Description
The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv() was patched to replace server-supplied PASV host addresses with the actual peer address (getpeername()[0]), ftpcp() still calls parse227() directly and passes the raw attacker-controllable IP address and port to target.sendport(). This patch is related to CVE-2021-4189.
Mitigation
Minimal update. May introduce new vulnerabilities or breaking changes.
|
 debian 12 | | =7.3.11+dfsg-2 || =7.3.11+dfsg-2+deb12u1 || =7.3.11+dfsg-2+deb12u2 || =7.3.11+dfsg-2+deb12u3 || =7.3.12+dfsg-1 || =7.3.12~rc1+dfsg-1 || =7.3.12~rc2+dfsg-1 || =7.3.13+dfsg-1 || =7.3.14+dfsg-1 || =7.3.15+dfsg-1 || =7.3.16+dfsg-1 || =7.3.16+dfsg-2 || =7.3.17+dfsg-1 || =7.3.17+dfsg-2 || =7.3.17+dfsg-3 || =7.3.18+dfsg-1 || =7.3.18+dfsg-2 || =7.3.19+dfsg-1 || =7.3.19+dfsg-2 || =7.3.20+dfsg-1 || =7.3.20+dfsg-2 || =7.3.20+dfsg-3 || =7.3.20+dfsg-4 || =7.3.21+dfsg-1 || =7.3.21+dfsg-2 || =7.3.21+dfsg-3 || =7.3.21+dfsg-4 || =7.3.22+dfsg-1 |
debian 11 | | =2.7.18-10 || =2.7.18-11 || =2.7.18-12 || =2.7.18-13 || =2.7.18-13.1 || =2.7.18-13.1~exp1 || =2.7.18-13.2 || =2.7.18-8 || =2.7.18-8+deb11u1 || =2.7.18-9 |
debian 11 | | =3.9.10-1 || =3.9.10-2 || =3.9.11-1 || =3.9.12-1 || =3.9.13-1 || =3.9.2-1 || =3.9.2-1+deb11u1 || =3.9.2-1+deb11u2 || =3.9.2-1+deb11u3 || =3.9.2-1+deb11u4 || =3.9.2-1+deb11u5 || =3.9.2-1+deb11u6 || =3.9.2-1+deb11u7 || =3.9.3-1 || =3.9.3-2 || =3.9.4-1 || =3.9.5-1 || =3.9.5-2 || =3.9.5-3 || =3.9.6-1 || =3.9.7-1 || =3.9.7-2 || =3.9.7-4 || =3.9.8-1 || =3.9.8-2 || =3.9.9-1 || =3.9.9-2 || =3.9.9-3 || =3.9.9-4 |
debian 14 | | =3.14.0-1 || =3.14.0-2 || =3.14.0-3 || =3.14.0-4 || =3.14.0-5 || =3.14.0~a7-1 || =3.14.0~b1-1 || =3.14.0~b2-1 || =3.14.0~b3-1 || =3.14.0~b4-1 || =3.14.0~rc1-1 || =3.14.0~rc2-1 || =3.14.0~rc3-1 || =3.14.2-1 || =3.14.3-1 || =3.14.3-2 || =3.14.3-3 || =3.14.3-4 || =3.14.3-5 || =3.14.4-1 || =3.14.4-2 || =3.14.5-1 || =3.14.5~rc1-1 |
debian 13 | | =7.3.19+dfsg-2 || =7.3.20+dfsg-1 || =7.3.20+dfsg-2 || =7.3.20+dfsg-3 || =7.3.20+dfsg-4 || =7.3.21+dfsg-1 || =7.3.21+dfsg-2 || =7.3.21+dfsg-3 || =7.3.21+dfsg-4 || =7.3.22+dfsg-1 |
debian 12 | | =3.11.2-6 || =3.11.2-6+deb12u1 || =3.11.2-6+deb12u2 || =3.11.2-6+deb12u3 || =3.11.2-6+deb12u4 || =3.11.2-6+deb12u5 || =3.11.2-6+deb12u6 || =3.11.2-6+deb12u7 || =3.11.3-1 || =3.11.3-2 || =3.11.4-1 || =3.11.5-1 || =3.11.5-2 || =3.11.5-3 || =3.11.6-1 || =3.11.6-2 || =3.11.6-3 || =3.11.6-3~hurd.2 || =3.11.7-1 || =3.11.7-2 || =3.11.8-1 || =3.11.8-1.1~exp1 || =3.11.8-1.1~exp2 || =3.11.8-2 || =3.11.8-3 || =3.11.8-3+hurd.1 || =3.11.9-1 |
debian 14 | | =3.13.11-1 || =3.13.12-1 || =3.13.5-2 || =3.13.6-1 || =3.13.7-1 || =3.13.8-1 || =3.13.9-1 |
debian 11 | | =7.3.10+dfsg-1 || =7.3.10~rc3+dfsg-1 || =7.3.10~rc3+dfsg-2 || =7.3.11+dfsg-1 || =7.3.11+dfsg-2 || =7.3.12+dfsg-1 || =7.3.12~rc1+dfsg-1 || =7.3.12~rc2+dfsg-1 || =7.3.13+dfsg-1 || =7.3.14+dfsg-1 || =7.3.15+dfsg-1 || =7.3.16+dfsg-1 || =7.3.16+dfsg-2 || =7.3.17+dfsg-1 || =7.3.17+dfsg-2 || =7.3.17+dfsg-3 || =7.3.18+dfsg-1 || =7.3.18+dfsg-2 || =7.3.19+dfsg-1 || =7.3.19+dfsg-2 || =7.3.20+dfsg-1 || =7.3.20+dfsg-2 || =7.3.20+dfsg-3 || =7.3.20+dfsg-4 || =7.3.21+dfsg-1 || =7.3.21+dfsg-2 || =7.3.21+dfsg-3 || =7.3.21+dfsg-4 || =7.3.22+dfsg-1 || =7.3.5+dfsg-2 || =7.3.5+dfsg-2+deb11u1 || =7.3.5+dfsg-2+deb11u2 || =7.3.5+dfsg-2+deb11u3 || =7.3.5+dfsg-2+deb11u4 || =7.3.5+dfsg-2+deb11u5 || =7.3.6+dfsg-1 || =7.3.6~rc2+dfsg-1 || =7.3.6~rc2+dfsg-2 || =7.3.7+dfsg-1 || =7.3.7+dfsg-2 || =7.3.7+dfsg-3 || =7.3.7+dfsg-4 || =7.3.7+dfsg-5 || =7.3.8+dfsg-1 || =7.3.8+dfsg-2 || =7.3.8~rc1+dfsg-1 || =7.3.8~rc1+dfsg-2 || =7.3.9+dfsg-1 || =7.3.9+dfsg-2 || =7.3.9+dfsg-3 || =7.3.9+dfsg-4 || =7.3.9+dfsg-5 |
debian 14 | | =7.3.19+dfsg-2 || =7.3.20+dfsg-1 || =7.3.20+dfsg-2 || =7.3.20+dfsg-3 || =7.3.20+dfsg-4 || =7.3.21+dfsg-1 || =7.3.21+dfsg-2 || =7.3.21+dfsg-3 || =7.3.21+dfsg-4 || =7.3.22+dfsg-1 |
debian 13 | | =3.13.11-1 || =3.13.12-1 || =3.13.5-2 || =3.13.5-2+deb13u1 || =3.13.5-2+deb13u2 || =3.13.6-1 || =3.13.7-1 || =3.13.8-1 || =3.13.9-1 |
