Tahr)	Does not exist
	Patches: Upstream: https://github.com/python/cpython/commit/f7666e828cc3d5873136473ea36ba2013d624fa1
python3.7 Launchpad, Ubuntu, Debian	Upstream	Released (3.7.0-7)

	Ubuntu 20.10 (Groovy Gorilla)	Does not exist
	Ubuntu 20.04 LTS (Focal Fossa)	Does not exist
	Ubuntu 18.04 LTS (Bionic Beaver)	Released (3.7.1-1~18.04)
	Ubuntu 16.04 LTS (Xenial Xerus)	Does not exist
	Ubuntu 14.04 ESM (Trusty Tahr)	Does not exist
	Patches: Upstream: https://github.com/python/cpython/commit/470a435f3b42c9be5fdb7f7b04f3df5663ba7305

References

Bugs

Join the discussion

Canonical is offering Extended Security Maintenance

Canonical is offering Ubuntu 14.04 Extended Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM