CVE-2021-29921

Name	CVE-2021-29921
Description	In Python before 3,9,5, the ipaddress library mishandles leading zero ...
Source	CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-3980-1
Debian Bugs	989195

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
pypy3 (PTS)	bullseye	7.3.5+dfsg-2+deb11u2	fixed
	bullseye (security)	7.3.5+dfsg-2+deb11u5	fixed
	bookworm	7.3.11+dfsg-2+deb12u3	fixed
	trixie	7.3.19+dfsg-2	fixed
	forky, sid	7.3.21+dfsg-4	fixed
python2.7 (PTS)	bullseye	2.7.18-8+deb11u1	fixed
python3.9 (PTS)	bullseye	3.9.2-1	vulnerable
	bullseye (security)	3.9.2-1+deb11u6	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin	Debian Bugs
pypy3	source	bullseye	(not affected)
pypy3	source	(unstable)	7.3.8+dfsg-1
python2.7	source	(unstable)	(not affected)
python3.9	source	experimental	3.9.5-1
python3.9	source	bullseye	3.9.2-1+deb11u2	DLA-3980-1
python3.9	source	(unstable)	3.9.7-1		989195

Notes

- python2.7 <not-affected> (Vulnerable code introduced later)
[buster] - pypy3 <no-dsa> (Minor issue)
[bullseye] - pypy3 <not-affected> (Vulnerable code introduced later)
https://bugs.python.org/issue36384#msg392423
https://github.com/python/cpython/commit/60ce8f0be6354ad565393ab449d8de5d713f35bc (v3.10.0b1)
https://github.com/python/cpython/commit/5374fbc31446364bf5f12e5ab88c5493c35eaf04 (v3.9.5)
Introduced by: https://github.com/python/cpython/commit/e653d4d8e820a7a004ad399530af0135b45db27a (v3.8.0a4)