Opened 3 years ago

Closed 2 years ago

Last modified 2 years ago

#4843 closed task (fixed)

Python3-3.9.4 (CVE-2021-3426)

Reported by: Bruce Dubbs Owned by: lfs-book
Priority: high Milestone: 11.0
Component: Book Version: SVN
Severity: normal Keywords:


New point version.

Change History (7)

comment:1 by Bruce Dubbs, 2 years ago

Summary: python3-3.9.3 → python3-3.9.4

Now version 3.9.4.

comment:2 by Xi Ruoyao, 2 years ago

Priority: normal → high
Summary: python3-3.9.4 → python3-3.9.4 (CVE-2021-3426)

comment:3 by Bruce Dubbs, 2 years ago

Summary: python3-3.9.4 (CVE-2021-3426) → Python3-3.9.4 (CVE-2021-3426)

comment:4 by Bruce Dubbs, 2 years ago

Notable changes in Python 3.9.3

A security fix alters the ftplib.FTP behavior to not trust the IPv4 address sent from the remote server when setting up a passive data channel. We reuse the ftp server IP address instead. For unusual code requiring the old behavior, set a trust_server_pasv_ipv4_address attribute on your FTP instance to True.

Python 3.9.4

Python 3.9.4 is a hotfix release addressing an unintentional ABI incompatibility introduced in Python 3.9.3. Upgrading is highly recommended to all users.

To reiterate, Python 3.9.3 was itself an expedited release due to its security content:

bpo-43631: high-severity CVE-2021-3449 and CVE-2021-3450 were published for OpenSSL, it's been upgraded to 1.1.1k in CI, and macOS and Windows installers.

bpo-42988: CVE-2021-3426: Remove the getfile feature of the pydoc module which could be abused to read arbitrary files on the disk (directory traversal vulnerability). Moreover, even source code of Python modules can contain sensitive data like passwords.

bpo-43285: ftplib no longer trusts the IP address value returned from the server in response to the PASV command by default. This prevents a malicious FTP server from using the response to probe IPv4 address and port combinations on the client network. Code that requires the former vulnerable behavior may set a trust_server_pasv_ipv4_address attribute on their ftplib.FTP instances to True to re-enable it.

bpo-43439: Add audit hooks for gc.get_objects(), gc.get_referrers() and gc.get_referents().
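As an added illustration, not code from the ticket or from the Python project, the following constructed Python mirrors the decision ftplib's FTP.makepasv() makes after bpo-43285 (only the port is taken from the server's 227 reply; the host is the control connection's peer unless trust_server_pasv_ipv4_address is set) and includes a check for whether the running interpreter exposes that attribute at all. The reply string and addresses are constructed sample values.

```python
from __future__ import annotations
import re
from ftplib import FTP

# Regex for the six decimal fields in "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)";
# this hand-rolled parser stands in for the stdlib's internal parse227().
_PASV_FIELDS = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def parse_pasv_reply(reply: str) -> tuple[str, int]:
    """Return (advertised_host, port) from a 227 PASV reply line."""
    if not reply.startswith("227"):
        raise ValueError("not a 227 reply: %r" % reply)
    m = _PASV_FIELDS.search(reply)
    if m is None:
        raise ValueError("malformed PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), (p1 << 8) + p2


def choose_data_endpoint(reply: str, control_peer: str,
                         trust_server: bool = False) -> tuple[str, int]:
    """Pick where the data channel connects.

    Default (trust_server=False, the 3.9.3+ behaviour): the host the server
    advertised is ignored and the control connection's peer address is reused,
    so a reply pointing at some other address on the client's network is not
    followed. trust_server=True is the pre-fix behaviour that ftplib re-enables
    through FTP.trust_server_pasv_ipv4_address = True.
    """
    advertised_host, port = parse_pasv_reply(reply)
    host = advertised_host if trust_server else control_peer
    return host, port


def has_pasv_hardening() -> bool:
    """True if this interpreter's ftplib carries the bpo-43285 attribute."""
    return hasattr(FTP, "trust_server_pasv_ipv4_address")


if __name__ == "__main__":
    # Constructed sample: control connection peer differs from the advertised host.
    reply = "227 Entering Passive Mode (10,0,0,5,19,137)"
    print("hardened default:", choose_data_endpoint(reply, "203.0.113.7"))
    print("legacy trust    :", choose_data_endpoint(reply, "203.0.113.7", True))
    print("ftplib has attribute:", has_pasv_hardening())
```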

comment:5 by Bruce Dubbs, 2 years ago

Resolution: fixed
Status: new → closed

Fixed at commit af548cd4a..7b2439a5d.

comment:6 by ken@…, 2 years ago

Security Advisory 10.1-035 created.

comment:7 by Bruce Dubbs, 2 years ago

Milestone: 10.2 → 11.0

Milestone renamed
