-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.0627
                        python2.7 security update
                              14 February 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           python2.7
Publisher:         Debian
Operating System:  Debian GNU/Linux
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-4189 CVE-2021-3177

Reference:         ASB-2022.0034
                   ASB-2021.0140
                   ESB-2022.0554
                   ESB-2021.2902

Original Bulletin:
   https://www.debian.org/lts/security/2022/dla-2919

Comment: CVSS (Max):  5.9 CVE-2021-3177 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
         CVSS Source: Red Hat

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian LTS Advisory DLA-2919-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                          Anton Gladky
February 12, 2022                             https://wiki.debian.org/LTS
- - -------------------------------------------------------------------------

Package        : python2.7
Version        : 2.7.13-2+deb9u6
CVE ID         : CVE-2021-3177 CVE-2021-4189

Two issues have been discovered in python2.7:

CVE-2021-3177

    Python has a buffer overflow in PyCArg_repr in _ctypes/callproc.c,
    which may lead to remote code execution in certain Python applications
    that accept floating-point numbers as untrusted input.

CVE-2021-4189

    A flaw was found in Python, specifically in the FTP (File Transfer
    Protocol) client library when using it in PASV (passive) mode. The
    flaw lies in how the FTP client trusts the host given in the PASV
    response by default. An attacker could use this flaw to set up a
    malicious FTP server that tricks FTP clients into connecting back to
    an IP address and port of the attacker's choosing. This could be used
    to make the FTP client scan ports that would otherwise be unreachable
    to the attacker.

    Instead of using the returned address, ftplib now uses the IP address
    we're already connected to. For the rare user who wants the old
    behaviour, set a `trust_server_pasv_ipv4_address` attribute on your
    `ftplib.FTP` instance to True.

For Debian 9 stretch, these problems have been fixed in version
2.7.13-2+deb9u6.

We recommend that you upgrade your python2.7 packages.

For the detailed security status of python2.7 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python2.7

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEu71F6oGKuG/2fnKF0+Fzg8+n/wYFAmIIAncACgkQ0+Fzg8+n
/wZuIw/+OiuwUuPTvw9K+5rw1h1Rme/llzRWopNoPh8wJ+mhz8VOJ9O0gkdRqphu
zpA8JjP+6Nip0cBLQsDlfs/3Oz8H3mZdh7f3SwIlaFqR/U0Y7/SvyL31NwVc84i6
zsQPeXU3Z6Ox8EEUg5B3UCiaaeaOoTQayXCoGPx72i+wOiLSIwK7Aq7H04PBmfSJ
hWL6p7O+B+KiwlGcgK9oX+cGa84SoZFrSsSY8ftY/ZDdtTlbGLZn6y1yPtsszsxf
sMS0PMN9iOCqeSBqelSldLVV8eSFmdE1nvR3NMfX8jNHp8Q8DKkRhlzR6w6O6FFL
8gGWrg7IZL1D6nblYwGoGWcZDftcDl26cayLVTg9NsHmTGTH5PYPz6/43VRK5qz6
66naV0S38f0CgcfHhuiBG3D+u1VOAe8DSlmgCmf52Iqu+1xbE+PM3WyOhDwSI11Z
EllRe4+s1tnojc7U3EOkpd/JbxFp7wWYtSCkpYmDfGXhFy1Er4oKGPAZURymFtBK
IEiTE42RqqfC77kwxoqz++W0VEx/JDKOMHT0zcxtip1G9aYtCMM6nt5fsrxwxZNY
CyL7QVEeVtn4qum2Z1BwDaUJZpdf0nDAgmoQWgXAt0LZ9zevVNG9wv0XgQacUnLG
AGCjRWwl77dgeYrJMlItYLFRoFReEnh+YuRbbvgIcZwBr1tSrOk=
=3cDu
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager.
If you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYgnW3eNLKJtyKPYoAQjDzA//cK/ydBimB7iKzmr9FvS6VcSmc5rZpDkp
utorxEMp4DFyFkxyAKQab5DbiPqEFnSoiCY0ddzkI+SVuxOeglh0TjLlciTeELbE
5w+d+mvIfr65TGlT49OAdi1pesn5rVtb0otq2hkGeWQObxdBfuRMVj7/njK+rEOX
0KN1w1wyx3fQKrczqGNCHMC6hK7hNkN5qa3fmHjsSOjWt/MQ4gMhPQk4Ksmr+SFF
Wo/2T3vAv3LptgbYUFUaSU7mHkEpkr4HFn30rvg9dtCSecTIv3FcTP9hdjuQQjvV
pPywDswRKqg25hf18YXYNjz8j20pOD3LTusQAjICR8KCDSnWcOHlRCd5AZmybA5p
yR7QlVG1b81+iXSQ/7lXMiM2VY10SDGgdja09Fs3PyFHwnJMIgCQTCAaKUOfIq51
+8LJFH398yomT+Mzc2b7r8P9tXYz9fyNcuiOw757xvrI+y6B+8KmaYq8+po932C/
3YRAxroSsj9Ngl5NlASzsVfm06cl0EuTNpqLz55ukAjk8sdy2F9OvelCvTsKl8Q7
JiXWRfRwX1ZTbEd0YCaqAsaiyRCuuPfeRKnLbQc6Dr+nhcS54fnGOj6OFwiEaGD+
kPB5n/olZACKPlg82jFmKNsaQeUNLmM/ia49Ua01dLpN6Une68SU+em3JU1V4lAQ
nQCegR4JBNU=
=uzow
-----END PGP SIGNATURE-----
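As an added example (it is not part of the Debian advisory or of AusCERT's bulletin), the script below models the ftplib change the advisory describes for CVE-2021-4189 and adds a post-upgrade check for each of the two issues. It is written for Python 3 rather than the python2.7 package the advisory covers, because both fixes were also applied there under the same names; the function names, the sample 227 reply and the peer address are this example's own constructions, and the use of c_double.from_param() to reach PyCArg_repr is taken from the CPython _ctypes source, not from the advisory.

```python
"""Checks for the two issues fixed by DLA-2919-1 (added example, Python 3)."""
import ftplib
import re
import subprocess
import sys

# A PASV reply looks like "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)."
# Four host octets plus the data port split into its high and low byte.
_PASV_RE = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", re.ASCII)


def parse_227(resp):
    """Return (host, port) as advertised in a 227 reply, or raise ValueError.

    Same shape as ftplib.parse227, but stricter: octets and port bytes above
    255 are rejected. The host comes from the server and is untrusted.
    """
    if not resp.startswith("227"):
        raise ValueError("not a 227 reply: %r" % resp)
    m = _PASV_RE.search(resp)
    if not m:
        raise ValueError("no (h1,h2,h3,h4,p1,p2) in reply: %r" % resp)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range in reply: %r" % resp)
    host = ".".join(str(o) for o in fields[:4])
    port = (fields[4] << 8) + fields[5]
    return host, port


def data_connection_address(resp, control_peer, trust_server_pasv_ipv4_address=False):
    """Pick the data-connection target the way the fixed ftplib does.

    control_peer is the server end of the control connection, i.e. what
    sock.getpeername() returns. With the default False the advertised host
    is discarded and only the port is used, so a hostile server cannot point
    the client at a third host. True restores the pre-fix behaviour that the
    advisory's trust_server_pasv_ipv4_address attribute opts back into.
    """
    advertised_host, port = parse_227(resp)
    if trust_server_pasv_ipv4_address:
        return advertised_host, port
    return control_peer[0], port


def installed_ftplib_has_fix():
    """The fixed ftplib carries trust_server_pasv_ipv4_address = False on the
    FTP class; an unpatched stdlib has no such attribute."""
    return getattr(ftplib.FTP, "trust_server_pasv_ipv4_address", None) is False


# Constructed sample: the port is plausible, but 10.0.0.5 is not the server
# our control socket is connected to (198.51.100.7, a documentation address).
MALICIOUS_227 = "227 Entering Passive Mode (10,0,0,5,4,1)."
CONTROL_PEER = ("198.51.100.7", 21)


def cve_2021_3177_repr_is_safe(value=1e300):
    """Trigger PyCArg_repr in a child interpreter and report whether it survived.

    c_double.from_param() returns the CArgObject whose repr() formatted the
    double with %f into a fixed 256-byte stack buffer before the fix; 1e300
    needs over 300 characters. A child process is used so that an unpatched
    interpreter aborts on its own (non-zero exit) instead of taking this
    script down with it. The fixed repr prints the Python float repr instead.
    """
    code = "import ctypes; print(repr(ctypes.c_double.from_param(%r)))" % value
    try:
        proc = subprocess.run([sys.executable, "-c", code],
                              capture_output=True, text=True, timeout=30)
    except subprocess.TimeoutExpired:
        return False
    return proc.returncode == 0 and proc.stdout.startswith("<cparam 'd' (")


if __name__ == "__main__":
    print("PASV target, default:      ", data_connection_address(MALICIOUS_227, CONTROL_PEER))
    print("PASV target, old behaviour:", data_connection_address(MALICIOUS_227, CONTROL_PEER, True))
    print("ftplib has the PASV fix:   ", installed_ftplib_has_fix())
    print("PyCArg_repr safe for 1e300:", cve_2021_3177_repr_is_safe())
```

Run it with the interpreter you want to verify. On an unpatched interpreter the child process crashes (with glibc's stack protector the message is a stack-smashing abort) and cve_2021_3177_repr_is_safe() returns False; installed_ftplib_has_fix() looks only for the opt-out attribute the advisory names, so on a patched build it returns True while the library still ignores the advertised PASV host by default.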