-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian LTS Advisory DLA-2919-1 debian-...@lists.debian.org https://www.debian.org/lts/security/ Anton Gladky February 12, 2022 https://wiki.debian.org/LTS - -------------------------------------------------------------------------
Package : python2.7 Version : 2.7.13-2+deb9u6 CVE ID : CVE-2021-3177 CVE-2021-4189 Two issues have been discovered in python2.7: CVE-2021-3177 Python has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution in certain Python applications that accept floating-point numbers as untrusted input. CVE-2021-4189 A flaw was found in Python, specifically in the FTP (File Transfer Protocol) client library when using it in PASV (passive) mode. The flaw lies in how the FTP client trusts the host from PASV response by default. An attacker could use this flaw to setup a malicious FTP server that can trick FTP clients into connecting back to a given IP address and port. This could lead to FTP client scanning ports which otherwise would not have been possible. . Instead of using the returned address, ftplib now uses the IP address we're already connected to. For the rare user who wants an old behavior, set a `trust_server_pasv_ipv4_address` attribute on your `ftplib.FTP` instance to True. For Debian 9 stretch, these problems have been fixed in version 2.7.13-2+deb9u6. We recommend that you upgrade your python2.7 packages. For the detailed security status of python2.7 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/python2.7 Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEu71F6oGKuG/2fnKF0+Fzg8+n/wYFAmIIAncACgkQ0+Fzg8+n /wZuIw/+OiuwUuPTvw9K+5rw1h1Rme/llzRWopNoPh8wJ+mhz8VOJ9O0gkdRqphu zpA8JjP+6Nip0cBLQsDlfs/3Oz8H3mZdh7f3SwIlaFqR/U0Y7/SvyL31NwVc84i6 zsQPeXU3Z6Ox8EEUg5B3UCiaaeaOoTQayXCoGPx72i+wOiLSIwK7Aq7H04PBmfSJ hWL6p7O+B+KiwlGcgK9oX+cGa84SoZFrSsSY8ftY/ZDdtTlbGLZn6y1yPtsszsxf sMS0PMN9iOCqeSBqelSldLVV8eSFmdE1nvR3NMfX8jNHp8Q8DKkRhlzR6w6O6FFL 8gGWrg7IZL1D6nblYwGoGWcZDftcDl26cayLVTg9NsHmTGTH5PYPz6/43VRK5qz6 66naV0S38f0CgcfHhuiBG3D+u1VOAe8DSlmgCmf52Iqu+1xbE+PM3WyOhDwSI11Z EllRe4+s1tnojc7U3EOkpd/JbxFp7wWYtSCkpYmDfGXhFy1Er4oKGPAZURymFtBK IEiTE42RqqfC77kwxoqz++W0VEx/JDKOMHT0zcxtip1G9aYtCMM6nt5fsrxwxZNY CyL7QVEeVtn4qum2Z1BwDaUJZpdf0nDAgmoQWgXAt0LZ9zevVNG9wv0XgQacUnLG AGCjRWwl77dgeYrJMlItYLFRoFReEnh+YuRbbvgIcZwBr1tSrOk= =3cDu -----END PGP SIGNATURE-----