Vulnerability CVE-2021-3733: Information
Description
There is a flaw in urllib's AbstractBasicAuthHandler class. An attacker who controls a malicious HTTP server that an HTTP client (such as a web browser) connects to could trigger a Regular Expression Denial of Service (ReDoS) during an authentication request, using a specially crafted payload sent by the server to the client. The greatest threat that this flaw poses is to application availability.
Severity: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Fixed packages
Package name | Branch | Fixed in version | Version from repository | Errata ID | Task # | State |
---|---|---|---|---|---|---|
python | sisyphus | 2.7.18-alt8 | 2.7.18-alt11 | ALT-PU-2021-3010-1 | 286676 | Fixed |
python | sisyphus_e2k | 2.7.18-alt8 | 2.7.18-alt11 | ALT-PU-2022-3615-1 | - | Fixed |
python | p10 | 2.7.18-alt10 | 2.7.18-alt10 | ALT-PU-2022-3044-1 | 309289 | Fixed |
python | p10_e2k | 2.7.18-alt10 | 2.7.18-alt10 | ALT-PU-2022-7062-1 | - | Fixed |
python | c10f1 | 2.7.18-alt10 | 2.7.18-alt10 | ALT-PU-2022-3044-1 | 309289 | Fixed |
python3 | sisyphus | 3.9.5-alt1 | 3.12.2-alt1 | ALT-PU-2021-1784-1 | 271461 | Fixed |
python3 | sisyphus_riscv64 | 3.10.2-alt1.1 | 3.12.2-alt1 | ALT-PU-2022-3966-1 | - | Fixed |
python3 | p10 | 3.9.5-alt1 | 3.9.18-alt1 | ALT-PU-2021-1784-1 | 271461 | Fixed |
python3 | p9 | 3.7.11-alt1 | 3.7.17-alt1 | ALT-PU-2021-2653-1 | 273501 | Fixed |
python3 | c10f1 | 3.9.5-alt1 | 3.9.18-alt0.c10f1.1 | ALT-PU-2021-1784-1 | 271461 | Fixed |
python3 | c9f2 | 3.7.17-alt1 | 3.7.17-alt1 | ALT-PU-2024-3474-2 | 342077 | Fixed |
References to Advisories, Solutions, and Tools
Hyperlink | Resource |
---|---|
https://github.com/python/cpython/commit/7215d1ae25525c92b026166f9d5cac85fb | |
https://ubuntu.com/security/CVE-2021-3733 | |
https://bugs.python.org/issue43075 | |
https://bugzilla.redhat.com/show_bug.cgi?id=1995234 | |
https://github.com/python/cpython/pull/24391 | |
https://security.netapp.com/advisory/ntap-20220407-0001/ | |
[debian-lts-announce] 20230524 [SECURITY] [DLA 3432-1] python2.7 security update | |
[debian-lts-announce] 20230630 [SECURITY] [DLA 3477-1] python3.7 security update | |