[issue36384] [security] CVE-2021-29921: ipaddress Should not reject IPv4 addresses with leading zeroes as ambiguously octal

2021-08-19 Thread Łukasz Langa
Łukasz Langa added the comment: New changeset 98820250a3c9c131d3c2d57c4fc5260aebd8aa1d by Miss Islington (bot) in branch '3.9': bpo-36384: [doc] Mention CVE-2021-29921 fix in 3.8.12 (GH-27824) (GH-27827) https://github.com/python/cpython/commit/98820250a3c9c131d3c2d57c4fc5260aebd8aa1d

2021-08-19 Thread miss-islington
miss-islington added the comment: New changeset 1204dfc89cb3ed5e21dce32aed0339b7569fe1f9 by Miss Islington (bot) in branch '3.10': bpo-36384: [doc] Mention CVE-2021-29921 fix in 3.8.12 (GH-27824) https://github.com/python/cpython/commit/1204dfc89cb3ed5e21dce32aed0339b7569fe1f9

2021-08-19 Thread miss-islington
Change by miss-islington: pull_requests: +26291 pull_request: https://github.com/python/cpython/pull/27826

2021-08-19 Thread miss-islington
Change by miss-islington: pull_requests: +26292 pull_request: https://github.com/python/cpython/pull/27827

2021-08-19 Thread Łukasz Langa
Łukasz Langa added the comment: New changeset 0fd66e46b2f472d0d206a185dc8892f4f0347cb6 by Łukasz Langa in branch 'main': bpo-36384: [doc] Mention CVE-2021-29921 fix in 3.8.12 (GH-27824) https://github.com/python/cpython/commit/0fd66e46b2f472d0d206a185dc8892f4f0347cb6

2021-08-19 Thread Łukasz Langa
Łukasz Langa added the comment: New changeset 6ebfe8da6331bfcf54057f6e22a6f353a5621d35 by Łukasz Langa in branch '3.8': [3.8] bpo-36384: [doc] Correct typos in CVE-2021-29921 fix description (GH-27825) https://github.com/python/cpython/commit/6ebfe8da6331bfcf54057f6e22a6f353a5621d35

2021-08-19 Thread Łukasz Langa
Change by Łukasz Langa: pull_requests: +26290 pull_request: https://github.com/python/cpython/pull/27825

2021-08-19 Thread Łukasz Langa
Change by Łukasz Langa: pull_requests: +26289 pull_request: https://github.com/python/cpython/pull/27824

2021-08-19 Thread Łukasz Langa
Change by Łukasz Langa: versions: +Python 3.10, Python 3.9

2021-08-17 Thread Łukasz Langa
Łukasz Langa added the comment: New changeset 03dd89d62413c4a92831ed1b36e2ae8983bcb2d4 by achraf-mer in branch '3.8': [3.8] bpo-36384: Leading zeros in IPv4 addresses are no longer tolerated (GH-25099) (GH-27801)

2021-08-17 Thread Christian Heimes
Christian Heimes added the comment: The CVE was rated https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H=3.1, which is equivalent to an RCE with authentication bypass. I would rate the issue

2021-08-17 Thread Christian Heimes
Christian Heimes added the comment: "CRITICAL" is a ridiculously high assessment for this bug. Somebody ticked all the scary boxes in the CVSS form like "total loss of control".

2021-08-17 Thread Łukasz Langa
Łukasz Langa added the comment: I was unaware of the "CRITICAL" base score assigned by NIST to this. Alright, let's port this back then. There are a few things the PR will need.

2021-08-17 Thread Achraf Merzouki
Achraf Merzouki added the comment:
>> it prevents using 3.8 because of this open vulnerability
> What do you mean by this?
> Our understanding is that this is a low-severity CVE because in order for this to be a vulnerability, you'd have to have both:
> 1. user access to IP address input;

2021-08-17 Thread Łukasz Langa
Łukasz Langa added the comment:
> it prevents using 3.8 because of this open vulnerability
What do you mean by this? Our understanding is that this is a low-severity CVE because in order for this to be a vulnerability, you'd have to have both: 1. user access to IP address input; and 2.

2021-08-17 Thread Roundup Robot
Change by Roundup Robot: nosy: +python-dev nosy_count: 17.0 -> 18.0 pull_requests: +26269 pull_request: https://github.com/python/cpython/pull/27801

2021-08-17 Thread Achraf Merzouki
Achraf Merzouki added the comment: Can we backport the security fix from this issue (https://bugs.python.org/issue36384#msg392684) to version 3.8? The comment explicitly says that it was decided not to include it in 3.8. I am not sure this is best, since it prevents using 3.8 because of this open

2021-05-25 Thread STINNER Victor
STINNER Victor added the comment:
> I think the only thing I'd improve would be to mention that this issue is the one that introduced the bug, otherwise it looks a bit weird.
Ok, done: https://python-security.readthedocs.io/vuln/ipaddress-ipv4-leading-zeros.html#timeline

2021-05-25 Thread George-Cristian Bîrzan
George-Cristian Bîrzan added the comment: I think the only thing I'd improve would be to mention that this issue is the one that introduced the bug, otherwise it looks a bit weird.

2021-05-25 Thread STINNER Victor
STINNER Victor added the comment: George-Cristian Bîrzan: "The timeline there is wrong." Fixed: https://python-security.readthedocs.io/vuln/ipaddress-ipv4-leading-zeros.html#timeline The strange part is "2019-03-20 (-741 days): Python issue bpo-36384 reported by Joel Croteau". The problem

2021-05-25 Thread George-Cristian Bîrzan
George-Cristian Bîrzan added the comment: The timeline there is wrong. This issue's creation time isn't the disclosure time, it's when the bug was introduced. The disclosure was on 30th of May, when I emailed secur...@python.org and Christian Heimes commented here and made

2021-05-25 Thread STINNER Victor
STINNER Victor added the comment: I created https://python-security.readthedocs.io/vuln/ipaddress-ipv4-leading-zeros.html to track this vulnerability. Python 3.8 is left unchanged (accept leading zeros). Python 3.7 and older are not affected.
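As an added illustration (not code from this thread or from CPython), the block below applies the rule the fix enforces, rejecting any dotted-quad octet with a leading zero, and shows why that rule matters: the same string reads differently under a parser that ignores leading zeros (the pre-fix behaviour) and under one that treats a leading '0' as octal (the inet_aton convention). Function names and sample inputs are mine; the octal-style model is deliberately simplified and does not handle hex octets.

```python
import ipaddress

# Constructed sample inputs for the demonstration (not taken from the thread).
SAMPLES = ["192.168.1.1", "010.8.8.8", "1.2.3.04", "0.0.0.0", "1.2.3.08"]

def reject_reason(addr: str):
    """Post-fix rule: four decimal octets of 1-3 digits, each 0..255, and no
    leading zero on a multi-digit octet. Returns why addr fails, else None."""
    parts = addr.split(".")
    if len(parts) != 4:
        return "expected exactly four octets"
    for p in parts:
        if not p.isdigit() or len(p) > 3:
            return f"octet {p!r} is not 1-3 decimal digits"
        if len(p) > 1 and p[0] == "0":
            return f"octet {p!r} has a leading zero (octal/decimal ambiguity)"
        if int(p) > 255:
            return f"octet {p!r} exceeds 255"
    return None

def strict_ipv4(addr: str) -> ipaddress.IPv4Address:
    """Parse only strings that pass reject_reason; raise ValueError otherwise,
    so an interpreter that still tolerates leading zeros gets the strict rule."""
    why = reject_reason(addr)
    if why:
        raise ValueError(f"{addr!r}: {why}")
    return ipaddress.IPv4Address(addr)

def reading(addr: str, leading_zero_base: int):
    """Dotted-decimal result when a multi-digit octet starting with '0' is read
    in leading_zero_base (10: pre-fix ipaddress, 8: inet_aton). None = rejected."""
    parts = addr.split(".")
    if len(parts) != 4:
        return None
    vals = []
    for p in parts:
        if not p.isdigit():  # int() would accept '+1' or '1_0'; a parser would not
            return None
        try:
            v = int(p, leading_zero_base if len(p) > 1 and p[0] == "0" else 10)
        except ValueError:  # e.g. '08' is not a valid octal literal
            return None
        if v > 255:
            return None
        vals.append(v)
    return ".".join(map(str, vals))

def divergent(addrs):
    """Inputs whose decimal and octal-style readings differ, with both readings."""
    return {a: (reading(a, 10), reading(a, 8)) for a in addrs if reading(a, 10) != reading(a, 8)}
```

Note that "1.2.3.04" is not in the divergent set (octal 04 is still 4) yet the strict rule rejects it anyway, because the rule targets the ambiguous syntax rather than particular values.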

2021-05-25 Thread Pablo Galindo Salgado
Pablo Galindo Salgado added the comment: I'm closing this; if someone thinks something is missing, please reopen. nosy: +pablogsal resolution: -> fixed stage: patch review -> resolved status: open -> closed

2021-05-21 Thread Ned Deily
Ned Deily added the comment: Is there anything more to be done for this issue or can it be closed?

2021-05-02 Thread Christian Heimes
Christian Heimes added the comment: Łukasz, thanks for pushing the PR over the finish line!

2021-05-02 Thread Łukasz Langa
Łukasz Langa added the comment: New changeset 5374fbc31446364bf5f12e5ab88c5493c35eaf04 by Miss Islington (bot) in branch '3.9': bpo-36384: Leading zeros in IPv4 addresses are no longer tolerated (GH-25099) (GH-25815)

2021-05-02 Thread miss-islington
Change by miss-islington: nosy: +miss-islington nosy_count: 14.0 -> 15.0 pull_requests: +24501 pull_request: https://github.com/python/cpython/pull/25815

2021-05-02 Thread Łukasz Langa
Łukasz Langa added the comment: New changeset 60ce8f0be6354ad565393ab449d8de5d713f35bc by Christian Heimes in branch 'master': bpo-36384: Leading zeros in IPv4 addresses are no longer tolerated (GH-25099) https://github.com/python/cpython/commit/60ce8f0be6354ad565393ab449d8de5d713f35bc

2021-05-02 Thread Łukasz Langa
Change by Łukasz Langa: versions: -Python 3.8

2021-05-02 Thread Łukasz Langa
Łukasz Langa added the comment: Due to the relative obscurity of the bug and potential disruption of the fix, I decided not to include it in 3.8. However, Michał's argument about 3.10 not being released for another five months is resonating with me and so we will be backporting the change to

2021-05-01 Thread Michał Górny
Michał Górny added the comment:
> If it takes years for users to get to 3.10, we should reevaluate our release cycle, not whether we aggressively break maintenance releases.
I don't really understand how that would help. The problem is that users have major inertia for switching to newer

2021-04-30 Thread STINNER Victor
STINNER Victor added the comment: The CVE-2021-29921 was assigned to this vulnerability. title: ipaddress Should not reject IPv4 addresses with leading zeroes as ambiguously octal -> [security] CVE-2021-29921: ipaddress Should not reject IPv4 addresses with leading zeroes as