cpython/Misc/NEWS.d/next/Security
Miss Islington (bot) 5dadc64673
[3.15] gh-87451: Apply CVE-2021-4189 PASV fix to ftplib.ftpcp() (GH-149648) (#149792)
gh-87451: Apply CVE-2021-4189 PASV fix to ftplib.ftpcp() (GH-149648)

ftpcp() called parse227() directly and passed the source server's
self-reported PASV IPv4 address to the target server's PORT command,
bypassing the CVE-2021-4189 fix that was applied only to FTP.makepasv().
A malicious source FTP server could use this to redirect the target
server's data connection to an arbitrary host:port (SSRF).

ftpcp() now uses the source server's actual peer address, honoring the
existing trust_server_pasv_ipv4_address opt-out, the same as makepasv().

Thanks to Qi Ding at Aurascape AI for the report. (GHSA-w8c5-q2xf-gf7c)
(cherry picked from commit eac4fe3b2c)

Co-authored-by: Gregory P. Smith <68491+gpshead@users.noreply.github.com>
2026-05-15 10:50:45 +00:00
- ``2026-05-03-21-00-00.gh-issue-149486.tarflt.rst``: [3.15] gh-149486: tarfile.data_filter: validate written link target (GH-149487) (GH-149553), 2026-05-11 11:57:32 +02:00
- ``2026-05-08-02-18-54.gh-issue-149474.ujQ-mu.rst``: [3.15] gh-149474: use Py_fopen in Binary{Reader,Writer} for audit hook and path-like support (GH-149524) (#149586), 2026-05-09 00:28:21 +00:00
- ``2026-05-10-18-05-32.gh-issue-87451.XkKB6M.rst``: [3.15] gh-87451: Apply CVE-2021-4189 PASV fix to ftplib.ftpcp() (GH-149648) (#149792), 2026-05-15 10:50:45 +00:00
- ``2026-05-11-21-15-07.gh-issue-149698.OudOcW.rst``: [3.15] gh-149698: Update bundled expat to 2.8.1 (GH-149699) (#149812), 2026-05-14 09:52:51 +01:00
- ``README.rst``: Link to blurb on PyPI in the NEWS.d READMEs. (#3323), 2017-09-05 10:38:05 -07:00

Put news entry `blurb`_ files for the *Security* section in this directory.

.. _blurb: https://pypi.org/project/blurb/