{"id":"MGASA-2018-0495","summary":"Updated python packages fix security vulnerabilities","details":"Possible denial of service vulnerability due to a missing check in\nLib/wave.py to verify that at least one channel is provided\n(CVE-2017-18207).\n\nPython's elementtree C accelerator failed to initialise Expat's hash\nsalt during initialization. This could make it easy to conduct denial of\nservice attacks against Expat by contructing an XML document that would\ncause pathological hash collisions in Expat's internal data structures,\nconsuming large amounts CPU and RAM (CVE-2018-14647).\n\nIt was discovered that the shutil module of python does not properly\nsanitize input when creating a zip file on Windows. An attacker could\nuse this flaw to cause a denial of service or add unintended files to\nthe generated archive (CVE-2018-1000802).\n","modified":"2026-01-30T07:03:54.518900Z","published":"2018-12-31T22:42:09Z","related":["CVE-2017-18207","CVE-2018-1000802","CVE-2018-14647"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2018-0495.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=23061"},{"type":"REPORT","url":"https://lists.opensuse.org/opensuse-updates/2018-04/msg00041.html"},{"type":"REPORT","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/O4ERR26C7JCSELMELHCVZ5TZXFKHBJ72/"},{"type":"REPORT","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/HFL5UURGWQ53IKGPTD7B4MKMSMUZPTGU/"}],"affected":[{"package":{"name":"python","ecosystem":"Mageia:6","purl":"pkg:rpm/mageia/python?arch=source&distro=mageia-6"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.7.15-1.1.mga6"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2018-0495.json"}}],"schema_version":"1.7.3","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}