CVE-2021-4189

NameCVE-2021-4189
DescriptionA flaw was found in Python, specifically in the FTP (File Transfer Protocol) client library in PASV (passive) mode. The issue is how the FTP client trusts the host from the PASV response by default. This flaw allows an attacker to set up a malicious FTP server that can trick FTP clients into connecting back to a given IP address and port. This vulnerability could lead to FTP client scanning ports, which otherwise would not have been possible.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)
ReferencesDLA-2919-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
python2.7 (PTS)buster2.7.16-2+deb10u1vulnerable
bullseye2.7.18-8vulnerable
bookworm, sid2.7.18-13.2fixed
python3.10 (PTS)bookworm, sid3.10.8-3fixed
python3.7 (PTS)buster3.7.3-2+deb10u3vulnerable
buster (security)3.7.3-2+deb10u4vulnerable
python3.9 (PTS)bullseye3.9.2-1vulnerable
sid3.9.13-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
python2.7sourceexperimental2.7.18-13.1~exp1
python2.7sourcestretch2.7.13-2+deb9u6DLA-2919-1
python2.7source(unstable)2.7.18-13.1
python3.10source(unstable)(not affected)
python3.5source(unstable)(unfixed)
python3.7source(unstable)(unfixed)
python3.9source(unstable)3.9.7-1

Notes

- python3.10 <not-affected> (Fixed before initial upload to Debian unstable)
[bullseye] - python3.9 <no-dsa> (Minor issue)
[buster] - python3.7 <no-dsa> (Minor issue)
[stretch] - python3.5 <no-dsa> (Minor issue)
[bullseye] - python2.7 <ignored> (Python 2.7 in Bullseye not covered by security support)
[buster] - python2.7 <no-dsa> (Minor issue)
https://bugs.python.org/issue43285
https://github.com/python/cpython/commit/0ab152c6b5d95caa2dc1a30fa96e10258b5f188e (master)
https://github.com/python/cpython/commit/7dcb4baa4f0fde3aef5122a8e9f6a41853ec9335 (v3.9.3)
https://github.com/python/cpython/commit/79373951b3eab585d42e0f0ab83718cbe1d0ee33 (v3.7.11)
https://github.com/python/cpython/commit/4134f154ae2f621f25c5d698cc0f1748035a1b88 (v3.6.14)
https://bugzilla.redhat.com/show_bug.cgi?id=2036020

Search for package or bug name: Reporting problems