Bug 1088009 - (CVE-2018-1060) VUL-1: CVE-2018-1060: python,python3: DOS via regular expression catastrophic backtracking in apop() method in pop3lib
(CVE-2018-1060)
VUL-1: CVE-2018-1060: python,python3: DOS via regular expression catastrophic...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P4 - Low : Minor
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/203074/
CVSSv3:SUSE:CVE-2018-1060:3.3:(AV:L/A...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2018-04-04 06:30 UTC by Marcus Meissner
Modified: 2022-06-10 08:40 UTC (History)
2 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2018-04-04 06:30:58 UTC
Catastrophic backtracking vulnerability was found in Python. Exploitation of a regular expression in pop3lib's apop() method although limited by 2048 chars, can lead to denial of service.

Upstream issue:

https://bugs.python.org/issue32981

Patch and testcase:

https://github.com/python/cpython/commit/0e6c8ee2358a2e23117501826c008842acb835ac
Comment 6 Swamp Workflow Management 2018-08-17 13:08:36 UTC
SUSE-SU-2018:2408-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1086001,1088004,1088009,985177
CVE References: CVE-2016-5636,CVE-2018-1060,CVE-2018-1061
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    python-2.6.9-40.15.1, python-base-2.6.9-40.15.1, python-doc-2.6-8.40.15.1
SUSE Linux Enterprise Server 11-SP4 (src):    python-2.6.9-40.15.1, python-base-2.6.9-40.15.1, python-doc-2.6-8.40.15.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    python-2.6.9-40.15.1, python-base-2.6.9-40.15.1, python-doc-2.6-8.40.15.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    python-2.6.9-40.15.1, python-base-2.6.9-40.15.1, python-doc-2.6-8.40.15.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    python-2.6.9-40.15.1, python-base-2.6.9-40.15.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    python-2.6.9-40.15.1, python-base-2.6.9-40.15.1
Comment 8 Swamp Workflow Management 2018-09-12 13:08:41 UTC
SUSE-SU-2018:2696-1: An update that solves two vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1086001,1088004,1088009,1107030
CVE References: CVE-2018-1060,CVE-2018-1061
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    python3-base-3.4.6-25.16.1
SUSE Linux Enterprise Server 12-SP3 (src):    python3-3.4.6-25.16.1, python3-base-3.4.6-25.16.1
SUSE Linux Enterprise Module for Web Scripting 12 (src):    python3-3.4.6-25.16.1, python3-base-3.4.6-25.16.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    python3-3.4.6-25.16.1, python3-base-3.4.6-25.16.1
Comment 9 Swamp Workflow Management 2018-09-14 16:08:40 UTC
openSUSE-SU-2018:2712-1: An update that solves two vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1086001,1088004,1088009,1107030
CVE References: CVE-2018-1060,CVE-2018-1061
Sources used:
openSUSE Leap 42.3 (src):    python3-3.4.6-12.6.1, python3-base-3.4.6-12.6.1, python3-doc-3.4.6-12.6.1
Comment 11 Swamp Workflow Management 2018-10-29 20:14:19 UTC
SUSE-SU-2018:3554-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1086001,1088004,1088009,1109663
CVE References: CVE-2018-1000802,CVE-2018-1060,CVE-2018-1061
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP3 (src):    python-base-2.7.13-28.16.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    python-base-2.7.13-28.16.1
SUSE Linux Enterprise Server 12-SP3 (src):    python-2.7.13-28.16.1, python-base-2.7.13-28.16.1, python-doc-2.7.13-28.16.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    python-2.7.13-28.16.1, python-base-2.7.13-28.16.1
SUSE Enterprise Storage 5 (src):    python-2.7.13-28.16.1
SUSE CaaS Platform ALL (src):    python-2.7.13-28.16.1, python-base-2.7.13-28.16.1
SUSE CaaS Platform 3.0 (src):    python-2.7.13-28.16.1, python-base-2.7.13-28.16.1
OpenStack Cloud Magnum Orchestration 7 (src):    python-2.7.13-28.16.1, python-base-2.7.13-28.16.1
Comment 12 Swamp Workflow Management 2018-11-09 23:21:03 UTC
openSUSE-SU-2018:3703-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1086001,1088004,1088009,1109663
CVE References: CVE-2018-1000802,CVE-2018-1060,CVE-2018-1061
Sources used:
openSUSE Leap 42.3 (src):    python-2.7.13-27.9.1, python-base-2.7.13-27.9.1, python-doc-2.7.13-27.9.1
Comment 13 Swamp Workflow Management 2018-12-10 17:26:24 UTC
SUSE-SU-2018:3554-2: An update that solves three vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1086001,1088004,1088009,1109663
CVE References: CVE-2018-1000802,CVE-2018-1060,CVE-2018-1061
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP4 (src):    python-base-2.7.13-28.16.1
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    python-base-2.7.13-28.16.1
SUSE Linux Enterprise Server 12-SP4 (src):    python-2.7.13-28.16.1, python-base-2.7.13-28.16.1, python-doc-2.7.13-28.16.1
SUSE Linux Enterprise Desktop 12-SP4 (src):    python-2.7.13-28.16.1, python-base-2.7.13-28.16.1
Comment 20 Swamp Workflow Management 2020-01-16 14:13:37 UTC
SUSE-SU-2020:0114-1: An update that solves 26 vulnerabilities and has 30 fixes is now available.

