CVE-2021-4189

NameCVE-2021-4189
DescriptionA flaw was found in Python, specifically in the FTP (File Transfer Protocol) client library in PASV (passive) mode. The issue is how the FTP client trusts the host from the PASV response by default. This flaw allows an attacker to set up a malicious FTP server that can trick FTP clients into connecting back to a given IP address and port. This vulnerability could lead to FTP client scanning ports, which otherwise would not have been possible.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-2919-1, DLA-3432-1, DLA-3477-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
python2.7 (PTS)buster2.7.16-2+deb10u1vulnerable
buster (security)2.7.16-2+deb10u3fixed
bullseye2.7.18-8+deb11u1vulnerable
python3.10 (PTS)sid3.10.13-1fixed
python3.7 (PTS)buster3.7.3-2+deb10u3vulnerable
buster (security)3.7.3-2+deb10u6fixed
python3.9 (PTS)bullseye3.9.2-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
python2.7sourceexperimental2.7.18-13.1~exp1
python2.7sourcestretch2.7.13-2+deb9u6DLA-2919-1
python2.7sourcebuster2.7.16-2+deb10u2DLA-3432-1
python2.7source(unstable)2.7.18-13.1
python3.10source(unstable)(not affected)
python3.5source(unstable)(unfixed)
python3.7sourcebuster3.7.3-2+deb10u5DLA-3477-1
python3.7source(unstable)(unfixed)
python3.9source(unstable)3.9.7-1

Notes

- python3.10 <not-affected> (Fixed before initial upload to Debian unstable)
[bullseye] - python3.9 <no-dsa> (Minor issue)
[stretch] - python3.5 <no-dsa> (Minor issue)
[bullseye] - python2.7 <ignored> (Python 2.7 in Bullseye not covered by security support)
https://bugs.python.org/issue43285
https://github.com/python/cpython/commit/0ab152c6b5d95caa2dc1a30fa96e10258b5f188e (master)
https://github.com/python/cpython/commit/7dcb4baa4f0fde3aef5122a8e9f6a41853ec9335 (v3.9.3)
https://github.com/python/cpython/commit/79373951b3eab585d42e0f0ab83718cbe1d0ee33 (v3.7.11)
https://github.com/python/cpython/commit/4134f154ae2f621f25c5d698cc0f1748035a1b88 (v3.6.14)
https://bugzilla.redhat.com/show_bug.cgi?id=2036020

Search for package or bug name: Reporting problems