CVE-2021-4189: A flaw was found in Python, specifically in the FTP (File Transfer Protocol) client library when using it in PASV (passive) mode. The flaw lies in how the FTP client trusts the host from the PASV response by default. An attacker could use this flaw to set up a malicious FTP server that can trick FTP clients into connecting back to a given IP address and port. This could lead to the FTP client scanning ports which otherwise would not have been possible. Instead of using the returned address, ftplib now uses the IP address we’re already connected to. For the rare user who wants the old behavior, set a `trust_server_pasv_ipv4_address` attribute on your `ftplib.FTP` instance to True.
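The following is an added example, not code from the report or from the Python project, that shows the fixed ftplib behavior described above against a constructed fake FTP server. The server runs on 127.0.0.1 and answers PASV with a data address of 192.0.2.1 (a documentation-only address, chosen here as a stand-in for an attacker-supplied host); the client is then asked where it would open the data connection, once with the default setting and once with `trust_server_pasv_ipv4_address` set to True. `makepasv()` is the ftplib method that performs the PASV handshake and returns the (host, port) pair it would connect to; the fake server, its replies and the helper names are assumptions of this example. It requires a Python release that contains the fix (3.9.2, 3.8.8 or later).

```python
import ftplib
import socket
import threading
from typing import Tuple

# Constructed PASV reply: the server claims the data connection lives on
# 192.0.2.1 port 4*256+210 = 1234, which is NOT the host we are talking to.
PASV_REPLY = b"227 Entering Passive Mode (192,0,2,1,4,210).\r\n"


def _serve_one(listener: socket.socket) -> None:
    """Minimal fake FTP control channel: greet, answer PASV with a foreign
    address, acknowledge everything else, and stop on QUIT (constructed)."""
    conn, _ = listener.accept()
    with conn:
        conn.sendall(b"220 fake ftp ready\r\n")
        reader = conn.makefile("rb")
        for line in reader:
            cmd = line.strip().upper()
            if cmd == b"PASV":
                conn.sendall(PASV_REPLY)
            elif cmd == b"QUIT":
                conn.sendall(b"221 bye\r\n")
                break
            else:
                conn.sendall(b"200 ok\r\n")


def pasv_target(trust_server_address: bool) -> Tuple[str, int]:
    """Return the (host, port) ftplib would use for the data connection.

    With trust_server_address=False (the default after the CVE-2021-4189 fix)
    ftplib ignores the address in the 227 reply and reuses the peer address of
    the control connection, so a malicious PASV reply cannot redirect the
    client elsewhere. With True the old, trusting behavior is restored.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    server = threading.Thread(target=_serve_one, args=(listener,), daemon=True)
    server.start()

    ftp = ftplib.FTP()
    ftp.connect("127.0.0.1", port, timeout=5)
    ftp.trust_server_pasv_ipv4_address = trust_server_address
    try:
        host, data_port = ftp.makepasv()
    finally:
        ftp.quit()
    server.join(5)
    listener.close()
    return host, data_port


if __name__ == "__main__":
    print("default (fixed):", pasv_target(False))   # ('127.0.0.1', 1234)
    print("opt-in trust:   ", pasv_target(True))    # ('192.0.2.1', 1234)
```

The port is still taken from the server's reply in both cases; the fix only pins the host, which is what stops the client being pointed at a third machine. Code that relies on the old behavior (for example behind certain NAT setups) must set the attribute explicitly after upgrading.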
CVE-2021-3177: Python has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution in certain Python applications that accept floating-point numbers as untrusted input.
- CVE-2021-45958: stack-based buffer overflow in Buffer_AppendIndentUnchecked (called from encode). Exploitation can, for example, use a large amount of indentation.
Several packages are in a pipeline and fixes will be released soon.
- Though I invested some time to backport the fix for CVE-2020-8492, I decided not to apply it. Tests are failing and backporting python3->python2 was too destructive and too risky.
- Participated in the Debian LTS Jitsi meeting.
- mariadb-10.1 (some discussion on mailing list)
Advocated Markus Blatt to become a DM.