Category: security (important)
Bug References: 1027282,1029377,1029902,1040164,1042670,1070853,1079761,1081750,1083507,1086001,1088004,1088009,1088573,1094814,1107030,1109663,1109847,1120644,1122191,1129346,1130840,1133452,1137942,1138459,1141853,1149121,1149792,1149955,1151490,1153238,1159035,1159622,637176,658604,673071,709442,743787,747125,751718,754447,754677,787526,809831,831629,834601,871152,885662,885882,917607,942751,951166,983582,984751,985177,985348,989523
CVE References: CVE-2011-3389,CVE-2011-4944,CVE-2012-0845,CVE-2012-1150,CVE-2013-1752,CVE-2013-4238,CVE-2014-2667,CVE-2014-4650,CVE-2016-0772,CVE-2016-1000110,CVE-2016-5636,CVE-2016-5699,CVE-2017-18207,CVE-2018-1000802,CVE-2018-1060,CVE-2018-1061,CVE-2018-14647,CVE-2018-20406,CVE-2018-20852,CVE-2019-10160,CVE-2019-15903,CVE-2019-16056,CVE-2019-16935,CVE-2019-5010,CVE-2019-9636,CVE-2019-9947
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    python3-3.6.10-3.42.2, python3-base-3.6.10-3.42.2, python3-doc-3.6.10-3.42.3
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    python3-3.6.10-3.42.2, python3-base-3.6.10-3.42.2, python3-doc-3.6.10-3.42.3
SUSE Linux Enterprise Module for Development Tools 15-SP1 (src):    python3-base-3.6.10-3.42.2
SUSE Linux Enterprise Module for Development Tools 15 (src):    python3-base-3.6.10-3.42.2
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    python3-3.6.10-3.42.2, python3-base-3.6.10-3.42.2
SUSE Linux Enterprise Module for Basesystem 15 (src):    python3-3.6.10-3.42.2, python3-base-3.6.10-3.42.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 21 Swamp Workflow Management 2020-01-21 20:16:07 UTC
openSUSE-SU-2020:0086-1: An update that solves 26 vulnerabilities and has 30 fixes is now available.

Category: security (important)
Bug References: 1027282,1029377,1029902,1040164,1042670,1070853,1079761,1081750,1083507,1086001,1088004,1088009,1088573,1094814,1107030,1109663,1109847,1120644,1122191,1129346,1130840,1133452,1137942,1138459,1141853,1149121,1149792,1149955,1151490,1153238,1159035,1159622,637176,658604,673071,709442,743787,747125,751718,754447,754677,787526,809831,831629,834601,871152,885662,885882,917607,942751,951166,983582,984751,985177,985348,989523
CVE References: CVE-2011-3389,CVE-2011-4944,CVE-2012-0845,CVE-2012-1150,CVE-2013-1752,CVE-2013-4238,CVE-2014-2667,CVE-2014-4650,CVE-2016-0772,CVE-2016-1000110,CVE-2016-5636,CVE-2016-5699,CVE-2017-18207,CVE-2018-1000802,CVE-2018-1060,CVE-2018-1061,CVE-2018-14647,CVE-2018-20406,CVE-2018-20852,CVE-2019-10160,CVE-2019-15903,CVE-2019-16056,CVE-2019-16935,CVE-2019-5010,CVE-2019-9636,CVE-2019-9947
Sources used:
openSUSE Leap 15.1 (src):    python3-3.6.10-lp151.6.7.1, python3-base-3.6.10-lp151.6.7.1
Comment 22 Swamp Workflow Management 2020-01-24 20:13:04 UTC
SUSE-SU-2020:0234-1: An update that solves 37 vulnerabilities and has 50 fixes is now available.

