Python before versions 2.7.15, 3.4.9, 3.5.6rc1, 3.6.5rc1 and 3.7.0 is vulnerable to catastrophic backtracking in the difflib.IS_LINE_JUNK method. An attacker could use this flaw to cause denial of service.

https://bugs.python.org/issue32981
https://python-security.readthedocs.io/vuln/cve-2018-1060_difflib_and_poplib_catastrophic_backtracking.html

Test:

$ wget -q https://raw.githubusercontent.com/python/cpython/0e6c8ee2358a2e23117501826c008842acb835ac/Lib/test/test_difflib.py
$ python3 --version
Python 3.4.8
$ python3.5 --version
Python 3.5.5
$ python3 test_difflib.py
[...]
test_is_character_junk_false (__main__.TestJunkAPIs) ... ok
test_is_character_junk_true (__main__.TestJunkAPIs) ... ok
test_is_line_junk_REDOS (__main__.TestJunkAPIs) ... [hang]

The currently-shipped Python 3.6.5 appears to not be affected.
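The report above only shows the upstream test hanging. As an added example (not part of the bug report and not CPython's own code), the script below does two things a packager or operator would want: it reads back the regex that the installed difflib.IS_LINE_JUNK actually uses, so a host can be checked for the backtracking-prone pattern without running the hanging test, and it provides a regex-free, linear-time drop-in with the same semantics that can be passed as linejunk= to difflib.ndiff on interpreters that cannot be upgraded yet. The two pattern strings (the pre-fix r"\s*#?\s*$" and the post-fix r"\s*(?:#\s*)?$") are taken from reading difflib.py before and after bpo-32981; the report itself does not quote them, so treat them as an assumption, and the sample lines are constructed for the check.

```python
"""Added example: detect the CVE-2018-1060 difflib pattern on the running
interpreter and offer a linear-time IS_LINE_JUNK replacement.

Not code from the bug report or from CPython; the pattern strings below are
assumed from reading difflib.py before and after the bpo-32981 fix.
"""
import difflib
import re

# Assumed pattern strings: what difflib.IS_LINE_JUNK compiled before the fix
# and what it compiles after it. Both accept a blank line or a line holding a
# single '#' surrounded by whitespace; only the backtracking behaviour differs.
VULNERABLE_PATTERN = r"\s*#?\s*$"
FIXED_PATTERN = r"\s*(?:#\s*)?$"

# re.Pattern is only exposed on newer interpreters; derive the type portably.
_PATTERN_TYPE = type(re.compile(""))


def installed_is_line_junk_pattern():
    """Return the regex string behind difflib.IS_LINE_JUNK, or None.

    IS_LINE_JUNK keeps its matcher as a default argument
    (pat=re.compile(...).match), so the compiled pattern is reachable through
    the bound method's __self__ without executing the matcher.
    """
    for value in difflib.IS_LINE_JUNK.__defaults__ or ():
        owner = getattr(value, "__self__", None)
        if isinstance(owner, _PATTERN_TYPE):
            return owner.pattern
    return None


def difflib_is_vulnerable():
    """True only if difflib still ships the pre-fix pattern."""
    return installed_is_line_junk_pattern() == VULNERABLE_PATTERN


def is_line_junk_linear(line):
    """Regex-free equivalent of IS_LINE_JUNK.

    True iff the line is blank or contains exactly one '#' with nothing but
    whitespace around it. str.strip() removes the same characters that \\s
    matches for str patterns, and a trailing newline (which the regex's '$'
    tolerates) is whitespace too, so the result agrees with the fixed regex
    while running in O(len(line)) with no backtracking at all.
    """
    stripped = line.strip()
    return stripped == "" or stripped == "#"


# Constructed sample lines covering the accept and reject cases.
SAMPLE_LINES = [
    "", "\n", "   ", "#", " # ", "\t#\t\n", "# #", "##", "x", "  x  #",
    "#comment", "\u00a0#\u00a0",  # non-breaking space is Unicode whitespace
]


def agrees_with_fixed_regex(lines):
    """Check the linear version against the post-fix regex on every line."""
    fixed_match = re.compile(FIXED_PATTERN).match
    return all(bool(fixed_match(line)) == is_line_junk_linear(line) for line in lines)


if __name__ == "__main__":
    print("installed IS_LINE_JUNK pattern:", installed_is_line_junk_pattern())
    print("vulnerable to CVE-2018-1060:", difflib_is_vulnerable())
    print("linear replacement agrees with fixed regex:", agrees_with_fixed_regex(SAMPLE_LINES))
    # Usage on an interpreter that cannot be upgraded: hand the safe junk
    # predicate to ndiff instead of relying on the module default.
    diff = difflib.ndiff(["a\n", "#\n", "b\n"], ["a\n", "c\n"], linejunk=is_line_junk_linear)
    print("".join(diff))
```

On a patched interpreter the script reports the post-fix pattern and False for the vulnerability check; on the 3.4.8 and 3.5.5 builds from the report it would print the pre-fix pattern and True, which is the same conclusion the hanging test reaches without having to run it.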
dev-lang/python-3.4* is masked for removal due to being EOL.