CVE-2021-4189

NameCVE-2021-4189
DescriptionA flaw was found in Python, specifically in the FTP (File Transfer Protocol) client library in PASV (passive) mode. The issue is how the FTP client trusts the host from the PASV response by default. This flaw allows an attacker to set up a malicious FTP server that can trick FTP clients into connecting back to a given IP address and port. This vulnerability could lead to FTP client scanning ports, which otherwise would not have been possible.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-2919-1, DLA-3432-1, DLA-3477-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
pypy3 (PTS)bullseye (security), bullseye7.3.5+dfsg-2+deb11u2vulnerable
bookworm7.3.11+dfsg-2+deb12u2fixed
sid, trixie7.3.17+dfsg-2fixed
python2.7 (PTS)bullseye2.7.18-8+deb11u1vulnerable
python3.9 (PTS)bullseye3.9.2-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
pypy3source(unstable)7.3.8+dfsg-1
python2.7sourceexperimental2.7.18-13.1~exp1
python2.7sourcestretch2.7.13-2+deb9u6DLA-2919-1
python2.7sourcebuster2.7.16-2+deb10u2DLA-3432-1
python2.7source(unstable)2.7.18-13.1
python3.10source(unstable)(not affected)
python3.5source(unstable)(unfixed)
python3.7sourcebuster3.7.3-2+deb10u5DLA-3477-1
python3.7source(unstable)(unfixed)
python3.9source(unstable)3.9.7-1

Notes

- python3.10 <not-affected> (Fixed before initial upload to Debian unstable)
[bullseye] - python3.9 <no-dsa> (Minor issue)
[stretch] - python3.5 <no-dsa> (Minor issue)
[bullseye] - python2.7 <ignored> (Python 2.7 in Bullseye not covered by security support)
[bullseye] - pypy3 <no-dsa> (Minor issue)
[buster] - pypy3 <no-dsa> (Minor issue)
https://bugs.python.org/issue43285
https://github.com/python/cpython/commit/0ab152c6b5d95caa2dc1a30fa96e10258b5f188e (master)
https://github.com/python/cpython/commit/7dcb4baa4f0fde3aef5122a8e9f6a41853ec9335 (v3.9.3)
https://github.com/python/cpython/commit/79373951b3eab585d42e0f0ab83718cbe1d0ee33 (v3.7.11)
https://github.com/python/cpython/commit/4134f154ae2f621f25c5d698cc0f1748035a1b88 (v3.6.14)
https://bugzilla.redhat.com/show_bug.cgi?id=2036020

Search for package or bug name: Reporting problems