Category: security (important)
Bug References: 1027282,1041090,1042670,1068664,1073269,1073748,1078326,1078485,1079300,1081750,1083507,1084650,1086001,1088004,1088009,1109847,1111793,1113755,1122191,1129346,1130840,1130847,1138459,1141853,1149792,1149955,1153238,1153830,1159035,214983,298378,346490,367853,379534,380942,399190,406051,425138,426563,430761,432677,436966,437293,441088,462375,525295,534721,551715,572673,577032,581765,603255,617751,637176,638233,658604,673071,682554,697251,707667,718009,747125,747794,751718,754447,766778,794139,804978,827982,831442,834601,836739,856835,856836,857470,863741,885882,898572,901715,935856,945401,964182,984751,985177,985348,989523,997436
CVE References: CVE-2007-2052,CVE-2008-1721,CVE-2008-2315,CVE-2008-2316,CVE-2008-3142,CVE-2008-3143,CVE-2008-3144,CVE-2011-1521,CVE-2011-3389,CVE-2011-4944,CVE-2012-0845,CVE-2012-1150,CVE-2013-1752,CVE-2013-1753,CVE-2013-4238,CVE-2014-1912,CVE-2014-4650,CVE-2014-7185,CVE-2016-0772,CVE-2016-1000110,CVE-2016-5636,CVE-2016-5699,CVE-2017-1000158,CVE-2017-18207,CVE-2018-1000030,CVE-2018-1000802,CVE-2018-1060,CVE-2018-1061,CVE-2018-14647,CVE-2018-20852,CVE-2019-10160,CVE-2019-16056,CVE-2019-16935,CVE-2019-5010,CVE-2019-9636,CVE-2019-9947,CVE-2019-9948
Sources used:
SUSE Linux Enterprise Module for Python2 15-SP1 (src):    python-2.7.17-7.32.2, python-base-2.7.17-7.32.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    python-2.7.17-7.32.2, python-base-2.7.17-7.32.1, python-doc-2.7.17-7.32.2
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    python-2.7.17-7.32.2, python-doc-2.7.17-7.32.2
SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (src):    python-2.7.17-7.32.2
SUSE Linux Enterprise Module for Desktop Applications 15 (src):    python-2.7.17-7.32.2
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    python-2.7.17-7.32.2, python-base-2.7.17-7.32.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    python-2.7.17-7.32.2, python-base-2.7.17-7.32.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 23 Swamp Workflow Management 2020-02-03 17:13:00 UTC
SUSE-SU-2020:0302-1: An update that solves 10 vulnerabilities and has 11 fixes is now available.

Category: security (important)
Bug References: 1027282,1029377,1081750,1083507,1086001,1088009,1094814,1109663,1137942,1138459,1141853,1149121,1149429,1149792,1149955,1151490,1159035,1159622,709442,951166,983582
CVE References: CVE-2017-18207,CVE-2018-1000802,CVE-2018-1060,CVE-2018-20852,CVE-2019-10160,CVE-2019-15903,CVE-2019-16056,CVE-2019-5010,CVE-2019-9636,CVE-2019-9947
Sources used:
SUSE Linux Enterprise Server 12-SP5 (src):    python36-3.6.10-4.3.5, python36-base-3.6.10-4.3.5

