Huawei EulerOS: Security Advisory for python (EulerOS-SA-2019-1248)
2020-01-23T00:00:00
ID OPENVAS:1361412562311220191248 Type openvas Reporter Copyright (C) 2020 Greenbone Networks GmbH Modified 2020-01-23T00:00:00
Description
The remote host is missing an update for the Huawei EulerOS
# Copyright (C) 2020 Greenbone Networks GmbH
# Text descriptions are largely excerpted from the referenced
# advisory, and are Copyright (C) the respective author(s)
#
# SPDX-License-Identifier: GPL-2.0-or-later
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
if(description)
{
  # Plugin identity and the vulnerabilities it covers.
  script_oid("1.3.6.1.4.1.25623.1.1.2.2019.1248");
  script_version("2020-01-23T11:36:22+0000");
  script_cve_id("CVE-2018-1060", "CVE-2018-1061");

  # CVSSv2 base score/vector as published for this advisory.
  script_tag(name:"cvss_base", value:"5.0");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:N/I:N/A:P");

  # Creation and last-modification timestamps of this plugin.
  script_tag(name:"creation_date", value:"2020-01-23 11:36:22 +0000 (Thu, 23 Jan 2020)");
  script_tag(name:"last_modification", value:"2020-01-23 11:36:22 +0000 (Thu, 23 Jan 2020)");

  # Display name, scanner category and family.
  script_name("Huawei EulerOS: Security Advisory for python (EulerOS-SA-2019-1248)");
  script_category(ACT_GATHER_INFO);
  script_family("Huawei EulerOS Local Security Checks");
  script_copyright("Copyright (C) 2020 Greenbone Networks GmbH");

  # Runs only after the EulerOS consolidation plugin has collected the
  # release string and the installed RPM list over SSH, and only when the
  # release matches EULEROSVIRT-2.5.4.
  script_dependencies("gb_huawei_euleros_consolidation.nasl");
  script_mandatory_keys("ssh/login/euleros", "ssh/login/rpms", re:"ssh/login/release=EULEROSVIRT-2\.5\.4");

  # Vendor advisory references.
  script_xref(name:"EulerOS-SA", value:"2019-1248");
  script_xref(name:"URL", value:"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1248");

  # Human-readable report text, excerpted from the vendor advisory.
  script_tag(name:"summary", value:"The remote host is missing an update for the Huawei EulerOS
 'python' package(s) announced via the EulerOS-SA-2019-1248 advisory.");

  script_tag(name:"vuldetect", value:"Checks if a vulnerable package version is present on the target host.");

  script_tag(name:"insight", value:"A flaw was found in the way catastrophic backtracking was implemented in python's pop3lib's apop() method. An attacker could use this flaw to cause denial of service.CVE-2018-1060

A flaw was found in the way catastrophic backtracking was implemented in python's difflib.IS_LINE_JUNK method. An attacker could use this flaw to cause denial of service.CVE-2018-1061");

  script_tag(name:"affected", value:"'python' package(s) on Huawei EulerOS Virtualization 2.5.4.");

  # Vendor-supplied fix; detection quality is based on installed package versions.
  script_tag(name:"solution_type", value:"VendorFix");
  script_tag(name:"solution", value:"Please install the updated package(s).");
  script_tag(name:"qod_type", value:"package");

  exit(0);
}
include("revisions-lib.inc");
include("pkg-lib-rpm.inc");
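# Release string gathered over SSH by the consolidation dependency; without
# it there is nothing to compare against, so leave silently.
release = rpm_get_ssh_release();
if(!release)
  exit(0);

# This advisory only provides fixed packages for EulerOS Virtualization
# 2.5.4; any other release exits without a verdict, exactly as before.
if(release != "EULEROSVIRT-2.5.4")
  exit(0);

# All affected sub-packages built from the python source package are fixed
# in the same version-release, so the fixed NVR is stated once and applied
# to every package name. Keeping a single copy avoids a typo in one check
# silently narrowing detection; keep the list in step with the 'affected'
# tag above.
fixed_ver = "2.7.5~69.h7";
pkgs = make_list("python", "python-devel", "python-libs", "python-tools", "tkinter");

res = "";
report = "";

foreach pkg (pkgs) {
  # isrpmvuln returns NULL when the package is absent or not vulnerable and
  # a report fragment otherwise; fragments are concatenated into one report.
  if(!isnull(res = isrpmvuln(pkg:pkg, rpm:pkg + "~" + fixed_ver, rls:release))) {
    report += res;
  }
}

if(report != "") {
  security_message(data:report);
} else if (__pkg_match) {
  # At least one listed package was installed but none at a vulnerable
  # version: exit 99 signals "checked, not vulnerable".
  exit(99);
}

exit(0);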
{"id": "OPENVAS:1361412562311220191248", "type": "openvas", "bulletinFamily": "scanner", "title": "Huawei EulerOS: Security Advisory for python (EulerOS-SA-2019-1248)", "description": "The remote host is missing an update for the Huawei EulerOS\n ", "published": "2020-01-23T00:00:00", "modified": "2020-01-23T00:00:00", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220191248", "reporter": "Copyright (C) 2020 Greenbone Networks GmbH", "references": ["https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1248", "2019-1248"], "cvelist": ["CVE-2018-1060", "CVE-2018-1061"], "lastseen": "2020-01-27T18:36:56", "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2019-1248", "CVE-2018-1060", "CVE-2018-1061"]}, {"type": "centos", "idList": ["CESA-2018:3041"]}, {"type": "amazon", "idList": ["ALAS2-2019-1230", "ALAS-2018-1003", "ALAS2-2019-1248", "ALAS-2018-1108"]}, {"type": "redhat", "idList": ["RHSA-2019:1260", "RHSA-2020:1346", "RHSA-2020:1268", "RHSA-2018:3041"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2018:3703-1", "OPENSUSE-SU-2018:2712-1"]}, {"type": "fedora", "idList": ["FEDORA:E452E6021791", "FEDORA:66C72604D404", "FEDORA:45707604CD90", "FEDORA:EC9E0604D409", "FEDORA:CF8B162C3B99", "FEDORA:0FD96602C182", "FEDORA:4FA016419F1F", "FEDORA:9301E6076020", "FEDORA:132956044E67", "FEDORA:5A77C60200D2"]}, {"type": "nessus", "idList": ["EULEROS_SA-2019-1248.NASL", "ALA_ALAS-2018-1108.NASL", "EULEROS_SA-2019-1246.NASL", "PHOTONOS_PHSA-2018-2_0-0086_PYTHON2.NASL", "ORACLELINUX_ELSA-2018-3041.NASL", "REDHAT-RHSA-2018-3041.NASL", "SL_20181030_PYTHON_ON_SL7_X.NASL", "OPENSUSE-2018-1001.NASL", "CENTOS_RHSA-2018-3041.NASL", "ALA_ALAS-2018-1003.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310874353", "OPENVAS:1361412562310874961", "OPENVAS:1361412562311220191246", "OPENVAS:1361412562310813547", 
"OPENVAS:1361412562310874352", "OPENVAS:1361412562310874354", "OPENVAS:1361412562310874347", "OPENVAS:1361412562310874351", "OPENVAS:1361412562311220191072", "OPENVAS:1361412562310851890"]}, {"type": "oraclelinux", "idList": ["ELSA-2018-3041"]}, {"type": "debian", "idList": ["DEBIAN:DLA-1519-1:1A158", "DEBIAN:DLA-1520-1:70B85", "DEBIAN:DSA-4307-1:C7B50", "DEBIAN:DSA-4306-1:95510"]}, {"type": "ubuntu", "idList": ["USN-3817-2", "USN-3817-1"]}, {"type": "cloudfoundry", "idList": ["CFOUNDRY:C7368B69703D2F78B11155E4CE99EC4C"]}, {"type": "mscve", "idList": ["MS:CVE-2019-1248"]}], "modified": "2020-01-27T18:36:56", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2020-01-27T18:36:56", "rev": 2}, "vulnersScore": 7.5}, "pluginID": "1361412562311220191248", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2019.1248\");\n script_version(\"2020-01-23T11:36:22+0000\");\n script_cve_id(\"CVE-2018-1060\", \"CVE-2018-1061\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 11:36:22 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 11:36:22 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for python (EulerOS-SA-2019-1248)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROSVIRT-2\\.5\\.4\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2019-1248\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1248\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'python' package(s) announced via the EulerOS-SA-2019-1248 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"A flaw was found in the way catastrophic backtracking was implemented in python's pop3lib's apop() method. 
An attacker could use this flaw to cause denial of service.CVE-2018-1060\n\nA flaw was found in the way catastrophic backtracking was implemented in python's difflib.IS_LINE_JUNK method. An attacker could use this flaw to cause denial of service.CVE-2018-1061\");\n\n script_tag(name:\"affected\", value:\"'python' package(s) on Huawei EulerOS Virtualization 2.5.4.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROSVIRT-2.5.4\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"python\", rpm:\"python~2.7.5~69.h7\", rls:\"EULEROSVIRT-2.5.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python-devel\", rpm:\"python-devel~2.7.5~69.h7\", rls:\"EULEROSVIRT-2.5.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python-libs\", rpm:\"python-libs~2.7.5~69.h7\", rls:\"EULEROSVIRT-2.5.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python-tools\", rpm:\"python-tools~2.7.5~69.h7\", rls:\"EULEROSVIRT-2.5.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"tkinter\", rpm:\"tkinter~2.7.5~69.h7\", rls:\"EULEROSVIRT-2.5.4\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "naslFamily": "Huawei EulerOS Local Security Checks"}
{"cve": [{"lastseen": "2021-02-02T06:52:23", "description": "python before versions 2.7.15, 3.4.9, 3.5.6rc1, 3.6.5rc1 and 3.7.0 is vulnerable to catastrophic backtracking in the difflib.IS_LINE_JUNK method. An attacker could use this flaw to cause denial of service.", "edition": 11, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2018-06-19T12:29:00", "title": "CVE-2018-1061", "type": "cve", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-1061"], "modified": "2019-10-03T00:03:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:18.04", "cpe:/o:fedoraproject:fedora:29", "cpe:/o:fedoraproject:fedora:30", "cpe:/o:debian:debian_linux:8.0", "cpe:/o:canonical:ubuntu_linux:12.04", "cpe:/o:canonical:ubuntu_linux:16.04", "cpe:/o:redhat:enterprise_linux_server:7.0", "cpe:/a:redhat:ansible_tower:3.3", "cpe:/o:redhat:enterprise_linux_workstation:7.0", "cpe:/a:python:python:3.6.4", "cpe:/o:redhat:enterprise_linux_desktop:7.0", "cpe:/a:python:python:3.7.0", "cpe:/a:python:python:3.5.5", "cpe:/o:fedoraproject:fedora:28", "cpe:/o:canonical:ubuntu_linux:14.04", "cpe:/o:debian:debian_linux:9.0"], "id": 
"CVE-2018-1061", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1061", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*", "cpe:2.3:a:python:python:3.7.0:beta5:*:*:*:*:*:*", "cpe:2.3:a:python:python:3.5.5:*:*:*:*:*:*:*", "cpe:2.3:a:python:python:3.7.0:beta4:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*", "cpe:2.3:a:python:python:3.7.0:beta1:*:*:*:*:*:*", "cpe:2.3:a:python:python:3.7.0:rc1:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*", "cpe:2.3:a:python:python:3.7.0:alpha4:*:*:*:*:*:*", "cpe:2.3:a:python:python:3.7.0:alpha1:*:*:*:*:*:*", "cpe:2.3:a:python:python:3.6.4:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:28:*:*:*:*:*:*:*", "cpe:2.3:a:python:python:3.7.0:alpha3:*:*:*:*:*:*", "cpe:2.3:a:python:python:3.7.0:beta2:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*", "cpe:2.3:a:python:python:3.7.0:beta3:*:*:*:*:*:*", "cpe:2.3:a:redhat:ansible_tower:3.3:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*", "cpe:2.3:a:python:python:3.7.0:alpha2:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T06:52:23", "description": "python before versions 2.7.15, 3.4.9, 3.5.6rc1, 3.6.5rc1 and 3.7.0 is vulnerable to catastrophic backtracking in pop3lib's apop() method. 
An attacker could use this flaw to cause denial of service.", "edition": 14, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2018-06-18T14:29:00", "title": "CVE-2018-1060", "type": "cve", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-1060"], "modified": "2020-01-15T20:15:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:18.04", "cpe:/o:fedoraproject:fedora:29", "cpe:/o:fedoraproject:fedora:30", "cpe:/o:debian:debian_linux:8.0", "cpe:/o:canonical:ubuntu_linux:12.04", "cpe:/o:canonical:ubuntu_linux:16.04", "cpe:/o:redhat:enterprise_linux_server:7.0", "cpe:/a:redhat:ansible_tower:3.3", "cpe:/o:redhat:enterprise_linux_workstation:7.0", "cpe:/a:python:python:3.6.4", "cpe:/o:redhat:enterprise_linux_desktop:7.0", "cpe:/a:python:python:3.5.5", "cpe:/o:fedoraproject:fedora:28", "cpe:/o:canonical:ubuntu_linux:14.04", "cpe:/o:debian:debian_linux:9.0"], "id": "CVE-2018-1060", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1060", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", 
"cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*", "cpe:2.3:a:python:python:3.5.5:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*", "cpe:2.3:a:python:python:3.6.4:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:28:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*", "cpe:2.3:a:redhat:ansible_tower:3.3:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*"]}], "centos": [{"lastseen": "2019-12-20T18:25:30", "bulletinFamily": "unix", "cvelist": ["CVE-2018-1060", "CVE-2018-1061"], "description": "**CentOS Errata and Security Advisory** CESA-2018:3041\n\n\nPython is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. 
Python supports interfaces to many system calls and libraries, as well as to various windowing systems.\n\nSecurity Fix(es):\n\n* python: DOS via regular expression backtracking in difflib.IS_LINE_JUNK method in difflib (CVE-2018-1061)\n\n* python: DOS via regular expression catastrophic backtracking in apop() method in pop3lib (CVE-2018-1060)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.\n\nRed Hat would like to thank the Python security response team for reporting these issues.\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 7.6 Release Notes linked from the References section.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-cr-announce/2018-November/005617.html\n\n**Affected packages:**\npython\npython-debug\npython-devel\npython-libs\npython-test\npython-tools\ntkinter\n\n**Upstream details at:**\n", "edition": 3, "modified": "2018-11-15T18:51:33", "published": "2018-11-15T18:51:33", "id": "CESA-2018:3041", "href": "http://lists.centos.org/pipermail/centos-cr-announce/2018-November/005617.html", "title": "python, tkinter security update", "type": "centos", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "amazon": [{"lastseen": "2020-11-10T12:35:52", "bulletinFamily": "unix", "cvelist": ["CVE-2018-1060", "CVE-2018-1061"], "description": "**Issue Overview:**\n\nA flaw was found in the way catastrophic backtracking was implemented in python's pop3lib's apop() method. An attacker could use this flaw to cause denial of service.([CVE-2018-1060 __](<https://access.redhat.com/security/cve/CVE-2018-1060>))\n\nA flaw was found in the way catastrophic backtracking was implemented in python's difflib.IS_LINE_JUNK method. 
An attacker could use this flaw to cause denial of service.([CVE-2018-1061 __](<https://access.redhat.com/security/cve/CVE-2018-1061>))\n\n \n**Affected Packages:** \n\n\npython27\n\n \n**Issue Correction:** \nRun _yum update python27_ to update your system. \n\n\n \n\n\n**New Packages:**\n \n \n i686: \n python27-libs-2.7.15-1.124.amzn1.i686 \n python27-debuginfo-2.7.15-1.124.amzn1.i686 \n python27-test-2.7.15-1.124.amzn1.i686 \n python27-2.7.15-1.124.amzn1.i686 \n python27-devel-2.7.15-1.124.amzn1.i686 \n python27-tools-2.7.15-1.124.amzn1.i686 \n \n src: \n python27-2.7.15-1.124.amzn1.src \n \n x86_64: \n python27-debuginfo-2.7.15-1.124.amzn1.x86_64 \n python27-libs-2.7.15-1.124.amzn1.x86_64 \n python27-devel-2.7.15-1.124.amzn1.x86_64 \n python27-tools-2.7.15-1.124.amzn1.x86_64 \n python27-test-2.7.15-1.124.amzn1.x86_64 \n python27-2.7.15-1.124.amzn1.x86_64 \n \n \n", "edition": 5, "modified": "2018-12-06T00:22:00", "published": "2018-12-06T00:22:00", "id": "ALAS-2018-1108", "href": "https://alas.aws.amazon.com/ALAS-2018-1108.html", "title": "Medium: python27", "type": "amazon", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-11-10T12:35:13", "bulletinFamily": "unix", "cvelist": ["CVE-2018-1060", "CVE-2018-1061"], "description": "**Issue Overview:**\n\nDOS via regular expression catastrophic backtracking in apop() method in pop3lib \nA flaw was found in the way catastrophic backtracking was implemented in python's pop3lib's apop() method. An attacker could use this flaw to cause denial of service. ([CVE-2018-1060 __](<https://access.redhat.com/security/cve/CVE-2018-1060>))\n\nDOS via regular expression backtracking in difflib.IS_LINE_JUNK method in difflib \nA flaw was found in the way catastrophic backtracking was implemented in python's difflib.IS_LINE_JUNK method. An attacker could use this flaw to cause denial of service. 
([CVE-2018-1061 __](<https://access.redhat.com/security/cve/CVE-2018-1061>))\n\n \n**Affected Packages:** \n\n\npython34, python35, python36, python27\n\n \n**Issue Correction:** \nRun _yum update python34_ to update your system. \nRun _yum update python35_ to update your system. \nRun _yum update python36_ to update your system. \n\n\n \n\n\n**New Packages:**\n \n \n i686: \n python34-test-3.4.8-1.39.amzn1.i686 \n python34-devel-3.4.8-1.39.amzn1.i686 \n python34-libs-3.4.8-1.39.amzn1.i686 \n python34-debuginfo-3.4.8-1.39.amzn1.i686 \n python34-tools-3.4.8-1.39.amzn1.i686 \n python34-3.4.8-1.39.amzn1.i686 \n python35-tools-3.5.5-1.12.amzn1.i686 \n python35-test-3.5.5-1.12.amzn1.i686 \n python35-devel-3.5.5-1.12.amzn1.i686 \n python35-3.5.5-1.12.amzn1.i686 \n python35-debuginfo-3.5.5-1.12.amzn1.i686 \n python35-libs-3.5.5-1.12.amzn1.i686 \n python36-devel-3.6.5-1.9.amzn1.i686 \n python36-debug-3.6.5-1.9.amzn1.i686 \n python36-test-3.6.5-1.9.amzn1.i686 \n python36-debuginfo-3.6.5-1.9.amzn1.i686 \n python36-libs-3.6.5-1.9.amzn1.i686 \n python36-3.6.5-1.9.amzn1.i686 \n python36-tools-3.6.5-1.9.amzn1.i686 \n python27-libs-2.7.14-1.123.amzn1.i686 \n python27-2.7.14-1.123.amzn1.i686 \n python27-debuginfo-2.7.14-1.123.amzn1.i686 \n python27-test-2.7.14-1.123.amzn1.i686 \n python27-devel-2.7.14-1.123.amzn1.i686 \n python27-tools-2.7.14-1.123.amzn1.i686 \n \n src: \n python34-3.4.8-1.39.amzn1.src \n python35-3.5.5-1.12.amzn1.src \n python36-3.6.5-1.9.amzn1.src \n python27-2.7.14-1.123.amzn1.src \n \n x86_64: \n python34-tools-3.4.8-1.39.amzn1.x86_64 \n python34-libs-3.4.8-1.39.amzn1.x86_64 \n python34-debuginfo-3.4.8-1.39.amzn1.x86_64 \n python34-test-3.4.8-1.39.amzn1.x86_64 \n python34-3.4.8-1.39.amzn1.x86_64 \n python34-devel-3.4.8-1.39.amzn1.x86_64 \n python35-devel-3.5.5-1.12.amzn1.x86_64 \n python35-3.5.5-1.12.amzn1.x86_64 \n python35-debuginfo-3.5.5-1.12.amzn1.x86_64 \n python35-test-3.5.5-1.12.amzn1.x86_64 \n python35-libs-3.5.5-1.12.amzn1.x86_64 \n 
python35-tools-3.5.5-1.12.amzn1.x86_64 \n python36-tools-3.6.5-1.9.amzn1.x86_64 \n python36-test-3.6.5-1.9.amzn1.x86_64 \n python36-devel-3.6.5-1.9.amzn1.x86_64 \n python36-3.6.5-1.9.amzn1.x86_64 \n python36-debug-3.6.5-1.9.amzn1.x86_64 \n python36-debuginfo-3.6.5-1.9.amzn1.x86_64 \n python36-libs-3.6.5-1.9.amzn1.x86_64 \n python27-debuginfo-2.7.14-1.123.amzn1.x86_64 \n python27-libs-2.7.14-1.123.amzn1.x86_64 \n python27-test-2.7.14-1.123.amzn1.x86_64 \n python27-tools-2.7.14-1.123.amzn1.x86_64 \n python27-devel-2.7.14-1.123.amzn1.x86_64 \n python27-2.7.14-1.123.amzn1.x86_64 \n \n \n", "edition": 6, "modified": "2018-04-26T17:28:00", "published": "2018-04-26T17:28:00", "id": "ALAS-2018-1003", "href": "https://alas.aws.amazon.com/ALAS-2018-1003.html", "title": "Medium: python34, python35, python36, python27", "type": "amazon", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-11-10T12:36:20", "bulletinFamily": "unix", "cvelist": ["CVE-2019-9636", "CVE-2018-20406", "CVE-2018-1060", "CVE-2018-1061", "CVE-2019-5010"], "description": "**Issue Overview:**\n\nA null pointer dereference vulnerability was found in the certificate parsing code in Python. This causes a denial of service to applications when parsing specially crafted certificates. This vulnerability is unlikely to be triggered if application enables SSL/TLS certificate validation and accepts certificates only from trusted root certificate authorities. ([CVE-2019-5010 __](<https://access.redhat.com/security/cve/CVE-2019-5010>))\n\nPython 2.7.16 is affected by: Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is: Information disclosure (credentials, cookies, etc. that are cached against a given hostname). The components are: urllib.parse.urlsplit, urllib.parse.urlparse. 
The attack vector is: A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed correctly. ([CVE-2019-9636 __](<https://access.redhat.com/security/cve/CVE-2019-9636>))\n\nA flaw was found in the way catastrophic backtracking was implemented in python's pop3lib's apop() method. An attacker could use this flaw to cause denial of service. ([CVE-2018-1060 __](<https://access.redhat.com/security/cve/CVE-2018-1060>))\n\nModules/_pickle.c in Python 2.7.16 has an integer overflow via a large LONG_BINPUT value that is mishandled during a "resize to twice the size" attempt. This issue might cause memory exhaustion, but is only relevant if the pickle format is used for serializing tens or hundreds of gigabytes of data. ([CVE-2018-20406 __](<https://access.redhat.com/security/cve/CVE-2018-20406>))\n\nA flaw was found in the way catastrophic backtracking was implemented in python's difflib.IS_LINE_JUNK method. An attacker could use this flaw to cause denial of service. ([CVE-2018-1061 __](<https://access.redhat.com/security/cve/CVE-2018-1061>))\n\n \n**Affected Packages:** \n\n\npython\n\n \n**Issue Correction:** \nRun _yum update python_ to update your system. 
\n\n\n \n\n\n**New Packages:**\n \n \n aarch64: \n python-2.7.16-1.amzn2.0.1.aarch64 \n python-libs-2.7.16-1.amzn2.0.1.aarch64 \n python-devel-2.7.16-1.amzn2.0.1.aarch64 \n python-tools-2.7.16-1.amzn2.0.1.aarch64 \n tkinter-2.7.16-1.amzn2.0.1.aarch64 \n python-test-2.7.16-1.amzn2.0.1.aarch64 \n python-debug-2.7.16-1.amzn2.0.1.aarch64 \n python-debuginfo-2.7.16-1.amzn2.0.1.aarch64 \n \n i686: \n python-2.7.16-1.amzn2.0.1.i686 \n python-libs-2.7.16-1.amzn2.0.1.i686 \n python-devel-2.7.16-1.amzn2.0.1.i686 \n python-tools-2.7.16-1.amzn2.0.1.i686 \n tkinter-2.7.16-1.amzn2.0.1.i686 \n python-test-2.7.16-1.amzn2.0.1.i686 \n python-debug-2.7.16-1.amzn2.0.1.i686 \n python-debuginfo-2.7.16-1.amzn2.0.1.i686 \n \n src: \n python-2.7.16-1.amzn2.0.1.src \n \n x86_64: \n python-2.7.16-1.amzn2.0.1.x86_64 \n python-libs-2.7.16-1.amzn2.0.1.x86_64 \n python-devel-2.7.16-1.amzn2.0.1.x86_64 \n python-tools-2.7.16-1.amzn2.0.1.x86_64 \n tkinter-2.7.16-1.amzn2.0.1.x86_64 \n python-test-2.7.16-1.amzn2.0.1.x86_64 \n python-debug-2.7.16-1.amzn2.0.1.x86_64 \n python-debuginfo-2.7.16-1.amzn2.0.1.x86_64 \n \n \n", "edition": 1, "modified": "2019-06-25T21:04:00", "published": "2019-06-25T21:04:00", "id": "ALAS2-2019-1230", "href": "https://alas.aws.amazon.com/AL2/ALAS-2019-1230.html", "title": "Important: python", "type": "amazon", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "redhat": [{"lastseen": "2019-08-13T18:45:39", "bulletinFamily": "unix", "cvelist": ["CVE-2018-1060", "CVE-2018-1061"], "description": "Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. 
Python supports interfaces to many system calls and libraries, as well as to various windowing systems.\n\nSecurity Fix(es):\n\n* python: DOS via regular expression backtracking in difflib.IS_LINE_JUNK method in difflib (CVE-2018-1061)\n\n* python: DOS via regular expression catastrophic backtracking in apop() method in pop3lib (CVE-2018-1060)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.\n\nRed Hat would like to thank the Python security response team for reporting these issues.\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 7.6 Release Notes linked from the References section.", "modified": "2018-10-30T09:21:02", "published": "2018-10-30T08:12:01", "id": "RHSA-2018:3041", "href": "https://access.redhat.com/errata/RHSA-2018:3041", "type": "redhat", "title": "(RHSA-2018:3041) Moderate: python security and bug fix update", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-04-01T09:49:47", "bulletinFamily": "unix", "cvelist": ["CVE-2018-1060", "CVE-2018-1061", "CVE-2018-14647", "CVE-2019-9740", "CVE-2019-9947", "CVE-2019-9948"], "description": "Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. 
Python supports interfaces to many system calls and libraries, as well as to various windowing systems.\n\nSecurity Fix(es):\n\n* python: DOS via regular expression backtracking in difflib.IS_LINE_JUNK method in difflib (CVE-2018-1061)\n\n* python: Missing salt initialization in _elementtree.c module (CVE-2018-14647)\n\n* python: CRLF injection via the query part of the url passed to urlopen() (CVE-2019-9740)\n\n* python: CRLF injection via the path part of the url passed to urlopen() (CVE-2019-9947)\n\n* python: Undocumented local_file protocol allows remote attackers to bypass protection mechanisms (CVE-2019-9948)\n\n* python: DOS via regular expression catastrophic backtracking in apop() method in pop3lib (CVE-2018-1060)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2020-04-01T11:52:47", "published": "2020-04-01T11:33:29", "id": "RHSA-2020:1268", "href": "https://access.redhat.com/errata/RHSA-2020:1268", "type": "redhat", "title": "(RHSA-2020:1268) Moderate: python security update", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2019-08-13T18:46:13", "bulletinFamily": "unix", "cvelist": ["CVE-2016-10745", "CVE-2018-1060", "CVE-2018-1061", "CVE-2018-14647", "CVE-2019-9740", "CVE-2019-9947"], "description": "Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems.\n\nThe following packages have been upgraded to a later upstream version: python27-python (2.7.16). 
(BZ#1709349)\n\nSecurity Fix(es):\n\n* python-jinja2: Sandbox escape due to information disclosure via str.format (CVE-2016-10745)\n\n* python: DOS via regular expression backtracking in difflib.IS_LINE_JUNK method in difflib (CVE-2018-1061)\n\n* python: Missing salt initialization in _elementtree.c module (CVE-2018-14647)\n\n* python: improper neutralization of CRLF sequences in urllib module (CVE-2019-9740)\n\n* python: improper neutralization of CRLF sequences in urllib module (CVE-2019-9947)\n\n* python: DOS via regular expression catastrophic backtracking in apop() method in pop3lib (CVE-2018-1060)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nBug Fix(es):\n\n* urlsplit doesn't accept a NFKD hostname with a port number (BZ#1709329)", "modified": "2019-05-22T15:54:32", "published": "2019-05-22T15:42:43", "id": "RHSA-2019:1260", "href": "https://access.redhat.com/errata/RHSA-2019:1260", "type": "redhat", "title": "(RHSA-2019:1260) Important: python27-python and python27-python-jinja2 security and bug fix update", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-04-07T09:41:27", "bulletinFamily": "unix", "cvelist": ["CVE-2018-1060", "CVE-2018-1061", "CVE-2018-14647", "CVE-2019-9740", "CVE-2019-9947", "CVE-2019-9948"], "description": "Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. 
Python supports interfaces to many system calls and libraries, as well as to various windowing systems.\n\nSecurity Fix(es):\n\n* python: DOS via regular expression backtracking in difflib.IS_LINE_JUNK method in difflib (CVE-2018-1061)\n\n* python: Missing salt initialization in _elementtree.c module (CVE-2018-14647)\n\n* python: CRLF injection via the query part of the url passed to urlopen() (CVE-2019-9740)\n\n* python: CRLF injection via the path part of the url passed to urlopen() (CVE-2019-9947)\n\n* python: Undocumented local_file protocol allows remote attackers to bypass protection mechanisms (CVE-2019-9948)\n\n* python: DOS via regular expression catastrophic backtracking in apop() method in pop3lib (CVE-2018-1060)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2020-04-07T12:46:03", "published": "2020-04-07T12:31:07", "id": "RHSA-2020:1346", "href": "https://access.redhat.com/errata/RHSA-2020:1346", "type": "redhat", "title": "(RHSA-2020:1346) Moderate: python security update", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}], "suse": [{"lastseen": "2018-09-14T19:50:58", "bulletinFamily": "unix", "cvelist": ["CVE-2018-1060", "CVE-2018-1061"], "description": "This update for python3 provides the following fixes:\n\n These security issues were fixed:\n\n - CVE-2018-1061: Prevent catastrophic backtracking in the\n difflib.IS_LINE_JUNK method. An attacker could have used this flaw to\n cause denial of service (bsc#1088004).\n - CVE-2018-1060: Prevent catastrophic backtracking in pop3lib's apop()\n method. An attacker could have used this flaw to cause denial of service\n (bsc#1088009).\n\n These non-security issues were fixed:\n\n - Sort files and directories when creating tarfile archives so that they\n are created in a more predictable way. 
(bsc#1086001)\n - Add -fwrapv to OPTS (bsc#1107030)\n\n This update was imported from the SUSE:SLE-12:Update update project.\n\n", "edition": 1, "modified": "2018-09-14T18:08:02", "published": "2018-09-14T18:08:02", "id": "OPENSUSE-SU-2018:2712-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2018-09/msg00024.html", "title": "Security update for python3 (moderate)", "type": "suse", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-11-10T02:37:48", "bulletinFamily": "unix", "cvelist": ["CVE-2018-1000802", "CVE-2018-1060", "CVE-2018-1061"], "description": "This update for python, python-base fixes the following issues:\n\n Security issues fixed:\n\n - CVE-2018-1000802: Prevent command injection in shutil module\n (make_archive function) via passage of unfiltered user input\n (bsc#1109663).\n - CVE-2018-1061: Fixed DoS via regular expression backtracking in\n difflib.IS_LINE_JUNK method in difflib (bsc#1088004).\n - CVE-2018-1060: Fixed DoS via regular expression catastrophic\n backtracking in apop() method in pop3lib (bsc#1088009).\n\n Bug fixes:\n\n - bsc#1086001: python tarfile uses random order.\n\n This update was imported from the SUSE:SLE-12-SP1:Update update project.\n\n", "edition": 1, "modified": "2018-11-10T00:20:28", "published": "2018-11-10T00:20:28", "id": "OPENSUSE-SU-2018:3703-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2018-11/msg00011.html", "title": "Security update for python, python-base (moderate)", "type": "suse", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "fedora": [{"lastseen": "2020-12-21T08:17:54", "bulletinFamily": "unix", "cvelist": ["CVE-2018-1060", "CVE-2018-1061"], "description": "The python3-docs package contains documentation on the Python 3 programming language and interpreter. Install the python3-docs package if you'd like to use the documentation for the Python 3 language. 
", "modified": "2018-04-09T18:36:02", "published": "2018-04-09T18:36:02", "id": "FEDORA:E452E6021791", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 26 Update: python3-docs-3.6.5-1.fc26", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-12-21T08:17:54", "bulletinFamily": "unix", "cvelist": ["CVE-2018-1060", "CVE-2018-1061"], "description": "pip is a package management system used to install and manage software pack ages written in Python. Many packages can be found in the Python Package Index (PyPI). pip is a recursive acronym that can stand for either \"Pip Installs Packages\" or \"Pip Installs Python\". ", "modified": "2018-04-09T19:10:14", "published": "2018-04-09T19:10:14", "id": "FEDORA:66C72604D404", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 27 Update: python-pip-9.0.3-1.fc27", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-12-21T08:17:54", "bulletinFamily": "unix", "cvelist": ["CVE-2018-1060", "CVE-2018-1061"], "description": "The python3-docs package contains documentation on the Python 3 programming language and interpreter. Install the python3-docs package if you'd like to use the documentation for the Python 3 language. ", "modified": "2018-04-09T19:10:14", "published": "2018-04-09T19:10:14", "id": "FEDORA:45707604CD90", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 27 Update: python3-docs-3.6.5-1.fc27", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-12-21T08:17:54", "bulletinFamily": "unix", "cvelist": ["CVE-2018-1060", "CVE-2018-1061"], "description": "Python 3.4 package for developers. This package exists to allow developers to test their code against an older version of Python. This is not a full Python stack and if you wish to run your applications with Python 3.4, see other distributions that support it, such as CentOS or RHEL with Software Collections. 
", "modified": "2018-08-16T08:08:04", "published": "2018-08-16T08:08:04", "id": "FEDORA:CF8B162C3B99", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 28 Update: python34-3.4.9-2.fc28", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-12-21T08:17:54", "bulletinFamily": "unix", "cvelist": ["CVE-2018-1060", "CVE-2018-1061"], "description": "Python is an accessible, high-level, dynamically typed, interpreted program ming language, designed with an emphasis on code readability. It includes an extensive standard library, and has a vast ecosystem of third-party libraries. The python3 package provides the \"python3\" executable: the reference interpreter for the Python language, version 3. The majority of its standard library is provided in the python3-libs packag e, which should be installed automatically along with python3. The remaining parts of the Python standard library are broken out into the python3-tkinter and python3-test packages, which may need to be installed separately. Documentation for Python is provided in the python3-docs package. Packages containing additional libraries for Python are generally named with the \"python3-\" prefix. ", "modified": "2018-04-06T11:10:57", "published": "2018-04-06T11:10:57", "id": "FEDORA:5A77C60200D2", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 28 Update: python3-3.6.5-1.fc28", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-12-21T08:17:54", "bulletinFamily": "unix", "cvelist": ["CVE-2018-1060", "CVE-2018-1061"], "description": "Python is an accessible, high-level, dynamically typed, interpreted program ming language, designed with an emphasis on code readibility. It includes an extensive standard library, and has a vast ecosystem of third-party libraries. The python3 package provides the \"python3\" executable: the reference interpreter for the Python language, version 3. 
The majority of its standard library is provided in the python3-libs packag e, which should be installed automatically along with python3. The remaining parts of the Python standard library are broken out into the python3-tkinter and python3-test packages, which may need to be installed separately. Documentation for Python is provided in the python3-docs package. Packages containing additional libraries for Python are generally named with the \"python3-\" prefix. ", "modified": "2018-04-09T19:10:13", "published": "2018-04-09T19:10:13", "id": "FEDORA:EC9E0604D409", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 27 Update: python3-3.6.5-1.fc27", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-12-21T08:17:54", "bulletinFamily": "unix", "cvelist": ["CVE-2018-1060", "CVE-2018-1061"], "description": "Pip is a replacement for `easy_install <http://peak.telecommunity.com/DevCenter/EasyInstall>`_. It uses mostly the same techniques for finding packages, so packages that were made easy_installable should be pip-installable as well. ", "modified": "2018-04-09T18:36:03", "published": "2018-04-09T18:36:03", "id": "FEDORA:0FD96602C182", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 26 Update: python-pip-9.0.3-1.fc26", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-12-21T08:17:54", "bulletinFamily": "unix", "cvelist": ["CVE-2018-1060", "CVE-2018-1061"], "description": "Python is an interpreted, interactive, object-oriented programming language often compared to Tcl, Perl, Scheme or Java. Python includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems (X11, Motif, Tk, Mac and MFC). Programmers can write new built-in modules for Python in C or C++. Python can be used as an extension language for applications that need a programmable interface. 
Note that documentation for Python is provided in the python3-docs package. This package provides the \"python3\" executable; most of the actual implementation is within the \"python3-libs\" and \"system-python-libs\" packag es. ", "modified": "2018-04-09T18:36:02", "published": "2018-04-09T18:36:02", "id": "FEDORA:9301E6076020", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 26 Update: python3-3.6.5-1.fc26", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-12-21T08:17:54", "bulletinFamily": "unix", "cvelist": ["CVE-2017-1000158", "CVE-2018-1060", "CVE-2018-1061"], "description": "Python 3.4 package for developers. This package exists to allow developers to test their code against an older version of Python. This is not a full Python stack and if you wish to run your applications with Python 3.4, see other distributions that support it, such as CentOS or RHEL with Software Collections. ", "modified": "2018-08-16T07:24:43", "published": "2018-08-16T07:24:43", "id": "FEDORA:4FA016419F1F", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 27 Update: python34-3.4.9-2.fc27", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:55", "bulletinFamily": "unix", "cvelist": ["CVE-2018-1060", "CVE-2018-1061", "CVE-2018-20406", "CVE-2019-5010", "CVE-2019-9636"], "description": "Python 3.5 package for developers. This package exists to allow developers to test their code against an older version of Python. This is not a full Python stack and if you wish to run your applications with Python 3.5, see other distributions that support it, such as CentOS or RHEL with Software Collections or older Fedora releases. 
", "modified": "2019-03-29T19:39:51", "published": "2019-03-29T19:39:51", "id": "FEDORA:132956044E67", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 30 Update: python35-3.5.7-1.fc30", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "nessus": [{"lastseen": "2021-03-01T01:36:21", "description": "An update for python is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Moderate. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nPython is an interpreted, interactive, object-oriented programming\nlanguage, which includes modules, classes, exceptions, very high level\ndynamic data types and dynamic typing. Python supports interfaces to\nmany system calls and libraries, as well as to various windowing\nsystems.\n\nSecurity Fix(es) :\n\n* python: DOS via regular expression backtracking in\ndifflib.IS_LINE_JUNK method in difflib (CVE-2018-1061)\n\n* python: DOS via regular expression catastrophic backtracking in\napop() method in pop3lib (CVE-2018-1060)\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, and other related information, refer to the CVE page(s)\nlisted in the References section.\n\nRed Hat would like to thank the Python security response team for\nreporting these issues.\n\nAdditional Changes :\n\nFor detailed information on changes in this release, see the Red Hat\nEnterprise Linux 7.6 Release Notes linked from the References section.", "edition": 21, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2018-11-16T00:00:00", "title": "CentOS 7 : python (CESA-2018:3041)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-1060", "CVE-2018-1061"], "modified": "2021-03-02T00:00:00", "cpe": ["p-cpe:/a:centos:centos:tkinter", 
"p-cpe:/a:centos:centos:python-devel", "p-cpe:/a:centos:centos:python", "p-cpe:/a:centos:centos:python-debug", "cpe:/o:centos:centos:7", "p-cpe:/a:centos:centos:python-test", "p-cpe:/a:centos:centos:python-libs", "p-cpe:/a:centos:centos:python-tools"], "id": "CENTOS_RHSA-2018-3041.NASL", "href": "https://www.tenable.com/plugins/nessus/118984", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2018:3041 and \n# CentOS Errata and Security Advisory 2018:3041 respectively.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(118984);\n script_version(\"1.3\");\n script_cvs_date(\"Date: 2019/12/31\");\n\n script_cve_id(\"CVE-2018-1060\", \"CVE-2018-1061\");\n script_xref(name:\"RHSA\", value:\"2018:3041\");\n\n script_name(english:\"CentOS 7 : python (CESA-2018:3041)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote CentOS host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for python is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Moderate. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nPython is an interpreted, interactive, object-oriented programming\nlanguage, which includes modules, classes, exceptions, very high level\ndynamic data types and dynamic typing. 
Python supports interfaces to\nmany system calls and libraries, as well as to various windowing\nsystems.\n\nSecurity Fix(es) :\n\n* python: DOS via regular expression backtracking in\ndifflib.IS_LINE_JUNK method in difflib (CVE-2018-1061)\n\n* python: DOS via regular expression catastrophic backtracking in\napop() method in pop3lib (CVE-2018-1060)\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, and other related information, refer to the CVE page(s)\nlisted in the References section.\n\nRed Hat would like to thank the Python security response team for\nreporting these issues.\n\nAdditional Changes :\n\nFor detailed information on changes in this release, see the Red Hat\nEnterprise Linux 7.6 Release Notes linked from the References section.\"\n );\n # https://lists.centos.org/pipermail/centos-cr-announce/2018-November/005617.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?67220dc7\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected python packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-1060\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:python\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:python-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:python-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:python-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:python-test\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:python-tools\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:centos:centos:tkinter\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/06/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/11/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/11/16\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/CentOS/release\");\nif (isnull(release) || \"CentOS\" >!< release) audit(AUDIT_OS_NOT, \"CentOS\");\nos_ver = pregmatch(pattern: \"CentOS(?: Linux)? release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"CentOS\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"CentOS 7.x\", \"CentOS \" + os_ver);\n\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"python-2.7.5-76.el7\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"python-debug-2.7.5-76.el7\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"python-devel-2.7.5-76.el7\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"python-libs-2.7.5-76.el7\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"python-test-2.7.5-76.el7\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"python-tools-2.7.5-76.el7\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"tkinter-2.7.5-76.el7\")) flag++;\n\n\nif (flag)\n{\n cr_plugin_caveat = '\\n' +\n 'NOTE: The security advisory associated with this vulnerability has a\\n' +\n 'fixed package version that may only be available in the continuous\\n' +\n 'release (CR) repository for CentOS, until it is present in the next\\n' +\n 'point release of CentOS.\\n\\n' +\n\n 'If an equal or higher package level does not exist in the baseline\\n' +\n 'repository for your major version of CentOS, then updates from the CR\\n' +\n 'repository will need to be applied in order to address the\\n' +\n 'vulnerability.\\n';\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + cr_plugin_caveat\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"python / python-debug / python-devel / python-libs / python-test 
/ etc\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-03-01T05:10:12", "description": "From Red Hat Security Advisory 2018:3041 :\n\nAn update for python is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Moderate. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nPython is an interpreted, interactive, object-oriented programming\nlanguage, which includes modules, classes, exceptions, very high level\ndynamic data types and dynamic typing. Python supports interfaces to\nmany system calls and libraries, as well as to various windowing\nsystems.\n\nSecurity Fix(es) :\n\n* python: DOS via regular expression backtracking in\ndifflib.IS_LINE_JUNK method in difflib (CVE-2018-1061)\n\n* python: DOS via regular expression catastrophic backtracking in\napop() method in pop3lib (CVE-2018-1060)\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, and other related information, refer to the CVE page(s)\nlisted in the References section.\n\nRed Hat would like to thank the Python security response team for\nreporting these issues.\n\nAdditional Changes :\n\nFor detailed information on changes in this release, see the Red Hat\nEnterprise Linux 7.6 Release Notes linked from the References section.", "edition": 21, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2018-11-07T00:00:00", "title": "Oracle Linux 7 : python (ELSA-2018-3041)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-1060", "CVE-2018-1061"], "modified": "2021-03-02T00:00:00", "cpe": ["p-cpe:/a:oracle:linux:tkinter", "p-cpe:/a:oracle:linux:python", "p-cpe:/a:oracle:linux:python-libs", "p-cpe:/a:oracle:linux:python-test", "p-cpe:/a:oracle:linux:python-tools", 
"p-cpe:/a:oracle:linux:python-devel", "cpe:/o:oracle:linux:7", "p-cpe:/a:oracle:linux:python-debug"], "id": "ORACLELINUX_ELSA-2018-3041.NASL", "href": "https://www.tenable.com/plugins/nessus/118763", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2018:3041 and \n# Oracle Linux Security Advisory ELSA-2018-3041 respectively.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(118763);\n script_version(\"1.2\");\n script_cvs_date(\"Date: 2019/09/27 13:00:39\");\n\n script_cve_id(\"CVE-2018-1060\", \"CVE-2018-1061\");\n script_xref(name:\"RHSA\", value:\"2018:3041\");\n\n script_name(english:\"Oracle Linux 7 : python (ELSA-2018-3041)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"From Red Hat Security Advisory 2018:3041 :\n\nAn update for python is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Moderate. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nPython is an interpreted, interactive, object-oriented programming\nlanguage, which includes modules, classes, exceptions, very high level\ndynamic data types and dynamic typing. 
Python supports interfaces to\nmany system calls and libraries, as well as to various windowing\nsystems.\n\nSecurity Fix(es) :\n\n* python: DOS via regular expression backtracking in\ndifflib.IS_LINE_JUNK method in difflib (CVE-2018-1061)\n\n* python: DOS via regular expression catastrophic backtracking in\napop() method in pop3lib (CVE-2018-1060)\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, and other related information, refer to the CVE page(s)\nlisted in the References section.\n\nRed Hat would like to thank the Python security response team for\nreporting these issues.\n\nAdditional Changes :\n\nFor detailed information on changes in this release, see the Red Hat\nEnterprise Linux 7.6 Release Notes linked from the References section.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2018-November/008188.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected python packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:python\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:python-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:python-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:python-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:python-test\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:python-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:tkinter\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:7\");\n\n 
script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/06/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/11/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/11/07\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 7\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"python-2.7.5-76.0.1.el7\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"python-debug-2.7.5-76.0.1.el7\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"python-devel-2.7.5-76.0.1.el7\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"python-libs-2.7.5-76.0.1.el7\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"python-test-2.7.5-76.0.1.el7\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"python-tools-2.7.5-76.0.1.el7\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"tkinter-2.7.5-76.0.1.el7\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"python / python-debug / python-devel / python-libs / python-test / etc\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-09-14T13:14:24", "description": "A flaw was found in the way catastrophic backtracking was implemented\nin python's pop3lib's apop() method. An attacker could use this flaw\nto cause denial of service.(CVE-2018-1060)\n\nA flaw was found in the way catastrophic backtracking was implemented\nin python's difflib.IS_LINE_JUNK method. 
An attacker could use this\nflaw to cause denial of service.(CVE-2018-1061)", "edition": 14, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2018-12-07T00:00:00", "title": "Amazon Linux AMI : python27 (ALAS-2018-1108)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-1060", "CVE-2018-1061"], "modified": "2018-12-07T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:python27-libs", "p-cpe:/a:amazon:linux:python27", "p-cpe:/a:amazon:linux:python27-test", "p-cpe:/a:amazon:linux:python27-debuginfo", "p-cpe:/a:amazon:linux:python27-devel", "p-cpe:/a:amazon:linux:python27-tools", "cpe:/o:amazon:linux"], "id": "ALA_ALAS-2018-1108.NASL", "href": "https://www.tenable.com/plugins/nessus/119467", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2018-1108.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(119467);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/06/09\");\n\n script_cve_id(\"CVE-2018-1060\", \"CVE-2018-1061\");\n script_xref(name:\"ALAS\", value:\"2018-1108\");\n\n script_name(english:\"Amazon Linux AMI : python27 (ALAS-2018-1108)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Amazon Linux AMI host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"A flaw was found in the way catastrophic backtracking was implemented\nin python's pop3lib's apop() method. An attacker could use this flaw\nto cause denial of service.(CVE-2018-1060)\n\nA flaw was found in the way catastrophic backtracking was implemented\nin python's difflib.IS_LINE_JUNK method. 
An attacker could use this\nflaw to cause denial of service.(CVE-2018-1061)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://alas.aws.amazon.com/ALAS-2018-1108.html\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Run 'yum update python27' to update your system.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:python27\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:python27-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:python27-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:python27-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:python27-test\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:python27-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/06/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/12/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/12/07\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"ALA\", reference:\"python27-2.7.15-1.124.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"python27-debuginfo-2.7.15-1.124.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"python27-devel-2.7.15-1.124.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"python27-libs-2.7.15-1.124.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"python27-test-2.7.15-1.124.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"python27-tools-2.7.15-1.124.amzn1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"python27 / python27-debuginfo / python27-devel / python27-libs / etc\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-07-02T04:17:43", "description": "Security 
Fix(es) :\n\n - python: DOS via regular expression backtracking in\n difflib.IS_LINE_JUNK method in difflib (CVE-2018-1061)\n\n - python: DOS via regular expression catastrophic\n backtracking in apop() method in pop3lib (CVE-2018-1060)", "edition": 11, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2018-11-27T00:00:00", "title": "Scientific Linux Security Update : python on SL7.x x86_64 (20181030)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-1060", "CVE-2018-1061"], "modified": "2018-11-27T00:00:00", "cpe": ["p-cpe:/a:fermilab:scientific_linux:python-test", "p-cpe:/a:fermilab:scientific_linux:python", "p-cpe:/a:fermilab:scientific_linux:python-debuginfo", "p-cpe:/a:fermilab:scientific_linux:python-tools", "p-cpe:/a:fermilab:scientific_linux:python-devel", "p-cpe:/a:fermilab:scientific_linux:python-libs", "x-cpe:/o:fermilab:scientific_linux", "p-cpe:/a:fermilab:scientific_linux:tkinter", "p-cpe:/a:fermilab:scientific_linux:python-debug"], "id": "SL_20181030_PYTHON_ON_SL7_X.NASL", "href": "https://www.tenable.com/plugins/nessus/119196", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(119196);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/07/01\");\n\n script_cve_id(\"CVE-2018-1060\", \"CVE-2018-1061\");\n\n script_name(english:\"Scientific Linux Security Update : python on SL7.x x86_64 (20181030)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Security Fix(es) :\n\n - python: DOS via regular expression backtracking in\n difflib.IS_LINE_JUNK method in difflib (CVE-2018-1061)\n\n - 
python: DOS via regular expression catastrophic\n backtracking in apop() method in pop3lib (CVE-2018-1060)\"\n );\n # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1811&L=scientific-linux-errata&F=&S=&P=3806\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?b529c1b3\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:python\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:python-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:python-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:python-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:python-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:python-test\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:python-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:tkinter\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/06/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/10/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/11/27\");\n 
script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nos_ver = pregmatch(pattern: \"Scientific Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Scientific Linux\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Scientific Linux 7.x\", \"Scientific Linux \" + os_ver);\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"python-2.7.5-76.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"python-debug-2.7.5-76.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"python-debuginfo-2.7.5-76.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"python-devel-2.7.5-76.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"python-libs-2.7.5-76.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"python-test-2.7.5-76.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"python-tools-2.7.5-76.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"tkinter-2.7.5-76.el7\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"python / python-debug / python-debuginfo / python-devel / etc\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-03-17T22:39:47", "description": "An update of the python2 package has been released.", "edition": 8, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2019-02-07T00:00:00", "title": "Photon OS 2.0: Python2 PHSA-2018-2.0-0086", "type": "nessus", "bulletinFamily": "scanner", 
"cvelist": ["CVE-2018-1060", "CVE-2018-1061"], "modified": "2019-02-07T00:00:00", "cpe": ["p-cpe:/a:vmware:photonos:python2", "cpe:/o:vmware:photonos:2.0"], "id": "PHOTONOS_PHSA-2018-2_0-0086_PYTHON2.NASL", "href": "https://www.tenable.com/plugins/nessus/121985", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\n# The descriptive text and package checks in this plugin were\n# extracted from VMware Security Advisory PHSA-2018-2.0-0086. The text\n# itself is copyright (C) VMware, Inc.\n\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(121985);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2019/02/07\");\n\n script_cve_id(\"CVE-2018-1060\", \"CVE-2018-1061\");\n\n script_name(english:\"Photon OS 2.0: Python2 PHSA-2018-2.0-0086\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote PhotonOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update of the python2 package has been released.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/vmware/photon/wiki/Security-Updates-2-86.md\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected Linux packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-1060\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/08/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/08/23\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/02/07\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:vmware:photonos:python2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:photonos:2.0\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"PhotonOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/PhotonOS/release\", \"Host/PhotonOS/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/PhotonOS/release\");\nif (isnull(release) || release !~ \"^VMware Photon\") audit(AUDIT_OS_NOT, \"PhotonOS\");\nif (release !~ \"^VMware Photon (?:Linux|OS) 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"PhotonOS 2.0\");\n\nif (!get_kb_item(\"Host/PhotonOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"PhotonOS\", cpu);\n\nflag = 0;\n\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"python2-2.7.15-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"python2-2.7.15-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"python2-debuginfo-2.7.15-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"python2-debuginfo-2.7.15-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"python2-devel-2.7.15-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", 
reference:\"python2-devel-2.7.15-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"python2-libs-2.7.15-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"python2-libs-2.7.15-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"python2-test-2.7.15-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"python2-test-2.7.15-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"python2-tools-2.7.15-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"python2-tools-2.7.15-1.ph2\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"python2\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-03-01T06:56:57", "description": "This update for python3 provides the following fixes :\n\nThese security issues were fixed :\n\nCVE-2018-1061: Prevent catastrophic backtracking in the\ndifflib.IS_LINE_JUNK method. An attacker could have used this flaw to\ncause denial of service (bsc#1088004).\n\nCVE-2018-1060: Prevent catastrophic backtracking in pop3lib's apop()\nmethod. An attacker could have used this flaw to cause denial of\nservice (bsc#1088009).\n\nThe update package also includes non-security fixes. See advisory for\ndetails.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 24, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2018-09-13T00:00:00", "title": "SUSE SLED12 / SLES12 Security Update : python3 (SUSE-SU-2018:2696-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-1060", "CVE-2018-1061"], "modified": "2021-03-02T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:libpython3_4m1_0", "cpe:/o:novell:suse_linux:12", "p-cpe:/a:novell:suse_linux:python3-base-debugsource", "p-cpe:/a:novell:suse_linux:python3-debugsource", "p-cpe:/a:novell:suse_linux:python3", "p-cpe:/a:novell:suse_linux:python3-base-debuginfo", "p-cpe:/a:novell:suse_linux:libpython3_4m1_0-debuginfo", "p-cpe:/a:novell:suse_linux:python3-curses", "p-cpe:/a:novell:suse_linux:python3-curses-debuginfo", "p-cpe:/a:novell:suse_linux:python3-base", "p-cpe:/a:novell:suse_linux:python3-debuginfo"], "id": "SUSE_SU-2018-2696-1.NASL", "href": "https://www.tenable.com/plugins/nessus/117478", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2018:2696-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(117478);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2019/09/10 13:51:49\");\n\n script_cve_id(\"CVE-2018-1060\", \"CVE-2018-1061\");\n\n script_name(english:\"SUSE SLED12 / SLES12 Security Update : python3 (SUSE-SU-2018:2696-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for python3 provides the following fixes :\n\nThese security issues were fixed :\n\nCVE-2018-1061: 
Prevent catastrophic backtracking in the\ndifflib.IS_LINE_JUNK method. An attacker could have used this flaw to\ncause denial of service (bsc#1088004).\n\nCVE-2018-1060: Prevent catastrophic backtracking in pop3lib's apop()\nmethod. An attacker could have used this flaw to cause denial of\nservice (bsc#1088009).\n\nThe update package also includes non-security fixes. See advisory for\ndetails.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1086001\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1088004\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1088009\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1107030\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-1060/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-1061/\"\n );\n # https://www.suse.com/support/update/announcement/2018/suse-su-20182696-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?39816b88\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Software Development Kit 12-SP3:zypper in -t\npatch SUSE-SLE-SDK-12-SP3-2018-1886=1\n\nSUSE Linux Enterprise Server 12-SP3:zypper in -t patch\nSUSE-SLE-SERVER-12-SP3-2018-1886=1\n\nSUSE 
Linux Enterprise Module for Web Scripting 12:zypper in -t patch\nSUSE-SLE-Module-Web-Scripting-12-2018-1886=1\n\nSUSE Linux Enterprise Desktop 12-SP3:zypper in -t patch\nSUSE-SLE-DESKTOP-12-SP3-2018-1886=1\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libpython3_4m1_0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libpython3_4m1_0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python3-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python3-base-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python3-base-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python3-curses\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python3-curses-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python3-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python3-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/06/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/09/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/09/13\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by 
Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLED12|SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLED12 / SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(0|3)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP0/3\", os_ver + \" SP\" + sp);\nif (os_ver == \"SLED12\" && (! 
preg(pattern:\"^(3)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED12 SP3\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"libpython3_4m1_0-3.4.6-25.16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"libpython3_4m1_0-debuginfo-3.4.6-25.16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"python3-3.4.6-25.16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"python3-base-3.4.6-25.16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"python3-base-debuginfo-3.4.6-25.16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"python3-base-debugsource-3.4.6-25.16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"python3-debuginfo-3.4.6-25.16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"python3-debugsource-3.4.6-25.16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libpython3_4m1_0-3.4.6-25.16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libpython3_4m1_0-debuginfo-3.4.6-25.16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"python3-3.4.6-25.16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"python3-base-3.4.6-25.16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"python3-base-debuginfo-3.4.6-25.16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"python3-base-debugsource-3.4.6-25.16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"python3-curses-3.4.6-25.16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"python3-curses-debuginfo-3.4.6-25.16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"python3-debuginfo-3.4.6-25.16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"python3-debugsource-3.4.6-25.16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", 
cpu:\"x86_64\", reference:\"libpython3_4m1_0-3.4.6-25.16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"libpython3_4m1_0-debuginfo-3.4.6-25.16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"python3-3.4.6-25.16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"python3-base-3.4.6-25.16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"python3-base-debuginfo-3.4.6-25.16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"python3-base-debugsource-3.4.6-25.16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"python3-curses-3.4.6-25.16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"python3-curses-debuginfo-3.4.6-25.16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"python3-debuginfo-3.4.6-25.16.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"python3-debugsource-3.4.6-25.16.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"python3\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-03-01T05:46:29", "description": "An update for python is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Moderate. 
A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nPython is an interpreted, interactive, object-oriented programming\nlanguage, which includes modules, classes, exceptions, very high level\ndynamic data types and dynamic typing. Python supports interfaces to\nmany system calls and libraries, as well as to various windowing\nsystems.\n\nSecurity Fix(es) :\n\n* python: DOS via regular expression backtracking in\ndifflib.IS_LINE_JUNK method in difflib (CVE-2018-1061)\n\n* python: DOS via regular expression catastrophic backtracking in\napop() method in pop3lib (CVE-2018-1060)\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, and other related information, refer to the CVE page(s)\nlisted in the References section.\n\nRed Hat would like to thank the Python security response team for\nreporting these issues.\n\nAdditional Changes :\n\nFor detailed information on changes in this release, see the Red Hat\nEnterprise Linux 7.6 Release Notes linked from the References section.", "edition": 22, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2018-10-31T00:00:00", "title": "RHEL 7 : python (RHSA-2018:3041)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-1060", "CVE-2018-1061"], "modified": "2021-03-02T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:python-tools", "p-cpe:/a:redhat:enterprise_linux:python", "p-cpe:/a:redhat:enterprise_linux:python-devel", "p-cpe:/a:redhat:enterprise_linux:tkinter", "cpe:/o:redhat:enterprise_linux:7", "p-cpe:/a:redhat:enterprise_linux:python-debuginfo", "p-cpe:/a:redhat:enterprise_linux:python-test", "p-cpe:/a:redhat:enterprise_linux:python-debug", "p-cpe:/a:redhat:enterprise_linux:python-libs"], "id": "REDHAT-RHSA-2018-3041.NASL", "href": "https://www.tenable.com/plugins/nessus/118515", "sourceData": "#\n# 
(C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2018:3041. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(118515);\n script_version(\"1.5\");\n script_cvs_date(\"Date: 2019/10/24 15:35:45\");\n\n script_cve_id(\"CVE-2018-1060\", \"CVE-2018-1061\");\n script_xref(name:\"RHSA\", value:\"2018:3041\");\n\n script_name(english:\"RHEL 7 : python (RHSA-2018:3041)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for python is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Moderate. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nPython is an interpreted, interactive, object-oriented programming\nlanguage, which includes modules, classes, exceptions, very high level\ndynamic data types and dynamic typing. 
Python supports interfaces to\nmany system calls and libraries, as well as to various windowing\nsystems.\n\nSecurity Fix(es) :\n\n* python: DOS via regular expression backtracking in\ndifflib.IS_LINE_JUNK method in difflib (CVE-2018-1061)\n\n* python: DOS via regular expression catastrophic backtracking in\napop() method in pop3lib (CVE-2018-1060)\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, and other related information, refer to the CVE page(s)\nlisted in the References section.\n\nRed Hat would like to thank the Python security response team for\nreporting these issues.\n\nAdditional Changes :\n\nFor detailed information on changes in this release, see the Red Hat\nEnterprise Linux 7.6 Release Notes linked from the References section.\"\n );\n # https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?3395ff0b\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2018:3041\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-1060\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-1061\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-debuginfo\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:redhat:enterprise_linux:python-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-test\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tkinter\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/06/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/10/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/10/31\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 7.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2018:3041\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"python-2.7.5-76.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"python-2.7.5-76.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"python-debug-2.7.5-76.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"python-debug-2.7.5-76.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"python-debuginfo-2.7.5-76.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"python-devel-2.7.5-76.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"python-devel-2.7.5-76.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"python-libs-2.7.5-76.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"python-test-2.7.5-76.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"python-test-2.7.5-76.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"python-tools-2.7.5-76.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", 
cpu:\"x86_64\", reference:\"python-tools-2.7.5-76.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"tkinter-2.7.5-76.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"tkinter-2.7.5-76.el7\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"python / python-debug / python-debuginfo / python-devel / etc\");\n }\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-20T12:33:42", "description": "This update for python3 provides the following fixes :\n\nThese security issues were fixed :\n\n - CVE-2018-1061: Prevent catastrophic backtracking in the\n difflib.IS_LINE_JUNK method. An attacker could have used\n this flaw to cause denial of service (bsc#1088004).\n\n - CVE-2018-1060: Prevent catastrophic backtracking in\n pop3lib's apop() method. An attacker could have used\n this flaw to cause denial of service (bsc#1088009).\n\nThese non-security issues were fixed :\n\n - Sort files and directories when creating tarfile\n archives so that they are created in a more predictable\n way. 
(bsc#1086001)\n\n - Add -fwrapv to OPTS (bsc#1107030)\n\nThis update was imported from the SUSE:SLE-12:Update update project.", "edition": 15, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2018-09-17T00:00:00", "title": "openSUSE Security Update : python3 (openSUSE-2018-1001)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-1060", "CVE-2018-1061"], "modified": "2018-09-17T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:python3", "p-cpe:/a:novell:opensuse:python3-dbm", "p-cpe:/a:novell:opensuse:python3-base-debuginfo", "p-cpe:/a:novell:opensuse:python3-curses", "p-cpe:/a:novell:opensuse:python3-devel-debuginfo", "p-cpe:/a:novell:opensuse:libpython3_4m1_0", "p-cpe:/a:novell:opensuse:python3-debuginfo-32bit", "p-cpe:/a:novell:opensuse:libpython3_4m1_0-debuginfo-32bit", "p-cpe:/a:novell:opensuse:python3-devel", "p-cpe:/a:novell:opensuse:python3-base", "p-cpe:/a:novell:opensuse:python3-tk-debuginfo", "p-cpe:/a:novell:opensuse:python3-32bit", "p-cpe:/a:novell:opensuse:python3-testsuite-debuginfo", "p-cpe:/a:novell:opensuse:python3-dbm-debuginfo", "p-cpe:/a:novell:opensuse:python3-base-debuginfo-32bit", "cpe:/o:novell:opensuse:42.3", "p-cpe:/a:novell:opensuse:python3-curses-debuginfo", "p-cpe:/a:novell:opensuse:python3-tools", "p-cpe:/a:novell:opensuse:python3-base-32bit", "p-cpe:/a:novell:opensuse:python3-doc-pdf", "p-cpe:/a:novell:opensuse:python3-testsuite", "p-cpe:/a:novell:opensuse:libpython3_4m1_0-32bit", "p-cpe:/a:novell:opensuse:python3-idle", "p-cpe:/a:novell:opensuse:python3-tk", "p-cpe:/a:novell:opensuse:python3-debugsource", "p-cpe:/a:novell:opensuse:python3-base-debugsource", "p-cpe:/a:novell:opensuse:python3-debuginfo", "p-cpe:/a:novell:opensuse:libpython3_4m1_0-debuginfo"], "id": "OPENSUSE-2018-1001.NASL", "href": "https://www.tenable.com/plugins/nessus/117516", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this 
plugin were\n# extracted from openSUSE Security Update openSUSE-2018-1001.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(117516);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2018-1060\", \"CVE-2018-1061\");\n\n script_name(english:\"openSUSE Security Update : python3 (openSUSE-2018-1001)\");\n script_summary(english:\"Check for the openSUSE-2018-1001 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for python3 provides the following fixes :\n\nThese security issues were fixed :\n\n - CVE-2018-1061: Prevent catastrophic backtracking in the\n difflib.IS_LINE_JUNK method. An attacker could have used\n this flaw to cause denial of service (bsc#1088004).\n\n - CVE-2018-1060: Prevent catastrophic backtracking in\n pop3lib's apop() method. An attacker could have used\n this flaw to cause denial of service (bsc#1088009).\n\nThese non-security issues were fixed :\n\n - Sort files and directories when creating tarfile\n archives so that they are created in a more predictable\n way. 
(bsc#1086001)\n\n - Add -fwrapv to OPTS (bsc#1107030)\n\nThis update was imported from the SUSE:SLE-12:Update update project.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1086001\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1088004\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1088009\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1107030\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected python3 packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libpython3_4m1_0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libpython3_4m1_0-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libpython3_4m1_0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libpython3_4m1_0-debuginfo-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:python3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:python3-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:python3-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:python3-base-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:python3-base-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:python3-base-debuginfo-32bit\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:novell:opensuse:python3-base-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:python3-curses\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:python3-curses-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:python3-dbm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:python3-dbm-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:python3-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:python3-debuginfo-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:python3-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:python3-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:python3-devel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:python3-doc-pdf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:python3-idle\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:python3-testsuite\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:python3-testsuite-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:python3-tk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:python3-tk-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:python3-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:42.3\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/09/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/09/17\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 
2018-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE42\\.3)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"42.3\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE42.3\", reference:\"libpython3_4m1_0-3.4.6-12.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"libpython3_4m1_0-debuginfo-3.4.6-12.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"python3-3.4.6-12.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"python3-base-3.4.6-12.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"python3-base-debuginfo-3.4.6-12.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"python3-base-debugsource-3.4.6-12.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"python3-curses-3.4.6-12.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"python3-curses-debuginfo-3.4.6-12.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"python3-dbm-3.4.6-12.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"python3-dbm-debuginfo-3.4.6-12.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", 
reference:\"python3-debuginfo-3.4.6-12.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"python3-debugsource-3.4.6-12.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"python3-devel-3.4.6-12.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"python3-devel-debuginfo-3.4.6-12.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"python3-doc-pdf-3.4.6-12.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"python3-idle-3.4.6-12.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"python3-testsuite-3.4.6-12.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"python3-testsuite-debuginfo-3.4.6-12.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"python3-tk-3.4.6-12.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"python3-tk-debuginfo-3.4.6-12.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"python3-tools-3.4.6-12.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", cpu:\"x86_64\", reference:\"libpython3_4m1_0-32bit-3.4.6-12.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", cpu:\"x86_64\", reference:\"libpython3_4m1_0-debuginfo-32bit-3.4.6-12.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", cpu:\"x86_64\", reference:\"python3-32bit-3.4.6-12.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", cpu:\"x86_64\", reference:\"python3-base-32bit-3.4.6-12.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", cpu:\"x86_64\", reference:\"python3-base-debuginfo-32bit-3.4.6-12.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", cpu:\"x86_64\", reference:\"python3-debuginfo-32bit-3.4.6-12.6.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libpython3_4m1_0 / 
libpython3_4m1_0-32bit / etc\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-07T08:54:42", "description": "According to the versions of the python packages installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerabilities :\n\n - python: DOS via regular expression backtracking in\n difflib.IS_LINE_JUNK method in difflib (CVE-2018-1061)\n\n - python: DOS via regular expression catastrophic\n backtracking in apop() method in pop3lib\n (CVE-2018-1060)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 12, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2019-03-08T00:00:00", "title": "EulerOS 2.0 SP5 : python (EulerOS-SA-2019-1072)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-1060", "CVE-2018-1061"], "modified": "2019-03-08T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:python", "p-cpe:/a:huawei:euleros:tkinter", "p-cpe:/a:huawei:euleros:python-devel", "p-cpe:/a:huawei:euleros:python-libs", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2019-1072.NASL", "href": "https://www.tenable.com/plugins/nessus/122695", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(122695);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\n \"CVE-2018-1060\",\n \"CVE-2018-1061\"\n );\n\n script_name(english:\"EulerOS 2.0 SP5 : python (EulerOS-SA-2019-1072)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is 
missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the python packages installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerabilities :\n\n - python: DOS via regular expression backtracking in\n difflib.IS_LINE_JUNK method in difflib (CVE-2018-1061)\n\n - python: DOS via regular expression catastrophic\n backtracking in apop() method in pop3lib\n (CVE-2018-1060)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1072\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?da000b13\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected python packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/03/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/03/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:python\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:python-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:python-libs\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:huawei:euleros:tkinter\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(5)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP5\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP5\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"python-2.7.5-69.h7.eulerosv2r7\",\n \"python-devel-2.7.5-69.h7.eulerosv2r7\",\n \"python-libs-2.7.5-69.h7.eulerosv2r7\",\n \"tkinter-2.7.5-69.h7.eulerosv2r7\"];\n\nforeach (pkg in pkgs)\n if 
(rpm_check(release:\"EulerOS-2.0\", sp:\"5\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"python\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-07T08:55:18", "description": "According to the versions of the python packages installed, the\nEulerOS Virtualization installation on the remote host is affected by\nthe following vulnerabilities :\n\n - A flaw was found in the way catastrophic backtracking\n was implemented in python's pop3lib's apop() method. An\n attacker could use this flaw to cause denial of\n service. (CVE-2018-1060)\n\n - A flaw was found in the way catastrophic backtracking\n was implemented in python's difflib.IS_LINE_JUNK\n method. An attacker could use this flaw to cause denial\n of service. (CVE-2018-1061)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 11, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2019-04-04T00:00:00", "title": "EulerOS Virtualization 2.5.4 : python (EulerOS-SA-2019-1248)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-1060", "CVE-2018-1061"], "modified": "2019-04-04T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:python", "p-cpe:/a:huawei:euleros:tkinter", "p-cpe:/a:huawei:euleros:python-tools", "p-cpe:/a:huawei:euleros:python-devel", "p-cpe:/a:huawei:euleros:python-libs", "cpe:/o:huawei:euleros:uvp:2.5.4"], "id": "EULEROS_SA-2019-1248.NASL", "href": "https://www.tenable.com/plugins/nessus/123716", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(123716);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\n \"CVE-2018-1060\",\n \"CVE-2018-1061\"\n );\n\n script_name(english:\"EulerOS Virtualization 2.5.4 : python (EulerOS-SA-2019-1248)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS Virtualization host is missing multiple security\nupdates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the python packages installed, the\nEulerOS Virtualization installation on the remote host is affected by\nthe following vulnerabilities :\n\n - A flaw was found in the way catastrophic backtracking\n was implemented in python's pop3lib's apop() method. 
An\n attacker could use this flaw to cause denial of\n service.i1/4^CVE-2018-1060i1/4%0\n\n - A flaw was found in the way catastrophic backtracking\n was implemented in python's difflib.IS_LINE_JUNK\n method. An attacker could use this flaw to cause denial\n of service.i1/4^CVE-2018-1061i1/4%0\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1248\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?4f638de7\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected python packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/04/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/04/04\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:python\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:python-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:python-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:python-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:tkinter\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:uvp:2.5.4\");\n 
script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (uvp != \"2.5.4\") audit(AUDIT_OS_NOT, \"EulerOS Virtualization 2.5.4\");\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"python-2.7.5-69.h7\",\n \"python-devel-2.7.5-69.h7\",\n \"python-libs-2.7.5-69.h7\",\n \"python-tools-2.7.5-69.h7\",\n \"tkinter-2.7.5-69.h7\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"python\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "openvas": 
[{"lastseen": "2019-11-13T20:07:42", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-1060", "CVE-2018-1061"], "description": "This host is installed with python and is\n prone to multiple denial of service vulnerabilities.", "modified": "2019-11-12T00:00:00", "published": "2018-06-26T00:00:00", "id": "OPENVAS:1361412562310813546", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310813546", "type": "openvas", "title": "Python Multiple Denial of Service Vulnerabilities June18 (Windows)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Python Multiple Denial of Service Vulnerabilities June18 (Windows)\n#\n# Authors:\n# Rajat Mishra <rajatm@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:python:python\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.813546\");\n script_version(\"2019-11-12T13:34:01+0000\");\n script_cve_id(\"CVE-2018-1060\", \"CVE-2018-1061\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-11-12 13:34:01 +0000 (Tue, 12 Nov 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-06-26 13:48:30 +0530 (Tue, 26 Jun 2018)\");\n script_name(\"Python Multiple Denial of Service Vulnerabilities June18 (Windows)\");\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"General\");\n script_dependencies(\"gb_python_detect_win.nasl\");\n script_mandatory_keys(\"python/win/detected\");\n\n script_xref(name:\"URL\", value:\"https://bugs.python.org/issue32981\");\n script_xref(name:\"URL\", value:\"https://docs.python.org/3.6/whatsnew/changelog.html\");\n script_xref(name:\"URL\", value:\"https://docs.python.org/3.7/whatsnew/changelog.html\");\n script_xref(name:\"URL\", value:\"https://www.python.org\");\n\n script_tag(name:\"summary\", value:\"This host is installed with python and is\n prone to multiple denial of service vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exist due to,\n\n - Failing to sanitize against backtracking in pop3lib's apop method.\n\n - Failing to sanitize against backtracking in 'difflib.IS_LINE_JUNK' 
method.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to conduct denial of service attack on the affected user.\");\n\n script_tag(name:\"affected\", value:\"Python before versions 2.7.15, 3.4.9, 3.5.6\n and 3.7.0.beta3 on Windows\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Python 2.7.15 or 3.4.9 or 3.5.6\n or 3.7.0.beta3.\");\n\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\nif(!infos = get_app_version_and_location(cpe:CPE, exit_no_version:TRUE)) exit(0);\npVer = infos['version'];\npPath = infos['location'];\n\n##2.7.15 == 2.7.15150\nif(version_is_less(version:pVer, test_version:\"2.7.15150\")){\n fix = \"2.7.15\";\n}\n\n#Versions 3.4.9 and 3.5.6 can't be verified because of unavailability of downloads\n#else if(version_in_range(version: pVer, test_version: \"3.4.0\", test_version2: \"3.4.16789\"))\n#{\n# report = report_fixed_ver(installed_version:pVer, fixed_version:\"3.4.9\", install_path:pPath);\n# security_message(data:report);\n# exit(0);\n#}\n#\n#else if(version_in_range(version: pVer, test_version: \"3.5.0\", test_version2: \"3.5.4121.0\"))\n#{\n# report = report_fixed_ver(installed_version:pVer, fixed_version:\"3.5.6\", install_path:pPath);\n# security_message(data:report);\n# exit(0);\n#}\n\n#Version 3.6.4 = 3.6.4150.0\nelse if(version_in_range(version: pVer, test_version: \"3.6.0\", test_version2: \"3.6.4150.0\")){\n fix = \"3.6.5\";\n}\n\n#Version 3.7.0.b3 = 3.7.133.0\nelse if(version_is_greater(version: pVer, test_version: \"3.7.0\") && version_is_less(version: pVer, test_version: \"3.7.133.0\")){\n fix = \"3.7.0 beta 3\";\n}\n\nif(fix){\n report = report_fixed_ver(installed_version:pVer, fixed_version:fix, install_path:pPath);\n security_message(data:report);\n}\n\nexit(0);\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, 
{"lastseen": "2019-11-13T20:07:42", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-1060", "CVE-2018-1061"], "description": "This host is installed with python and is\n prone to multiple denial of service vulnerabilities.", "modified": "2019-11-12T00:00:00", "published": "2018-06-28T00:00:00", "id": "OPENVAS:1361412562310813547", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310813547", "type": "openvas", "title": "Python Multiple Denial of Service Vulnerabilities June18 (Mac OS X)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Python Multiple Denial of Service Vulnerabilities June18 (Mac OS X)\n#\n# Authors:\n# Rajat Mishra <rajatm@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:python:python\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.813547\");\n script_version(\"2019-11-12T13:45:36+0000\");\n script_cve_id(\"CVE-2018-1060\", \"CVE-2018-1061\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-11-12 13:45:36 +0000 (Tue, 12 Nov 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-06-28 18:47:01 +0530 (Thu, 28 Jun 2018)\");\n script_name(\"Python Multiple Denial of Service Vulnerabilities June18 (Mac OS X)\");\n\n script_tag(name:\"summary\", value:\"This host is installed with python and is\n prone to multiple denial of service vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exist due to,\n\n - Failing to sanitize against backtracking in pop3lib's apop method.\n\n - Failing to sanitize against backtracking in 'difflib.IS_LINE_JUNK' method.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to conduct denial of service attack on the affected user.\");\n\n script_tag(name:\"qod_type\", value:\"executable_version\");\n\n script_tag(name:\"affected\", value:\"Python before versions 2.7.15, 3.4.9, 3.5.6\n and 3.7.0.beta3 on Mac OS X\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Python 2.7.15 or 3.4.9 or 3.5.6\n or 3.7.0.beta3. 
Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://bugs.python.org/issue32981\");\n script_xref(name:\"URL\", value:\"https://docs.python.org/3.6/whatsnew/changelog.html\");\n script_xref(name:\"URL\", value:\"https://docs.python.org/3.7/whatsnew/changelog.html\");\n script_xref(name:\"URL\", value:\"https://www.python.org\");\n\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"General\");\n script_dependencies(\"gb_python_detect_macosx.nasl\");\n script_mandatory_keys(\"python/macosx/detected\");\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\nif(!infos = get_app_version_and_location(cpe:CPE, exit_no_version:TRUE)) exit(0);\npVer = infos['version'];\npPath = infos['location'];\n\n##2.7.15 == 2.7.15150\nif(version_is_less(version:pVer, test_version:\"2.7.15150\")){\n fix = \"2.7.15\";\n}\n\n#Versions 3.4.9 and 3.5.6 can't be verified because of unavailability of downloads\n#else if(version_in_range(version: pVer, test_version: \"3.4.0\", test_version2: \"3.4.16789\"))\n#{\n# report = report_fixed_ver(installed_version:pVer, fixed_version:\"3.4.9\", install_path:pPath);\n# security_message(data:report);\n# exit(0);\n#}\n#\n#else if(version_in_range(version: pVer, test_version: \"3.5.0\", test_version2: \"3.5.4121.0\"))\n#{\n# report = report_fixed_ver(installed_version:pVer, fixed_version:\"3.5.6\", install_path:pPath);\n# security_message(data:report);\n# exit(0);\n#}\n\n#Version 3.6.4 = 3.6.4150.0\nelse if(version_in_range(version: pVer, test_version: \"3.6.0\", test_version2: \"3.6.4150.0\")){\n fix = \"3.6.5\";\n}\n\n#Version 3.7.0.b3 = 3.7.133.0\nelse if(version_is_greater(version: pVer, test_version: \"3.7.0\") && version_is_less(version: pVer, test_version: \"3.7.133.0\")){\n fix = \"3.7.0 beta 3\";\n}\n\nif(fix)\n{\n report = 
report_fixed_ver(installed_version:pVer, fixed_version:fix, install_path:pPath);\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-05-29T18:33:11", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-1060", "CVE-2018-1061"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2018-04-10T00:00:00", "id": "OPENVAS:1361412562310874351", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310874351", "type": "openvas", "title": "Fedora Update for python3-docs FEDORA-2018-a042f795b2", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2018_a042f795b2_python3-docs_fc27.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for python3-docs FEDORA-2018-a042f795b2\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.874351\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-04-10 08:56:09 +0200 (Tue, 10 Apr 2018)\");\n script_cve_id(\"CVE-2018-1060\", \"CVE-2018-1061\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for python3-docs FEDORA-2018-a042f795b2\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'python3-docs'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"python3-docs on Fedora 27\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_xref(name:\"FEDORA\", value:\"2018-a042f795b2\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4NIP7KL6OITRSKD2LO4VQCLV2SRW7SOM\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC27\");\n\n 
exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC27\")\n{\n\n if ((res = isrpmvuln(pkg:\"python3-docs\", rpm:\"python3-docs~3.6.5~1.fc27\", rls:\"FC27\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-01-27T18:35:55", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-1060", "CVE-2018-1061"], "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-01-23T00:00:00", "published": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220191072", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220191072", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for python (EulerOS-SA-2019-1072)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2019.1072\");\n script_version(\"2020-01-23T11:30:08+0000\");\n script_cve_id(\"CVE-2018-1060\", \"CVE-2018-1061\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 11:30:08 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 11:30:08 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for python (EulerOS-SA-2019-1072)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP5\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2019-1072\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1072\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'python' package(s) announced via the EulerOS-SA-2019-1072 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"python: DOS via regular expression backtracking in difflib.IS_LINE_JUNK method in difflib (CVE-2018-1061)\n\npython: DOS via regular expression catastrophic backtracking in apop() method in pop3lib (CVE-2018-1060)\");\n\n script_tag(name:\"affected\", value:\"'python' 
package(s) on Huawei EulerOS V2.0SP5.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP5\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"python\", rpm:\"python~2.7.5~69.h7.eulerosv2r7\", rls:\"EULEROS-2.0SP5\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python-devel\", rpm:\"python-devel~2.7.5~69.h7.eulerosv2r7\", rls:\"EULEROS-2.0SP5\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python-libs\", rpm:\"python-libs~2.7.5~69.h7.eulerosv2r7\", rls:\"EULEROS-2.0SP5\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"tkinter\", rpm:\"tkinter~2.7.5~69.h7.eulerosv2r7\", rls:\"EULEROS-2.0SP5\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-05-29T18:33:06", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-1060", "CVE-2018-1061"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2018-04-10T00:00:00", "id": "OPENVAS:1361412562310874352", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310874352", "type": "openvas", "title": "Fedora Update for python3-docs FEDORA-2018-aa8de9d66a", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2018_aa8de9d66a_python3-docs_fc26.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for python3-docs FEDORA-2018-aa8de9d66a\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# 
Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.874352\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-04-10 08:56:13 +0200 (Tue, 10 Apr 2018)\");\n script_cve_id(\"CVE-2018-1060\", \"CVE-2018-1061\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for python3-docs FEDORA-2018-aa8de9d66a\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'python3-docs'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"python3-docs on Fedora 26\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_xref(name:\"FEDORA\", value:\"2018-aa8de9d66a\");\n script_xref(name:\"URL\", 
value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WDMMBWQZXBVWXGLL7BXKYZOWV4TYDOQR\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC26\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC26\")\n{\n\n if ((res = isrpmvuln(pkg:\"python3-docs\", rpm:\"python3-docs~3.6.5~1.fc26\", rls:\"FC26\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-01-27T18:35:50", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-1060", "CVE-2018-1061"], "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-01-23T00:00:00", "published": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220191246", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220191246", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for python (EulerOS-SA-2019-1246)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# 
but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2019.1246\");\n script_version(\"2020-01-23T11:36:19+0000\");\n script_cve_id(\"CVE-2018-1060\", \"CVE-2018-1061\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 11:36:19 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 11:36:19 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for python (EulerOS-SA-2019-1246)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROSVIRT-2\\.5\\.3\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2019-1246\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1246\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'python' package(s) announced via the EulerOS-SA-2019-1246 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"A flaw was found in the way catastrophic backtracking was implemented in python's pop3lib's apop() method. 
An attacker could use this flaw to cause denial of service.CVE-2018-1060\n\nA flaw was found in the way catastrophic backtracking was implemented in python's difflib.IS_LINE_JUNK method. An attacker could use this flaw to cause denial of service.CVE-2018-1061\");\n\n script_tag(name:\"affected\", value:\"'python' package(s) on Huawei EulerOS Virtualization 2.5.3.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROSVIRT-2.5.3\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"python\", rpm:\"python~2.7.5~58.h10\", rls:\"EULEROSVIRT-2.5.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python-devel\", rpm:\"python-devel~2.7.5~58.h10\", rls:\"EULEROSVIRT-2.5.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python-libs\", rpm:\"python-libs~2.7.5~58.h10\", rls:\"EULEROSVIRT-2.5.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python-tools\", rpm:\"python-tools~2.7.5~58.h10\", rls:\"EULEROSVIRT-2.5.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"tkinter\", rpm:\"tkinter~2.7.5~58.h10\", rls:\"EULEROSVIRT-2.5.3\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-05-29T18:33:03", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-1060", "CVE-2018-1061"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2018-04-10T00:00:00", "id": "OPENVAS:1361412562310874355", "href": 
"http://plugins.openvas.org/nasl.php?oid=1361412562310874355", "type": "openvas", "title": "Fedora Update for python3 FEDORA-2018-a042f795b2", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2018_a042f795b2_python3_fc27.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for python3 FEDORA-2018-a042f795b2\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.874355\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-04-10 08:56:28 +0200 (Tue, 10 Apr 2018)\");\n script_cve_id(\"CVE-2018-1060\", \"CVE-2018-1061\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for python3 FEDORA-2018-a042f795b2\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 
'python3'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"python3 on Fedora 27\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_xref(name:\"FEDORA\", value:\"2018-a042f795b2\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CCVDPYS7WEXGSBKZEHCXRPDAZ3ZKV6AU\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC27\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC27\")\n{\n\n if ((res = isrpmvuln(pkg:\"python3\", rpm:\"python3~3.6.5~1.fc27\", rls:\"FC27\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-05-29T18:32:58", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-1060", "CVE-2018-1061"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2018-04-10T00:00:00", "id": "OPENVAS:1361412562310874353", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310874353", "type": "openvas", "title": "Fedora Update for python3 FEDORA-2018-aa8de9d66a", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2018_aa8de9d66a_python3_fc26.nasl 14223 2019-03-15 
13:49:35Z cfischer $\n#\n# Fedora Update for python3 FEDORA-2018-aa8de9d66a\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.874353\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-04-10 08:56:18 +0200 (Tue, 10 Apr 2018)\");\n script_cve_id(\"CVE-2018-1060\", \"CVE-2018-1061\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for python3 FEDORA-2018-aa8de9d66a\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'python3'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"python3 on Fedora 26\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n 
script_xref(name:\"FEDORA\", value:\"2018-aa8de9d66a\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/64V43ZPWENW3KHGSUC3P24WVLPTYWKJX\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC26\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC26\")\n{\n\n if ((res = isrpmvuln(pkg:\"python3\", rpm:\"python3~3.6.5~1.fc26\", rls:\"FC26\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-05-29T18:32:58", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-1060", "CVE-2018-1061"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2018-04-10T00:00:00", "id": "OPENVAS:1361412562310874347", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310874347", "type": "openvas", "title": "Fedora Update for python-pip FEDORA-2018-a042f795b2", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2018_a042f795b2_python-pip_fc27.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for python-pip FEDORA-2018-a042f795b2\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General 
Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.874347\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-04-10 08:55:50 +0200 (Tue, 10 Apr 2018)\");\n script_cve_id(\"CVE-2018-1060\", \"CVE-2018-1061\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for python-pip FEDORA-2018-a042f795b2\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'python-pip'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"python-pip on Fedora 27\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_xref(name:\"FEDORA\", value:\"2018-a042f795b2\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AKUSRCOCVGKC5KQ2LQUFXX2R5HC4XHWL\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n 
script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC27\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC27\")\n{\n\n if ((res = isrpmvuln(pkg:\"python-pip\", rpm:\"python-pip~9.0.3~1.fc27\", rls:\"FC27\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-01-31T17:39:53", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-1060", "CVE-2018-1061"], "description": "The remote host is missing an update for the ", "modified": "2020-01-31T00:00:00", "published": "2018-09-15T00:00:00", "id": "OPENVAS:1361412562310851890", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310851890", "type": "openvas", "title": "openSUSE: Security Advisory for python3 (openSUSE-SU-2018:2712-1)", "sourceData": "# Copyright (C) 2018 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.851890\");\n script_version(\"2020-01-31T08:23:39+0000\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 08:23:39 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-09-15 07:24:32 +0200 (Sat, 15 Sep 2018)\");\n script_cve_id(\"CVE-2018-1060\", \"CVE-2018-1061\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"openSUSE: Security Advisory for python3 (openSUSE-SU-2018:2712-1)\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'python3'\n package(s) announced via the referenced advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"This update for python3 provides the following fixes:\n\n These security issues were fixed:\n\n - CVE-2018-1061: Prevent catastrophic backtracking in the\n difflib.IS_LINE_JUNK method. An attacker could have used this flaw to\n cause denial of service (bsc#1088004).\n\n - CVE-2018-1060: Prevent catastrophic backtracking in pop3lib's apop()\n method. An attacker could have used this flaw to cause denial of service\n (bsc#1088009).\n\n These non-security issues were fixed:\n\n - Sort files and directories when creating tarfile archives so that they\n are created in a more predictable way. 
(bsc#1086001)\n\n - Add -fwrapv to OPTS (bsc#1107030)\n\n This update was imported from the SUSE:SLE-12:Update update project.\n\n Patch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended\n installation methods\n like YaST online_update or 'zypper patch'.\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 42.3:\n\n zypper in -t patch openSUSE-2018-1001=1\");\n\n script_tag(name:\"affected\", value:\"python3 on openSUSE Leap 42.3\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2018:2712-1\");\n script_xref(name:\"URL\", value:\"https://lists.opensuse.org/opensuse-security-announce/2018-09/msg00024.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSELeap42\\.3\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSELeap42.3\") {\n if(!isnull(res = isrpmvuln(pkg:\"libpython3_4m1_0\", rpm:\"libpython3_4m1_0~3.4.6~12.6.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libpython3_4m1_0-debuginfo\", rpm:\"libpython3_4m1_0-debuginfo~3.4.6~12.6.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python3\", rpm:\"python3~3.4.6~12.6.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python3-base\", rpm:\"python3-base~3.4.6~12.6.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python3-base-debuginfo\", 
rpm:\"python3-base-debuginfo~3.4.6~12.6.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python3-base-debugsource\", rpm:\"python3-base-debugsource~3.4.6~12.6.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python3-curses\", rpm:\"python3-curses~3.4.6~12.6.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python3-curses-debuginfo\", rpm:\"python3-curses-debuginfo~3.4.6~12.6.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python3-dbm\", rpm:\"python3-dbm~3.4.6~12.6.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python3-dbm-debuginfo\", rpm:\"python3-dbm-debuginfo~3.4.6~12.6.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python3-debuginfo\", rpm:\"python3-debuginfo~3.4.6~12.6.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python3-debugsource\", rpm:\"python3-debugsource~3.4.6~12.6.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python3-devel\", rpm:\"python3-devel~3.4.6~12.6.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python3-devel-debuginfo\", rpm:\"python3-devel-debuginfo~3.4.6~12.6.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python3-idle\", rpm:\"python3-idle~3.4.6~12.6.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python3-testsuite\", rpm:\"python3-testsuite~3.4.6~12.6.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python3-testsuite-debuginfo\", rpm:\"python3-testsuite-debuginfo~3.4.6~12.6.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python3-tk\", 
rpm:\"python3-tk~3.4.6~12.6.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python3-tk-debuginfo\", rpm:\"python3-tk-debuginfo~3.4.6~12.6.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python3-tools\", rpm:\"python3-tools~3.4.6~12.6.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libpython3_4m1_0-32bit\", rpm:\"libpython3_4m1_0-32bit~3.4.6~12.6.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libpython3_4m1_0-debuginfo-32bit\", rpm:\"libpython3_4m1_0-debuginfo-32bit~3.4.6~12.6.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python3-32bit\", rpm:\"python3-32bit~3.4.6~12.6.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python3-base-32bit\", rpm:\"python3-base-32bit~3.4.6~12.6.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python3-base-debuginfo-32bit\", rpm:\"python3-base-debuginfo-32bit~3.4.6~12.6.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python3-debuginfo-32bit\", rpm:\"python3-debuginfo-32bit~3.4.6~12.6.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python3-doc\", rpm:\"python3-doc~3.4.6~12.6.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python3-doc-pdf\", rpm:\"python3-doc-pdf~3.4.6~12.6.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "oraclelinux": [{"lastseen": "2020-10-22T17:11:34", "bulletinFamily": "unix", "cvelist": ["CVE-2016-2183", "CVE-2018-1060", "CVE-2018-1061"], "description": "[2.7.5-76.0.1]\n- 
Add Oracle Linux distribution in platform.py [orabug 20812544]\n[2.7.5-76]\n- Remove an unversioned obsoletes tag\nResolves: rhbz#1627059\n[2.7.5-75]\n- Provide the /usr/libexec/platform-python symlink to the main binary\nResolves: rhbz#1599159\n[2.7.5-74]\n- Fix OSERROR 17 due to _multiprocessing/semaphore.c assuming\n a one-to-one Pid -> process mapping\nResolves: rhbz#1579432\n[2.7.5-73]\n- Remove 3DS cipher to mitigate CVE-2016-2183 (sweet32).\nResolves: rhbz#1581901\n[2.7.5-72]\n- Fix CVE-2018-1060 and CVE-2018-1061\nResolves: rhbz#1563454 and rhbz#1549192\n- Provide python2-libs from the python-libs subpackage\nResolves: rhbz#1557460\n[2.7.5-71]\n- Limit the number of CPU cores when building the package on power architectures\nResolves: rhbz#1568974\n[2.7.5-70]\n- Do not send IP addresses in SNI TLS extension\nResolves: rhbz#1555314", "edition": 3, "modified": "2018-11-05T00:00:00", "published": "2018-11-05T00:00:00", "id": "ELSA-2018-3041", "href": "http://linux.oracle.com/errata/ELSA-2018-3041.html", "title": "python security and bug fix update", "type": "oraclelinux", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "debian": [{"lastseen": "2020-08-12T01:05:29", "bulletinFamily": "unix", "cvelist": ["CVE-2018-1000802", "CVE-2018-1060", "CVE-2018-1061", "CVE-2017-1000158"], "description": "Package : python3.4\nVersion : 3.4.2-1+deb8u1\nCVE ID : CVE-2017-1000158 CVE-2018-1060 CVE-2018-1061 CVE-2018-1000802\n\nMultiple vulnerabilities were found in the CPython interpreter which\ncan cause denial of service, information gain, and arbitrary code\nexecution.\n\nCVE-2017-1000158\n\n CPython (aka Python) is vulnerable to an integer overflow in the\n PyString_DecodeEscape function in stringobject.c, resulting in\n heap-based buffer overflow (and possible arbitrary code execution)\n\nCVE-2018-1060\n\n python is vulnerable to catastrophic backtracking in pop3lib's\n apop() method. 
An attacker could use this flaw to cause denial of\n service.\n\nCVE-2018-1061\n\n python is vulnerable to catastrophic backtracking in the\n difflib.IS_LINE_JUNK method. An attacker could use this flaw to\n cause denial of service.\n\nCVE-2018-1000802\n\n Python Software Foundation Python (CPython) version 2.7 contains a\n CWE-77: Improper Neutralization of Special Elements used in a\n Command ('Command Injection') vulnerability in shutil module\n (make_archive function) that can result in Denial of service,\n Information gain via injection of arbitrary files on the system or\n entire drive. This attack appear to be exploitable via Passage of\n unfiltered user input to the function.\n\nFor Debian 8 "Jessie", these problems have been fixed in version\n3.4.2-1+deb8u1.\n\nWe recommend that you upgrade your python3.4 packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n", "edition": 8, "modified": "2018-09-26T00:27:03", "published": "2018-09-26T00:27:03", "id": "DEBIAN:DLA-1520-1:70B85", "href": "https://lists.debian.org/debian-lts-announce/2018/debian-lts-announce-201809/msg00031.html", "title": "[SECURITY] [DLA 1520-1] python3.4 security update", "type": "debian", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-08-12T00:51:28", "bulletinFamily": "unix", "cvelist": ["CVE-2018-1000802", "CVE-2018-1060", "CVE-2018-1061", "CVE-2017-1000158"], "description": "Package : python2.7\nVersion : 2.7.9-2+deb8u2\nCVE ID : CVE-2017-1000158 CVE-2018-1060 CVE-2018-1061 CVE-2018-1000802\n\nMultiple vulnerabilities were found in the CPython interpreter which\ncan cause denial of service, information gain, and arbitrary code\nexecution.\n\nCVE-2017-1000158\n\n CPython (aka Python) is vulnerable to an integer overflow in the\n PyString_DecodeEscape function in stringobject.c, resulting in\n heap-based buffer 
overflow (and possible arbitrary code execution)\n\nCVE-2018-1060\n\n python is vulnerable to catastrophic backtracking in pop3lib's\n apop() method. An attacker could use this flaw to cause denial of\n service.\n\nCVE-2018-1061\n\n python is vulnerable to catastrophic backtracking in the\n difflib.IS_LINE_JUNK method. An attacker could use this flaw to\n cause denial of service.\n\nCVE-2018-1000802\n\n Python Software Foundation Python (CPython) version 2.7 contains a\n CWE-77: Improper Neutralization of Special Elements used in a\n Command ('Command Injection') vulnerability in shutil module\n (make_archive function) that can result in Denial of service,\n Information gain via injection of arbitrary files on the system or\n entire drive. This attack appear to be exploitable via Passage of\n unfiltered user input to the function.\n\nFor Debian 8 "Jessie", these problems have been fixed in version\n2.7.9-2+deb8u2.\n\nWe recommend that you upgrade your python2.7 packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n\n-- \n", "edition": 6, "modified": "2018-09-25T23:47:52", "published": "2018-09-25T23:47:52", "id": "DEBIAN:DLA-1519-1:1A158", "href": "https://lists.debian.org/debian-lts-announce/2018/debian-lts-announce-201809/msg00030.html", "title": "[SECURITY] [DLA 1519-1] python2.7 security update", "type": "debian", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-08-12T00:51:57", "bulletinFamily": "unix", "cvelist": ["CVE-2018-1060", "CVE-2018-1061", "CVE-2018-14647", "CVE-2017-1000158"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4307-1 security@debian.org\nhttps://www.debian.org/security/ Moritz Muehlenhoff\nSeptember 28, 2018 https://www.debian.org/security/faq\n- 
-------------------------------------------------------------------------\n\nPackage : python3.5\nCVE ID : CVE-2017-1000158 CVE-2018-1060 CVE-2018-1061\n CVE-2018-14647\n\nMultiple security issues were discovered in Python: ElementTree failed\nto initialise Expat's hash salt, two denial of service issues were found\nin difflib and poplib and a buffer overflow in PyString_DecodeEscape.\n\nFor the stable distribution (stretch), these problems have been fixed in\nversion 3.5.3-1+deb9u1.\n\nWe recommend that you upgrade your python3.5 packages.\n\nFor the detailed security status of python3.5 please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/python3.5\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 8, "modified": "2018-09-28T19:18:22", "published": "2018-09-28T19:18:22", "id": "DEBIAN:DSA-4307-1:C7B50", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2018/msg00238.html", "title": "[SECURITY] [DSA 4307-1] python3.5 security update", "type": "debian", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-08-12T01:01:55", "bulletinFamily": "unix", "cvelist": ["CVE-2018-1000802", "CVE-2018-1060", "CVE-2018-1061", "CVE-2018-14647"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4306-1 security@debian.org\nhttps://www.debian.org/security/ Moritz Muehlenhoff\nSeptember 27, 2018 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : python2.7\nCVE ID : CVE-2018-1060 CVE-2018-1061 CVE-2018-14647\n CVE-2018-1000802\n\nMultiple security issues were discovered in Python: ElementTree failed\nto initialise Expat's hash salt, two 
denial of service issues were found\nin difflib and poplib and the shutil module was affected by a command\ninjection vulnerability.\n\nFor the stable distribution (stretch), these problems have been fixed in\nversion 2.7.13-2+deb9u3.\n\nWe recommend that you upgrade your python2.7 packages.\n\nFor the detailed security status of python2.7 please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/python2.7\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 11, "modified": "2018-09-27T21:05:52", "published": "2018-09-27T21:05:52", "id": "DEBIAN:DSA-4306-1:95510", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2018/msg00237.html", "title": "[SECURITY] [DSA 4306-1] python2.7 security update", "type": "debian", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "ubuntu": [{"lastseen": "2020-07-02T11:40:04", "bulletinFamily": "unix", "cvelist": ["CVE-2018-1000030", "CVE-2018-1000802", "CVE-2018-1060", "CVE-2018-1061", "CVE-2018-14647"], "description": "USN-3817-1 fixed a vulnerability in Python. This update provides \nthe corresponding update for Ubuntu 12.04 ESM.\n\nOriginal advisory details:\n\nIt was discovered that Python incorrectly handled large amounts of data. A \nremote attacker could use this issue to cause Python to crash, resulting in \na denial of service, or possibly execute arbitrary code. (CVE-2018-1000030)\n\nIt was discovered that Python incorrectly handled running external commands \nin the shutil module. A remote attacker could use this issue to cause \nPython to crash, resulting in a denial of service, or possibly execute \narbitrary code. 
(CVE-2018-1000802)\n\nIt was discovered that Python incorrectly used regular expressions \nvulnerable to catastrophic backtracking. A remote attacker could possibly \nuse this issue to cause a denial of service. (CVE-2018-1060, CVE-2018-1061)\n\nIt was discovered that Python failed to initialize Expat's hash salt. A \nremote attacker could possibly use this issue to cause hash collisions, \nleading to a denial of service. (CVE-2018-14647)", "edition": 5, "modified": "2018-11-15T00:00:00", "published": "2018-11-15T00:00:00", "id": "USN-3817-2", "href": "https://ubuntu.com/security/notices/USN-3817-2", "title": "Python vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-07-02T11:45:16", "bulletinFamily": "unix", "cvelist": ["CVE-2018-1000030", "CVE-2018-1000802", "CVE-2018-1060", "CVE-2018-1061", "CVE-2018-14647"], "description": "It was discovered that Python incorrectly handled large amounts of data. A \nremote attacker could use this issue to cause Python to crash, resulting in \na denial of service, or possibly execute arbitrary code. This issue only \naffected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2018-1000030)\n\nIt was discovered that Python incorrectly handled running external commands \nin the shutil module. A remote attacker could use this issue to cause \nPython to crash, resulting in a denial of service, or possibly execute \narbitrary code. (CVE-2018-1000802)\n\nIt was discovered that Python incorrectly used regular expressions \nvulnerable to catastrophic backtracking. A remote attacker could possibly \nuse this issue to cause a denial of service. This issue only affected \nUbuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2018-1060, CVE-2018-1061)\n\nIt was discovered that Python failed to initialize Expat's hash salt. A \nremote attacker could possibly use this issue to cause hash collisions, \nleading to a denial of service. 
(CVE-2018-14647)", "edition": 4, "modified": "2018-11-13T00:00:00", "published": "2018-11-13T00:00:00", "id": "USN-3817-1", "href": "https://ubuntu.com/security/notices/USN-3817-1", "title": "Python vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cloudfoundry": [{"lastseen": "2019-05-29T18:32:45", "bulletinFamily": "software", "cvelist": ["CVE-2018-1000030", "CVE-2018-1000802", "CVE-2018-1060", "CVE-2018-1061", "CVE-2018-14647"], "description": "# \n\n# Severity\n\nMedium\n\n# Vendor\n\nCanonical Ubuntu\n\n# Versions Affected\n\n * Canonical Ubuntu 14.04\n * Canonical Ubuntu 16.04\n * Canonical Ubuntu 18.04\n\n# Description\n\nIt was discovered that Python incorrectly handled large amounts of data. A remote attacker could use this issue to cause Python to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2018-1000030)\n\nIt was discovered that Python incorrectly handled running external commands in the shutil module. A remote attacker could use this issue to cause Python to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2018-1000802)\n\nIt was discovered that Python incorrectly used regular expressions vulnerable to catastrophic backtracking. A remote attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2018-1060, CVE-2018-1061)\n\nIt was discovered that Python failed to initialize Expat\u2019s hash salt. A remote attacker could possibly use this issue to cause hash collisions, leading to a denial of service. 
(CVE-2018-14647)\n\nCVEs contained in this USN include: CVE-2018-1000030, CVE-2018-1000802, CVE-2018-1060, CVE-2018-1061, CVE-2018-14647\n\n# Affected Cloud Foundry Products and Versions\n\n_Severity is medium unless otherwise noted._\n\n * Cloud Foundry BOSH trusty-stemcells are vulnerable, including: \n * 3586.x versions prior to 3586.56\n * 3541.x versions prior to 3541.60\n * 3468.x versions prior to 3468.86\n * 3445.x versions prior to 3445.82\n * 3421.x versions prior to 3421.99\n * All other stemcells not listed.\n * Cloud Foundry BOSH xenial-stemcells are vulnerable, including: \n * 170.x versions prior to 170.6\n * 97.x versions prior to 97.33\n * All other stemcells not listed.\n * All versions of Cloud Foundry cflinuxfs2 prior to 1.249.0\n * All versions of Cloud Foundry cflinuxfs3 prior to 0.38.0\n\n# Mitigation\n\nUsers of affected products are strongly encouraged to follow one of the mitigations below:\n\n * The Cloud Foundry project recommends upgrading the following BOSH trusty-stemcells: \n * Upgrade 3586.x versions to 3586.56\n * Upgrade 3541.x versions to 3541.60\n * Upgrade 3468.x versions to 3468.86\n * Upgrade 3445.x versions to 3445.82\n * Upgrade 3421.x versions to 3421.99\n * All other stemcells should be upgraded to the latest version available on [bosh.io](<https://bosh.io/stemcells/#ubuntu-trusty>).\n * The Cloud Foundry project recommends upgrading the following BOSH xenial-stemcells: \n * Upgrade 170.x versions to 170.6\n * Upgrade 97.x versions to 97.33\n * All other stemcells should be upgraded to the latest version available on [bosh.io](<https://bosh.io/stemcells/#ubuntu-xenial>).\n * The Cloud Foundry project recommends that Cloud Foundry deployments run with cflinuxfs2 version 1.249.0 or later.\n * The Cloud Foundry project recommends that Cloud Foundry deployments run with cflinuxfs3 version 0.38.0 or later.\n\n# References\n\n * [USN-3817-1](<https://usn.ubuntu.com/3817-1>)\n * 
[CVE-2018-1000030](<https://people.canonical.com/~ubuntu-security/cve/CVE-2018-1000030>)\n * [CVE-2018-1000802](<https://people.canonical.com/~ubuntu-security/cve/CVE-2018-1000802>)\n * [CVE-2018-1060](<https://people.canonical.com/~ubuntu-security/cve/CVE-2018-1060>)\n * [CVE-2018-1061](<https://people.canonical.com/~ubuntu-security/cve/CVE-2018-1061>)\n * [CVE-2018-14647](<https://people.canonical.com/~ubuntu-security/cve/CVE-2018-14647>)\n", "edition": 3, "modified": "2018-11-20T00:00:00", "published": "2018-11-20T00:00:00", "id": "CFOUNDRY:C7368B69703D2F78B11155E4CE99EC4C", "href": "https://www.cloudfoundry.org/blog/usn-3817-1/", "title": "USN-3817-1: Python vulnerabilities | Cloud Foundry", "type": "cloudfoundry", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}