-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.0627
                         python2.7 security update
                             14 February 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           python2.7
Publisher:         Debian
Operating System:  Debian GNU/Linux
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-4189 CVE-2021-3177 

Reference:         ASB-2022.0034
                   ASB-2021.0140
                   ESB-2022.0554
                   ESB-2021.2902

Original Bulletin: 
   https://www.debian.org/lts/security/2022/dla-2919

Comment: CVSS (Max):  5.9 CVE-2021-3177 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
         CVSS Source: Red Hat

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian LTS Advisory DLA-2919-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                         Anton Gladky
February 12, 2022                             https://wiki.debian.org/LTS
- - -------------------------------------------------------------------------

Package        : python2.7
Version        : 2.7.13-2+deb9u6
CVE ID         : CVE-2021-3177 CVE-2021-4189

Two issues have been discovered in python2.7:

CVE-2021-3177

    Python has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may
    lead to remote code execution in certain Python applications that accept
    floating-point numbers as untrusted input.

CVE-2021-4189

    A flaw was found in Python, specifically in the FTP (File Transfer Protocol)
    client library when using it in PASV (passive) mode. The flaw lies in how
    the FTP client trusts the host in the PASV response by default. An attacker
    could use this flaw to set up a malicious FTP server that tricks FTP
    clients into connecting back to a given IP address and port. This could lead
    to the FTP client scanning ports which otherwise would not have been possible.

    Instead of using the returned address, ftplib now uses the IP address we're
    already connected to. For the rare user who wants the old behavior, set the
    `trust_server_pasv_ipv4_address` attribute on your `ftplib.FTP` instance to
    True.
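
The decision described above, as an added example that is not Debian's patch or CPython's own code: it reuses the standard-library parser `ftplib.parse227` and mirrors the choice the fixed `FTP.makepasv` makes between the advertised address and the control-connection address, so the behaviour can be inspected offline. The 227 reply lines and the `198.51.100.5` control address are constructed sample values; `pasv_target`, `pasv_redirect_detected` and `ftplib_has_pasv_fix` are names chosen here.

```python
"""Model of the CVE-2021-4189 mitigation in ftplib's passive-mode handling.

Added example (not Debian's patch and not CPython's own code): it reuses the
stdlib parser ftplib.parse227 and mirrors the decision the fixed FTP.makepasv
makes, so the behaviour can be inspected without a live FTP server.
"""
import ftplib

# Constructed sample replies. The first is a benign PASV reply; the second
# advertises an address other than the server we are connected to.
BENIGN_227 = "227 Entering Passive Mode (198,51,100,5,4,1)"
REDIRECT_227 = "227 Entering Passive Mode (192,0,2,10,4,1)"


def pasv_target(resp, connected_host, trust_server_pasv_ipv4_address=False):
    """Return the (host, port) the client should use for the data channel.

    resp           -- the raw 227 reply line from the server
    connected_host -- the IP address the control connection is already using
    trust_server_pasv_ipv4_address -- the opt-in attribute named in the
        advisory; False (the patched default) ignores the advertised host.
    """
    if not resp.startswith("227"):
        raise ftplib.error_reply(resp)
    # parse227 turns "h1,h2,h3,h4,p1,p2" into ("h1.h2.h3.h4", p1*256 + p2)
    advertised_host, port = ftplib.parse227(resp)
    if trust_server_pasv_ipv4_address:
        return advertised_host, port  # old behaviour: trust the server's address
    return connected_host, port       # fixed behaviour: reuse the control host


def pasv_redirect_detected(resp, connected_host):
    """True when the server tried to point the data channel elsewhere.

    A mismatch between the advertised host and the control-connection host
    is exactly the condition CVE-2021-4189 abused, so a client wrapper or
    proxy can log it even though the patched client no longer follows it.
    """
    advertised_host, _ = ftplib.parse227(resp)
    return advertised_host != connected_host


def ftplib_has_pasv_fix():
    """Check whether the installed ftplib carries the attribute the fix added.

    Assumption: the backport exposes it as a class attribute on ftplib.FTP,
    as upstream CPython does; absence means the interpreter predates the fix.
    """
    return hasattr(ftplib.FTP, "trust_server_pasv_ipv4_address")


if __name__ == "__main__":
    host = "198.51.100.5"  # constructed: the address the control socket is connected to
    print("benign reply  ->", pasv_target(BENIGN_227, host))
    print("redirect, fixed default ->", pasv_target(REDIRECT_227, host))
    print("redirect, opt-in trust  ->",
          pasv_target(REDIRECT_227, host, trust_server_pasv_ipv4_address=True))
    print("redirect attempt detected:", pasv_redirect_detected(REDIRECT_227, host))
    print("installed ftplib has the fix attribute:", ftplib_has_pasv_fix())
```

In CPython's real `makepasv` this substitution is applied only to IPv4 control connections (the client sends EPSV and uses `parse229` over IPv6), and the host it substitutes comes from `self.sock.getpeername()`; the example takes that address as a parameter so it can run without a socket.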

For Debian 9 stretch, these problems have been fixed in version
2.7.13-2+deb9u6.

We recommend that you upgrade your python2.7 packages.

For the detailed security status of python2.7 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python2.7

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----