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 32 Swamp Workflow Management 2020-09-21 19:15:41 UTC
SUSE-SU-2020:2699-1: An update that solves 7 vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1088004,1088009,1130840,1141853,1149955,1153238,1162423,1173274,1174091,1174701
CVE References: CVE-2018-14647,CVE-2018-20852,CVE-2019-16056,CVE-2019-16935,CVE-2019-20907,CVE-2019-9947,CVE-2020-14422
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    python3-3.4.10-25.52.1, python3-base-3.4.10-25.52.1
SUSE OpenStack Cloud Crowbar 8 (src):    python3-3.4.10-25.52.1, python3-base-3.4.10-25.52.1
SUSE OpenStack Cloud 9 (src):    python3-3.4.10-25.52.1, python3-base-3.4.10-25.52.1
SUSE OpenStack Cloud 8 (src):    python3-3.4.10-25.52.1, python3-base-3.4.10-25.52.1
SUSE OpenStack Cloud 7 (src):    python3-3.4.10-25.52.1, python3-base-3.4.10-25.52.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    python3-3.4.10-25.52.1, python3-base-3.4.10-25.52.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    python3-3.4.10-25.52.1, python3-base-3.4.10-25.52.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    python3-3.4.10-25.52.1, python3-base-3.4.10-25.52.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    python3-3.4.10-25.52.1, python3-base-3.4.10-25.52.1
SUSE Linux Enterprise Server 12-SP5 (src):    python3-3.4.10-25.52.1, python3-base-3.4.10-25.52.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    python3-3.4.10-25.52.1, python3-base-3.4.10-25.52.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    python3-3.4.10-25.52.1, python3-base-3.4.10-25.52.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    python3-3.4.10-25.52.1, python3-base-3.4.10-25.52.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    python3-3.4.10-25.52.1, python3-base-3.4.10-25.52.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    python3-3.4.10-25.52.1, python3-base-3.4.10-25.52.1
SUSE Linux Enterprise Module for Web Scripting 12 (src):    python3-3.4.10-25.52.1, python3-base-3.4.10-25.52.1
SUSE Enterprise Storage 5 (src):    python3-3.4.10-25.52.1, python3-base-3.4.10-25.52.1
HPE Helion Openstack 8 (src):    python3-3.4.10-25.52.1, python3-base-3.4.10-25.52.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 37 OBSbugzilla Bot 2020-11-27 16:41:20 UTC
This is an autogenerated message for OBS integration:
This bug (1088009) was mentioned in
https://build.opensuse.org/request/show/851367 Factory / python36
Comment 39 OBSbugzilla Bot 2020-12-01 18:21:15 UTC
This is an autogenerated message for OBS integration:
This bug (1088009) was mentioned in
https://build.opensuse.org/request/show/852415 Factory / python36
Comment 41 OBSbugzilla Bot 2020-12-05 17:31:16 UTC
This is an autogenerated message for OBS integration:
This bug (1088009) was mentioned in
https://build.opensuse.org/request/show/853277 Factory / python36
Comment 42 OBSbugzilla Bot 2020-12-05 19:11:19 UTC
This is an autogenerated message for OBS integration:
This bug (1088009) was mentioned in
https://build.opensuse.org/request/show/853314 Factory / python36
Comment 45 OBSbugzilla Bot 2020-12-17 18:11:20 UTC
This is an autogenerated message for OBS integration:
This bug (1088009) was mentioned in
https://build.opensuse.org/request/show/856737 Factory / python36
Comment 46 OBSbugzilla Bot 2021-10-06 14:41:27 UTC
This is an autogenerated message for OBS integration:
This bug (1088009) was mentioned in
https://build.opensuse.org/request/show/923499 Factory / python36
Comment 47 OBSbugzilla Bot 2021-10-22 08:41:27 UTC
This is an autogenerated message for OBS integration:
This bug (1088009) was mentioned in
https://build.opensuse.org/request/show/926876 Factory / python36
Comment 48 OBSbugzilla Bot 2022-02-06 22:30:28 UTC
This is an autogenerated message for OBS integration:
This bug (1088009) was mentioned in
https://build.opensuse.org/request/show/951983 Factory / python
Comment 49 OBSbugzilla Bot 2022-02-09 19:10:31 UTC
This is an autogenerated message for OBS integration:
This bug (1088009) was mentioned in
https://build.opensuse.org/request/show/953031 Factory / python
Comment 50 Gabriele Sonnu 2022-05-16 12:59:14 UTC
Done
Comment 51 OBSbugzilla Bot 2022-06-10 08:40:28 UTC
This is an autogenerated message for OBS integration:
This bug (1088009) was mentioned in
https://build.opensuse.org/request/show/981989 Factory / python