CVE-2021-23336

Name: CVE-2021-23336
Description: The package python/cpython from 0 and before 3.6.13, from 3.7.0 and be ...
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
References: DLA-2569-1, DLA-2619-1, DLA-2628-1, ELA-435-1
Debian Bugs: 983090

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package       | Release                      | Version               | Status
pypy3 (PTS)          | buster                       | 7.0.0+dfsg-3          | vulnerable
                     | sid, bullseye                | 7.3.5+dfsg-2          | fixed
python-django (PTS)  | jessie, jessie (lts)         | 1.7.11-1+deb8u14      | fixed
                     | stretch                      | 1:1.10.7-2+deb9u9     | vulnerable
                     | stretch (security)           | 1:1.10.7-2+deb9u14    | fixed
                     | buster, buster (security)    | 1:1.11.29-1~deb10u1   | vulnerable
                     | sid, bullseye                | 2:2.2.24-1            | fixed
python2.7 (PTS)      | jessie, jessie (lts)         | 2.7.9-2-ds1-1+deb8u7  | fixed
                     | stretch                      | 2.7.13-2+deb9u3       | vulnerable
                     | stretch (security)           | 2.7.13-2+deb9u5       | fixed
                     | buster                       | 2.7.16-2+deb10u1      | vulnerable
                     | sid, bullseye                | 2.7.18-8              | vulnerable
python3.5 (PTS)      | stretch                      | 3.5.3-1+deb9u1        | vulnerable
                     | stretch (security)           | 3.5.3-1+deb9u4        | fixed
python3.7 (PTS)      | buster                       | 3.7.3-2+deb10u3       | vulnerable
python3.9 (PTS)      | sid, bullseye                | 3.9.2-1               | fixed

The information below is based on the following data on fixed versions.

Package        | Type   | Release    | Fixed Version         | Urgency | Origin     | Debian Bugs
pypy3          | source | (unstable) | 7.3.3+dfsg-3          |         |            |
python-django  | source | jessie     | (not affected)        |         |            |
python-django  | source | stretch    | 1:1.10.7-2+deb9u11    |         | DLA-2569-1 |
python-django  | source | (unstable) | 2:2.2.19-1            |         |            | 983090
python2.7      | source | jessie     | 2.7.9-2-ds1-1+deb8u7  |         | ELA-435-1  |
python2.7      | source | stretch    | 2.7.13-2+deb9u5       |         | DLA-2628-1 |
python2.7      | source | (unstable) | (unfixed)             |         |            |
python3.5      | source | stretch    | 3.5.3-1+deb9u4        |         | DLA-2619-1 |
python3.5      | source | (unstable) | (unfixed)             |         |            |
python3.7      | source | (unstable) | (unfixed)             |         |            |
python3.8      | source | (unstable) | (unfixed)             |         |            |
python3.9      | source | (unstable) | 3.9.2-1               |         |            |

Notes

[buster] - python-django <no-dsa> (Minor issue; can be fixed via point release)
[buster] - python3.7 <no-dsa> (Minor issue)
[bullseye] - python2.7 <ignored> (Python 2.7 in Bullseye not covered by security support)
[buster] - python2.7 <no-dsa> (Minor issue)
[buster] - pypy3 <no-dsa> (Minor issue)
https://github.com/python/cpython/pull/24297
https://github.com/python/cpython/commit/fcbe0cb04d35189401c0c880ebfb4311e952d776 (master)
https://github.com/python/cpython/commit/c9f07813ab8e664d8c34413c4fc2d4f86c061a92 (3.9)
https://github.com/python/cpython/commit/d0d4d30882fe3ab9b1badbecf5d15d94326fd13e (3.7)
https://snyk.io/blog/cache-poisoning-in-popular-open-source-packages/
[jessie] - python-django <not-affected> (Vulnerable code not present)