Opened 3 weeks ago

Closed 10 days ago

#5934 closed enhancement (fixed)

Fix CVE-2026-7210 and CVE-2026-8328 in Python

Reported by: Douglas R. Reno Owned by: SecurityAdvisory
Priority: high Milestone: 13.1
Component: Book Version: git
Severity: normal Keywords:
Cc:

Description

While reviewing my email, I was greeted by another CPython security vulnerability, this time also valid for 3.14.5.

-------- Forwarded Message --------
Subject:     [Security-announce][CVE-2026-7210] The expat and elementtree parsers use insufficient entropy for XML hash-flooding protection
Date:     Mon, 11 May 2026 17:58:49 +0100
From:     Stan Ulbrych via Security-announce <security-announce@python.org>
Reply-To:     security-sig@python.org
To:     security-announce@python.org
CC:     Stan Ulbrych <stanulbrych@gmail.com>

There is a MEDIUM severity vulnerability affecting CPython.

`xml.parsers.expat` and `xml.etree.ElementTree` use insufficient entropy for Expat hash-flooding protection, which allows a crafted XML document to trigger hash flooding.

Fully mitigating this vulnerability requires both updating libexpat to 2.8.0 or later and applying this patch.

Please see the linked CVE ID for the latest information on affected versions:

* https://www.cve.org/CVERecord?id=CVE-2026-7210
* https://github.com/python/cpython/pull/149023

an insufficient entropy problem that also requires users to update to Expat 2.8.0 or later.

Change History (7)

comment:2 by Joe Locash, 3 weeks ago

Summary: changed from Fix CVE-2026-7210 in Python to Fix CVE-2026-7210 and CVE-2021-4189 in Python
Subject: [Security-announce][CVE-2026-8328] FTP PASV SSRF, ftpcp() does not use actual peer address, trusts server-supplied PASV host address
Date: Wed, 13 May 2026 20:15:52 +0000
From: Seth Larson <seth@python.org>
Reply-To: security-sig@python.org
To: security-announce@python.org

There is a MEDIUM severity vulnerability affecting CPython.

The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv() was patched to replace server-supplied PASV host addresses with the actual peer address (getpeername()[0]), ftpcp() still calls parse227() directly and passes the raw attacker-controllable IP address and port to target.sendport().

Please see the linked CVE ID for the latest information on affected versions:

* https://www.cve.org/CVERecord?id=CVE-2026-8328
* https://github.com/python/cpython/pull/149648

Upstream PR for the 3.14 branch: https://github.com/python/cpython/pull/149793 (merged)
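As an added illustration of the mechanism the advisory describes (this is not code from CPython or from the linked pull requests), the block below contrasts using a 227 PASV reply as the server supplied it with the peer-address substitution that makepasv() applies; the 227 reply, the peer address and the function names are constructed for the example.

```python
from ftplib import parse227  # CPython's own 227 reply parser

# Constructed sample reply: the advertised host (10.0.0.5) is not the
# server we are connected to, which is the pattern the advisory warns about.
SAMPLE_227 = "227 Entering Passive Mode (10,0,0,5,195,80)."
# Constructed value standing in for what getpeername()[0] would return.
PEER_ADDR = "203.0.113.10"


def pasv_target_as_supplied(resp_227):
    """Pre-fix ftpcp() behaviour: take host and port straight from the reply."""
    return parse227(resp_227)


def pasv_target_hardened(resp_227, peer_addr, trust_server_pasv_ipv4=False):
    """Mirror the makepasv() mitigation: keep the server's port but use the
    address of the control connection's peer instead of the advertised host.
    The opt-in flag models ftplib.FTP.trust_server_pasv_ipv4_address, which
    defaults to False (hypothetical parameter name here)."""
    host, port = parse227(resp_227)
    if not trust_server_pasv_ipv4:
        host = peer_addr
    return host, port


def pasv_host_mismatch(resp_227, peer_addr):
    """Detection helper: True when the advertised PASV host differs from the
    real peer, i.e. the reply would have redirected a data connection."""
    host, _port = parse227(resp_227)
    return host != peer_addr


if __name__ == "__main__":
    print("as supplied:", pasv_target_as_supplied(SAMPLE_227))
    print("hardened:   ", pasv_target_hardened(SAMPLE_227, PEER_ADDR))
    print("mismatch:   ", pasv_host_mismatch(SAMPLE_227, PEER_ADDR))
```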

comment:3 by Douglas R. Reno, 3 weeks ago

Patch added to the repository. I am going to do a test build of LFS with this, tcl-8.6.18, and Linux-7.0.7 in a couple hours, and if all goes well, I will update the books ahead of schedule.

comment:4 by Douglas R. Reno, 3 weeks ago

Summary: changed from Fix CVE-2026-7210 and CVE-2021-4189 in Python to Fix CVE-2026-7210 and CVE-2026-8328 in Python

comment:6 by Douglas R. Reno, 3 weeks ago

Owner: changed from lfs-book to SecurityAdvisory

Holding open for security advisory.

comment:7 by Douglas R. Reno, 10 days ago

Resolution: fixed
Status: changed from new to closed

SA-13.0-070 issued
