Bug 1123996 - (CVE-2017-18361) VUL-1: CVE-2017-18361: python-colander: The URL validator allows an attacker to potentially cause DOS
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Distribution
Component: Security
Version: Leap 15.1
Hardware: Other, OS: Other
Priority: P4 - Low
Severity: Minor
Assigned To: Security Team bot
https://smash.suse.de/issue/224025/
obs:running:11823:moderate
Reported: 2019-02-01 13:18 UTC by Alexandros Toptsoglou
Modified: 2021-01-27 10:40 UTC (History)
Found By: Security Response Team
Description Alexandros Toptsoglou 2019-02-01 13:18:26 UTC
CVE-2017-18361

In Pylons Colander through 1.6, the URL validator allows an attacker to
potentially cause an infinite loop thereby causing a denial of service via an
unclosed parenthesis.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-18361
https://github.com/Pylons/colander/pull/323
https://github.com/Pylons/colander/issues/290
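The following is an added example and is not code from colander, from the linked pull request, or from this bug report. It uses a simplified, hypothetical nested-quantifier URL pattern (NESTED_URL_RE, not colander's actual regex) to show why an unclosed parenthesis makes a backtracking validator's cost grow exponentially with input length, and beside it the kind of hardened check a downstream user stuck on an unfixed package could put in front of such a validator: a length cap applied before any regex runs, then a structural parse with a host pattern that cannot backtrack badly. MAX_URL_LEN, ALLOWED_SCHEMES and the sample inputs are assumptions chosen for illustration.

```python
import re
import time
from urllib.parse import urlsplit

# Hypothetical pattern with the problematic shape (NOT colander's regex):
# an outer repetition whose alternatives overlap, so a run of ordinary
# characters can be split between iterations in many ways, followed by a
# parenthesised group that must be closed. For "http://" + "a"*n + "(" no
# match exists, and the engine tries all 2**(n-1) splits before giving up.
NESTED_URL_RE = re.compile(r"^https?://(?:[^\s()]+|\([^\s()]*\))+$")


def naive_validate(url: str) -> bool:
    """Regex-only validator with no input bound: stalls on an unclosed '('."""
    return NESTED_URL_RE.match(url) is not None


def time_naive(n: int) -> float:
    """Seconds the naive validator spends rejecting an n-character host
    followed by an unclosed parenthesis (constructed pathological input)."""
    payload = "http://" + "a" * n + "("
    start = time.perf_counter()
    naive_validate(payload)
    return time.perf_counter() - start


# Hardened check: bound the input first, then parse structurally instead of
# running a liberal regex over the whole string.
MAX_URL_LEN = 2048                       # assumed bound; tune for your application
ALLOWED_SCHEMES = ("http", "https")      # assumed; widen if you need more schemes
HOST_RE = re.compile(r"[A-Za-z0-9.-]{1,253}")  # one character class: linear time


def hardened_validate(url: str) -> bool:
    """Reject oversized input before any regex runs, then check URL structure
    with urlsplit and a non-nested host pattern."""
    if len(url) > MAX_URL_LEN:
        return False
    try:
        parts = urlsplit(url)
        _ = parts.port  # raises ValueError on a malformed port such as ":abc"
    except ValueError:
        return False
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    return HOST_RE.fullmatch(parts.hostname) is not None


if __name__ == "__main__":
    # Each extra two characters roughly quadruples the naive validator's time.
    for n in (12, 14, 16, 18):
        print(f"n={n:2d}: naive validator took {time_naive(n):.3f}s")
    attack = "http://" + "a" * 60 + "("
    print("hardened validator rejects the unclosed-paren input:",
          not hardened_validate(attack))
```

Running the module prints the growth in rejection time for the naive pattern as the host part lengthens by two characters at a time; the hardened validator never sees the pathological backtracking because it caps the length and only applies a single-character-class pattern to the parsed host.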
Comment 1 Alexandros Toptsoglou 2019-02-01 13:19:24 UTC
Factory currently has version 1.4, which is also affected.
Comment 2 Matej Cepl 2019-02-15 12:51:22 UTC
Fixed in 1.7.0, which is currently on the way to Factory, and Leap 15.1:Update should feed from Factory as well.
Comment 3 Matej Cepl 2019-02-15 12:52:12 UTC
To be exact https://build.opensuse.org/request/show/672756
Comment 4 Wolfgang Frisch 2020-01-16 15:08:52 UTC
Leap 15.1 is still at version 1.4, which is tracked as vulnerable.
Comment 5 Matej Cepl 2020-01-19 07:37:20 UTC
https://build.opensuse.org/request/show/765544 should bring correct *.changes to Factory, and when it is accepted, I will send request to openSUSE:Leap:15.1 as well.
Comment 6 Matej Cepl 2020-01-20 00:19:35 UTC
https://build.opensuse.org/request/show/765651 should be the solution for this bug.
Comment 7 Alexandros Toptsoglou 2021-01-27 10:40:50 UTC
Leap 15.2 is fixed. Leap 15.1 is not. Leap 15.1 enters EOL in the next days. Closing.