Change History (7)
comment:1 by , 4 years ago
Summary: python3-3.9.3 → python3-3.9.4
comment:2 by , 4 years ago
Priority: normal → high
Summary: python3-3.9.4 → python3-3.9.4 (CVE-2021-3426)
comment:3 by , 4 years ago
Summary: python3-3.9.4 (CVE-2021-3426) → Python3-3.9.4 (CVE-2021-3426)
comment:4 by , 4 years ago
Notable changes in Python 3.9.3
A security fix alters the ftplib.FTP behavior to not trust the IPv4 address sent from the remote server when setting up a passive data channel. We reuse the ftp server IP address instead. For unusual code requiring the old behavior, set a trust_server_pasv_ipv4_address attribute on your FTP instance to True.
Python 3.9.4
Python 3.9.4 is a hotfix release addressing an unintentional ABI incompatibility introduced in Python 3.9.3. Upgrading is highly recommended to all users.
To reiterate, Python 3.9.3 was itself an expedited release due to its security content:
bpo-43631: high-severity CVE-2021-3449 and CVE-2021-3450 were published for OpenSSL, it's been upgraded to 1.1.1k in CI, and macOS and Windows installers.
bpo-42988: CVE-2021-3426: Remove the getfile feature of the pydoc module which could be abused to read arbitrary files on the disk (directory traversal vulnerability). Moreover, even source code of Python modules can contain sensitive data like passwords.
bpo-43285: ftplib no longer trusts the IP address value returned from the server in response to the PASV command by default. This prevents a malicious FTP server from using the response to probe IPv4 address and port combinations on the client network. Code that requires the former vulnerable behavior may set a trust_server_pasv_ipv4_address attribute on their ftplib.FTP instances to True to re-enable it.
bpo-43439: Add audit hooks for gc.get_objects(), gc.get_referrers() and gc.get_referents().
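To make the bpo-43285 change quoted above concrete, here is an added example (not part of this ticket, the Python release notes, or CPython's test suite). It stands up a constructed fake FTP control channel on loopback whose PASV reply claims the data port lives on 10.0.0.1, an address different from the one the client connected to, and then asks ftplib which host it would dial for the data channel with the default setting and with trust_server_pasv_ipv4_address set to True. It assumes a Python whose ftplib already carries the fix (3.9.3 or later, or the corresponding 3.8/3.7/3.6 security releases); on an unpatched interpreter both calls return the server-supplied address. FTP.makepasv() only performs the PASV exchange and returns the target, so no packet is ever sent to 10.0.0.1.

```python
import ftplib
import socket
import threading

# Constructed reply from a hostile or misconfigured server: it claims the data
# channel is at 10.0.0.1:1025 (4*256 + 1), which is NOT the host the client
# opened the control connection to. Before bpo-43285, ftplib would connect there.
SPOOFED_PASV_REPLY = b"227 Entering Passive Mode (10,0,0,1,4,1)\r\n"


def _serve_one_session(listener, pasv_reply):
    """Minimal fake FTP control channel (constructed for this example): accepts
    one client, answers USER/PASS/PASV/QUIT, then exits."""
    conn, _ = listener.accept()
    listener.close()
    with conn, conn.makefile("rb") as lines:
        conn.sendall(b"220 fake ftp ready\r\n")
        for raw in lines:
            cmd = raw.decode("ascii", "replace").strip().upper()
            if cmd.startswith("USER "):
                conn.sendall(b"331 password please\r\n")
            elif cmd.startswith("PASS "):
                conn.sendall(b"230 logged in\r\n")
            elif cmd == "PASV":
                conn.sendall(pasv_reply)
            elif cmd == "QUIT":
                conn.sendall(b"221 bye\r\n")
                break
            else:
                conn.sendall(b"502 command not implemented\r\n")


def start_fake_server(pasv_reply=SPOOFED_PASV_REPLY):
    """Bind an ephemeral loopback port and serve one session in a thread."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    worker = threading.Thread(target=_serve_one_session,
                              args=(listener, pasv_reply), daemon=True)
    worker.start()
    return port, worker


def ftplib_has_pasv_fix():
    """True when this interpreter's ftplib carries the bpo-43285 change
    (the attribute is a class-level default on ftplib.FTP)."""
    return hasattr(ftplib.FTP, "trust_server_pasv_ipv4_address")


def pasv_data_target(trust_server_address):
    """Log in to the fake server and return the (host, port) ftplib WOULD use
    for the passive data channel.

    FTP.makepasv() performs only the PASV exchange and returns the target; it
    does not open the data connection, so nothing is ever sent to 10.0.0.1.
    """
    port, worker = start_fake_server()
    ftp = ftplib.FTP(timeout=5)
    ftp.connect("127.0.0.1", port)
    ftp.login()                       # USER anonymous / PASS anonymous@
    ftp.trust_server_pasv_ipv4_address = trust_server_address
    host, data_port = ftp.makepasv()
    ftp.quit()
    worker.join(timeout=5)
    return host, data_port


if __name__ == "__main__":
    print("ftplib has the fix:", ftplib_has_pasv_fix())
    # Default (hardened): the control connection's peer address is reused;
    # only the port is taken from the server's reply.
    print("default          :", pasv_data_target(False))   # ('127.0.0.1', 1025)
    # Explicit opt-in to the old behaviour: the server-supplied address is used.
    print("trust server addr:", pasv_data_target(True))    # ('10.0.0.1', 1025)
```

The point a practitioner should take from the second call is that the opt-in attribute restores exactly the pre-fix behaviour: an attacker-controlled server can steer the client's data connection at any IPv4 address and port reachable from the client, so it should only be set for servers you control and that genuinely need it.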
comment:5 by , 4 years ago
Resolution: → fixed
Status: new → closed
Fixed at commit af548cd4a..7b2439a5d. Now version 3.9.4.