Bugzilla – Bug 1194146
VUL-0: CVE-2021-4189: python39,python,python36,python3,python27: ftplib should not use the host from the PASV response
Last modified: 2022-12-09 07:35:55 UTC
rh#2036020

The problem is that the FTP client trusts the host from the PASV response by default. A malicious server can trick the FTP client into connecting back to a given IP address and port. This may make the FTP client scan ports and extract service banners from a private network.

References:
https://bugs.python.org/issue43285
https://bugzilla.redhat.com/show_bug.cgi?id=2036020
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-4189
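The failure mode and the fix, as an added illustration that is not part of this bug report or of the CPython patch: the 227 reply carries both a host and a port, an unfixed ftplib connects to that host verbatim, and the fix keeps the port but reuses the control connection's peer address unless the caller opts in. The parsing mirrors what ftplib does; the function names `parse227`, `passive_target` and `ftplib_has_fix` and the sample replies are constructed for this example, and `trust_server_pasv_ipv4_address` is the attribute name the upstream fix added to `ftplib.FTP`.

```python
import re
import ftplib

# Constructed replies: the first is what a malicious server would send to
# make the client open a data connection to 10.0.0.5:50069 instead of to
# the server it is actually talking to.
MALICIOUS_227 = "227 Entering Passive Mode (10,0,0,5,195,149)"
BENIGN_227 = "227 Entering Passive Mode (203,0,113,7,4,1)"

_227_RE = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def parse227(resp):
    """Parse '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' into (host, port).

    The host is whatever the server chose to put there; nothing here checks
    it against the address we connected to, which is the root of the bug.
    """
    if resp[:3] != "227":
        raise ValueError("unexpected reply: %r" % resp)
    m = _227_RE.search(resp)
    if m is None:
        raise ValueError("malformed 227 reply: %r" % resp)
    nums = m.groups()
    host = ".".join(nums[:4])
    port = (int(nums[4]) << 8) + int(nums[5])
    return host, port


def passive_target(control_peer_host, resp, trust_server_pasv_ipv4_address=False):
    """Decide where the data connection goes.

    control_peer_host is the peer address of the control socket (what
    sock.getpeername()[0] returns in a real client). With the default of
    False, the host in the reply is discarded and only the port is used,
    which is the behaviour the fix introduced; True restores the old,
    vulnerable behaviour for servers that are known to need it.
    """
    untrusted_host, port = parse227(resp)
    if trust_server_pasv_ipv4_address:
        return untrusted_host, port
    return control_peer_host, port


def ftplib_has_fix():
    """Report whether the installed ftplib carries the CVE-2021-4189 change.

    The fix adds trust_server_pasv_ipv4_address as a class attribute of
    ftplib.FTP with a default of False; an unfixed ftplib has no such name.
    """
    return getattr(ftplib.FTP, "trust_server_pasv_ipv4_address", None) is False


if __name__ == "__main__":
    peer = "203.0.113.7"
    print("unfixed client would connect to:", passive_target(peer, MALICIOUS_227, True))
    print("fixed client connects to:       ", passive_target(peer, MALICIOUS_227))
    print("installed ftplib has the fix:   ", ftplib_has_fix())
```

To apply the same check on a live connection, compare `ftp.sock.getpeername()[0]` with the host returned by `ftplib.parse227` on the server's reply; with a fixed ftplib the data connection always goes to the former.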
Affected:
- SUSE:SLE-11-SP1:Update / python
- SUSE:SLE-12-SP1:Update / python
- SUSE:SLE-15:Update / python
- SUSE:SLE-11-SP1:Update:Teradata / python27
- SUSE:SLE-12:Update / python3

The fix was already introduced in newer SLE codestreams for python3, and for the python36 and python39 packages.

Also affected on openSUSE:
- openSUSE:Factory / python
This is an autogenerated message for OBS integration: This bug (1194146) was mentioned in https://build.opensuse.org/request/show/951983 Factory / python
This is an autogenerated message for OBS integration: This bug (1194146) was mentioned in https://build.opensuse.org/request/show/953031 Factory / python
SUSE-SU-2022:0882-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1194146,1195396
CVE References: CVE-2021-4189,CVE-2022-0391
JIRA References:
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src): python3-3.4.10-25.85.2, python3-base-3.4.10-25.85.1
SUSE Linux Enterprise Server 12-SP5 (src): python3-3.4.10-25.85.2, python3-base-3.4.10-25.85.1
SUSE Linux Enterprise Module for Web Scripting 12 (src): python3-3.4.10-25.85.2, python3-base-3.4.10-25.85.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Hi Matej, could you also submit SUSE:SLE-12-SP4:Update/python?
openSUSE-SU-2022:1091-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1175619,1186819,1194146,1195396
CVE References: CVE-2021-3572,CVE-2021-4189,CVE-2022-0391
JIRA References:
Sources used:
openSUSE Leap 15.4 (src): python-2.7.18-150000.38.1, python-base-2.7.18-150000.38.2, python-doc-2.7.18-150000.38.1
openSUSE Leap 15.3 (src): python-2.7.18-150000.38.1, python-base-2.7.18-150000.38.2, python-doc-2.7.18-150000.38.1
SUSE-SU-2022:1091-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1175619,1186819,1194146,1195396
CVE References: CVE-2021-3572,CVE-2021-4189,CVE-2022-0391
JIRA References:
Sources used:
SUSE Linux Enterprise Realtime Extension 15-SP2 (src): python-2.7.18-150000.38.1, python-base-2.7.18-150000.38.2
SUSE Linux Enterprise Module for Python2 15-SP3 (src): python-2.7.18-150000.38.1, python-base-2.7.18-150000.38.2
SUSE Linux Enterprise Module for Desktop Applications 15-SP3 (src): python-2.7.18-150000.38.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src): python-2.7.18-150000.38.1, python-base-2.7.18-150000.38.2
SUSE Linux Enterprise Module Python3 15-SP4 (src): python-base-2.7.18-150000.38.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
The Salt Bundle is not affected as it contains Python 3.9.6 and will switch to 3.10.2 soon.
SUSE-SU-2022:1140-1: An update that solves two vulnerabilities, contains one feature and has one errata is now available.

Category: security (moderate)
Bug References: 1187784,1194146,1195396
CVE References: CVE-2021-4189,CVE-2022-0391
JIRA References: SLE-18105
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src): python-2.7.18-33.8.1, python-base-2.7.18-33.8.1, python-doc-2.7.18-33.8.1
SUSE OpenStack Cloud 9 (src): python-2.7.18-33.8.1, python-base-2.7.18-33.8.1, python-doc-2.7.18-33.8.1
SUSE Linux Enterprise Workstation Extension 12-SP5 (src): python-base-2.7.18-33.8.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src): python-2.7.18-33.8.1, python-base-2.7.18-33.8.1, python-doc-2.7.18-33.8.1
SUSE Linux Enterprise Server 12-SP5 (src): python-2.7.18-33.8.1, python-base-2.7.18-33.8.1, python-doc-2.7.18-33.8.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src): python-2.7.18-33.8.1, python-base-2.7.18-33.8.1, python-doc-2.7.18-33.8.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
(In reply to Gabriele Sonnu from comment #14)
> Hi Matej, could you also submit SUSE:SLE-12-SP4:Update/python?

I think it has already been fixed; at least I see CVE-2021-4189-ftplib-trust-PASV-resp.patch there.
All fixed and packages released.
Mistakenly closed, security bugs are just reassigned.
This is an autogenerated message for OBS integration: This bug (1194146) was mentioned in https://build.opensuse.org/request/show/981989 Factory / python