Bugzilla – Bug 1189287
VUL-0: CVE-2021-3733: python,python27,python3,python36,python39: ReDoS in urllib.request
Last modified: 2022-11-29 14:05:09 UTC
The ReDoS-vulnerable regex has quadratic worst-case complexity and allows causing a denial of service when identifying crafted invalid RFCs. This ReDoS issue is on the client side and needs remote attackers to control the HTTP server.

References:
https://bugs.python.org/issue43075
https://github.com/python/cpython/pull/24391
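Added example (not part of this bug report and not CPython's own code): the two regex shapes behind this bug side by side, a small challenge parser built on the fixed one, and a check of the installed interpreter. The patterns are reconstructed from my reading of the linked upstream commit and should be treated as an assumption; compare them against that commit before relying on them. The attribute name AbstractBasicAuthHandler.rx used by is_patched() is likewise assumed.

```python
# Added example (not from the bug report or CPython): the two regex shapes
# involved in CVE-2021-3733, a parser using the fixed one, and a check of the
# installed interpreter. Patterns reconstructed from the linked upstream
# commit; treat them as an assumption and verify against that commit.
import re
import time
import urllib.request

# Pre-fix shape (assumed). The scheme group '[^ \t]+' can swallow commas, and
# '(?:^|,)' makes every comma a candidate start, so on a header that is a long
# run of commas the engine scans the remainder from each comma and backtracks
# it character by character: O(n^2) work on n commas.
VULNERABLE_RX = re.compile(
    '(?:^|,)[ \t]*([^ \t]+)[ \t]+realm=(["\']?)([^"\']*)\\2', re.I)

# Post-fix shape (assumed): the scheme group excludes ',', so at a comma the
# scheme group fails immediately and the scan stays linear.
FIXED_RX = re.compile(
    '(?:^|,)[ \t]*([^ \t,]+)[ \t]+realm=(["\']?)([^"\']*)\\2', re.I)


def parse_challenges(header, rx=FIXED_RX):
    """Return [(scheme, realm), ...] parsed from a WWW-Authenticate value.

    Well-formed headers parse identically under both patterns; only the
    cost on malformed input differs.
    """
    return [(m.group(1), m.group(3)) for m in rx.finditer(header)]


def is_patched():
    """True if the installed urllib pattern excludes ',' from the scheme group.

    Returns None if the pattern is not where this check expects it
    (AbstractBasicAuthHandler.rx, an assumed attribute name).
    """
    rx = getattr(urllib.request.AbstractBasicAuthHandler, "rx", None)
    if rx is None or not hasattr(rx, "pattern"):
        return None
    # CPython writes the class with a literal tab, so compare with a real tab.
    return "[^ \t,]+" in rx.pattern


def growth_ratio(rx, n=2000):
    """Regression smoke test: time a search over n and 2n commas (a constructed,
    realm-less malformed header) and return the ratio. Roughly 2 means linear,
    roughly 4 means quadratic. Timing is noisy; do not assert on it."""
    def seconds(k):
        probe = "," * k
        start = time.perf_counter()
        rx.search(probe)
        return time.perf_counter() - start
    return seconds(2 * n) / max(seconds(n), 1e-9)


if __name__ == "__main__":
    print("installed urllib patched:", is_patched())
    print("parsed:", parse_challenges('Basic realm="Secure Area", Digest realm=x'))
    print("growth ratio, fixed pattern:   %.1f" % growth_ratio(FIXED_RX))
    print("growth ratio, pre-fix pattern: %.1f" % growth_ratio(VULNERABLE_RX))
```

The parser shows that the one-character change in the scheme character class does not alter what legitimate challenges parse to; is_patched() is the quick check to run on a host when the package version alone is not conclusive, and growth_ratio() is how to confirm the linear behaviour empirically.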
The following packages are affected:
- SUSE:SLE-11-SP1:Update/python
- SUSE:SLE-12-SP1:Update/python
- SUSE:SLE-15:Update/python
- SUSE:SLE-11-SP1:Update/python-base
- SUSE:SLE-12-SP1:Update/python-base
- SUSE:SLE-15:Update/python-base
- SUSE:SLE-11-SP1:Update/python-doc
- SUSE:SLE-12-SP1:Update/python-doc
- openSUSE:Factory/python
- openSUSE:Factory/python-base
- openSUSE:Factory/python-doc
- SUSE:SLE-11-SP1:Update:Teradata/python27
- SUSE:SLE-11-SP1:Update:Teradata/python27-base
- SUSE:SLE-11-SP1:Update:Teradata/python27-doc
- SUSE:Carwos:1/python3
- SUSE:SLE-12:Update/python3
- SUSE:SLE-15:Update/python3
- SUSE:SLE-12:Update/python3-base
- SUSE:SLE-12-SP3:Update:Products:Teradata:Update/python36
- SUSE:SLE-12-SP5:Update/python36
- SUSE:SLE-15-SP3:Update/python39
Upstream patch [0].

[0] https://github.com/python/cpython/commit/7215d1ae25525c92b026166f9d5cac85fb1defe1
A CVE has not been requested for this bug, hence I'm going to request one. Note that this is not a clone of CVE-2020-8492 [0].

[0] https://bugzilla.suse.com/show_bug.cgi?id=1162367
RedHat assigned CVE-2021-3733 to this bug.
(In reply to Gianluca Gabrielli from comment #4)
> RedHat assigned CVE-2021-3733 to this bug.

Nice. Do they assign https://bugzilla.suse.com/show_bug.cgi?id=1189241 ?
(In reply to Fusion Future from comment #5)
> (In reply to Gianluca Gabrielli from comment #4)
> > RedHat assigned CVE-2021-3733 to this bug.
>
> Nice. Do they assign https://bugzilla.suse.com/show_bug.cgi?id=1189241 ?

Hi Matej, AFAICS you submitted a CVE ID request for that bug. Did you get any reply back? If not, I can try to file a new request to RedHat.
It's been two weeks but no response from mitre. So please help to file a new request. Thanks.
openSUSE:Factory/python                                      Already fixed
openSUSE:Factory/python310                                   Already fixed
openSUSE:Factory/python36                                    Already fixed
openSUSE:Factory/python38                                    Already fixed
openSUSE:Factory/python39                                    Already fixed
SUSE:SLE-11-SP1:Update/python                                ssr#249160
SUSE:SLE-11-SP1:Update:Teradata/python27                     ssr#249166
SUSE:SLE-12-SP1:Update/python                                ssr#249163
SUSE:SLE-15:Update/python                                    ssr#249164
SUSE:SLE-12-SP3:Update:Products:Teradata:Update/python36     ssr#249136
SUSE:SLE-12-SP5:Update/python36                              ssr#249137
SUSE:SLE-15:Update/python3                                   ssr#249149
SUSE:SLE-15-SP3:Update/python3                               ssr#249156
SUSE:SLE-12:Update/python3                                   ssr#249150
SUSE:SLE-15-SP3:Update/python39                              Already fixed
(In reply to Gianluca Gabrielli from comment #6)
> Hi Matej, AFAICS you submitted a CVE ID request for that bug. Did you get
> any reply back? If not, I can try to file a new request to RedHat.

I am absolutely not aware of doing any such thing, and I have never got any mail from MITRE.
This is an autogenerated message for OBS integration: This bug (1189287) was mentioned in https://build.opensuse.org/request/show/919164 Factory / python36
This is an autogenerated message for OBS integration: This bug (1189287) was mentioned in https://build.opensuse.org/request/show/919259 Factory / python39
This is an autogenerated message for OBS integration: This bug (1189287) was mentioned in https://build.opensuse.org/request/show/923499 Factory / python36
SUSE-SU-2021:3477-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1187668,1189241,1189287
CVE References: CVE-2021-3733,CVE-2021-3737
JIRA References:
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src): python3-3.4.10-25.80.2, python3-base-3.4.10-25.80.2
SUSE Linux Enterprise Server 12-SP5 (src): python3-3.4.10-25.80.2, python3-base-3.4.10-25.80.2
SUSE Linux Enterprise Module for Web Scripting 12 (src): python3-3.4.10-25.80.2, python3-base-3.4.10-25.80.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2021:3486-1: An update that solves three vulnerabilities and has three fixes is now available.

Category: security (moderate)
Bug References: 1180125,1183374,1183858,1185588,1189241,1189287
CVE References: CVE-2021-3426,CVE-2021-3733,CVE-2021-3737
JIRA References:
Sources used:
SUSE Linux Enterprise Server 12-SP5 (src): python36-3.6.15-11.1, python36-core-3.6.15-11.1
openSUSE-SU-2021:3489-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1189241,1189287
CVE References: CVE-2021-3733,CVE-2021-3737
JIRA References:
Sources used:
openSUSE Leap 15.3 (src): python-2.7.18-33.1, python-base-2.7.18-33.1, python-doc-2.7.18-33.1
SUSE-SU-2021:3489-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1189241,1189287
CVE References: CVE-2021-3733,CVE-2021-3737
JIRA References:
Sources used:
SUSE Linux Enterprise Module for Python2 15-SP3 (src): python-2.7.18-33.1, python-base-2.7.18-33.1
SUSE Linux Enterprise Module for Python2 15-SP2 (src): python-2.7.18-33.1, python-base-2.7.18-33.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP3 (src): python-2.7.18-33.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (src): python-2.7.18-33.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src): python-2.7.18-33.1, python-base-2.7.18-33.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src): python-2.7.18-33.1, python-base-2.7.18-33.1
This is an autogenerated message for OBS integration: This bug (1189287) was mentioned in https://build.opensuse.org/request/show/926876 Factory / python36
SUSE-SU-2021:3524-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1189241,1189287
CVE References: CVE-2021-3733,CVE-2021-3737
JIRA References:
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP5 (src): python-base-2.7.18-28.74.2
SUSE Linux Enterprise Server 12-SP5 (src): python-2.7.18-28.74.1, python-base-2.7.18-28.74.2, python-doc-2.7.18-28.74.1
openSUSE-SU-2021:1418-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1189241,1189287
CVE References: CVE-2021-3733,CVE-2021-3737
JIRA References:
Sources used:
openSUSE Leap 15.2 (src): python-2.7.18-lp152.3.21.1, python-base-2.7.18-lp152.3.21.1, python-doc-2.7.18-lp152.3.21.1
SUSE-SU-2021:4015-1: An update that solves three vulnerabilities and has 5 fixes is now available.

Category: security (moderate)
Bug References: 1180125,1183374,1183858,1185588,1187338,1187668,1189241,1189287
CVE References: CVE-2021-3426,CVE-2021-3733,CVE-2021-3737
JIRA References:
Sources used:
SUSE MicroOS 5.1 (src): python3-3.6.15-3.91.4, python3-core-3.6.15-3.91.3
SUSE MicroOS 5.0 (src): python3-3.6.15-3.91.4, python3-core-3.6.15-3.91.3
SUSE Linux Enterprise Module for Development Tools 15-SP2 (src): python3-core-3.6.15-3.91.3
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src): python3-3.6.15-3.91.4, python3-core-3.6.15-3.91.3
openSUSE-SU-2021:4104-1: An update that solves three vulnerabilities and has four fixes is now available.

Category: security (moderate)
Bug References: 1180125,1183374,1183858,1185588,1187668,1189241,1189287
CVE References: CVE-2021-3426,CVE-2021-3733,CVE-2021-3737
JIRA References:
Sources used:
openSUSE Leap 15.3 (src): python3-3.6.15-10.9.1, python3-core-3.6.15-10.9.1, python3-documentation-3.6.15-10.9.1
SUSE-SU-2021:4104-1: An update that solves three vulnerabilities and has four fixes is now available.

Category: security (moderate)
Bug References: 1180125,1183374,1183858,1185588,1187668,1189241,1189287
CVE References: CVE-2021-3426,CVE-2021-3733,CVE-2021-3737
JIRA References:
Sources used:
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src): python3-core-3.6.15-10.9.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src): python3-3.6.15-10.9.1, python3-core-3.6.15-10.9.1
SUSE-SU-2021:4015-2: An update that solves three vulnerabilities and has 5 fixes is now available.

Category: security (moderate)
Bug References: 1180125,1183374,1183858,1185588,1187338,1187668,1189241,1189287
CVE References: CVE-2021-3426,CVE-2021-3733,CVE-2021-3737
JIRA References:
Sources used:
SUSE Linux Enterprise Server for SAP 15-SP1 (src): python3-3.6.15-3.91.4, python3-core-3.6.15-3.91.3
SUSE Linux Enterprise Server for SAP 15 (src): python3-3.6.15-3.91.4, python3-core-3.6.15-3.91.3
SUSE Linux Enterprise Server 15-SP1-LTSS (src): python3-3.6.15-3.91.4, python3-core-3.6.15-3.91.3
SUSE Linux Enterprise Server 15-SP1-BCL (src): python3-3.6.15-3.91.4, python3-core-3.6.15-3.91.3
SUSE Linux Enterprise Server 15-LTSS (src): python3-3.6.15-3.91.4, python3-core-3.6.15-3.91.3
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src): python3-3.6.15-3.91.4, python3-core-3.6.15-3.91.3
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src): python3-3.6.15-3.91.4, python3-core-3.6.15-3.91.3
SUSE Linux Enterprise High Performance Computing 15-LTSS (src): python3-3.6.15-3.91.4, python3-core-3.6.15-3.91.3
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): python3-3.6.15-3.91.4, python3-core-3.6.15-3.91.3
SUSE Enterprise Storage 6 (src): python3-3.6.15-3.91.4, python3-core-3.6.15-3.91.3
SUSE CaaS Platform 4.0 (src): python3-3.6.15-3.91.4, python3-core-3.6.15-3.91.3
This is an autogenerated message for OBS integration: This bug (1189287) was mentioned in https://build.opensuse.org/request/show/951983 Factory / python
This is an autogenerated message for OBS integration: This bug (1189287) was mentioned in https://build.opensuse.org/request/show/953031 Factory / python
SUSE-SU-2022:1485-1: An update that solves three vulnerabilities, contains one feature and has two fixes is now available.

Category: security (moderate)
Bug References: 1186819,1189241,1189287,1189356,1193179
CVE References: CVE-2021-3572,CVE-2021-3733,CVE-2021-3737
JIRA References: SLE-23849
Sources used:
openSUSE Leap 15.4 (src): python39-3.9.10-150300.4.8.2, python39-core-3.9.10-150300.4.8.1, python39-documentation-3.9.10-150300.4.8.1
openSUSE Leap 15.3 (src): python39-3.9.10-150300.4.8.2, python39-core-3.9.10-150300.4.8.1, python39-documentation-3.9.10-150300.4.8.1
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src): python39-core-3.9.10-150300.4.8.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src): python39-3.9.10-150300.4.8.2, python39-core-3.9.10-150300.4.8.1
This is an autogenerated message for OBS integration: This bug (1189287) was mentioned in https://build.opensuse.org/request/show/981989 Factory / python