CVE-2021-3737

Name	CVE-2021-3737
Description	A flaw was found in python. An improperly handled HTTP response in the HTTP client code of python may allow a remote attacker, who controls the HTTP server, to make the client script enter an infinite loop, consuming CPU time. The highest threat from this vulnerability is to system availability.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-2808-1, DLA-3432-1, DLA-3477-1, ELA-510-1, ELA-853-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
pypy (PTS)	jessie	2.4.0+dfsg-3	vulnerable
	stretch	5.6.0+dfsg-4	vulnerable
	buster	7.0.0+dfsg-3	vulnerable
	bullseye	7.3.3+dfsg-2	vulnerable
pypy3 (PTS)	buster	7.0.0+dfsg-3	vulnerable
	bullseye (security), bullseye	7.3.5+dfsg-2+deb11u2	vulnerable
	bookworm	7.3.11+dfsg-2+deb12u2	fixed
	sid, trixie	7.3.17+dfsg-2	fixed
python2.7 (PTS)	jessie, jessie (lts)	2.7.9-2-ds1-1+deb8u12	fixed
	stretch (security)	2.7.13-2+deb9u6	vulnerable
	stretch (lts), stretch	2.7.13-2+deb9u9	fixed
	buster (security), buster, buster (lts)	2.7.16-2+deb10u4	fixed
	bullseye	2.7.18-8+deb11u1	vulnerable
python3.4 (PTS)	jessie, jessie (lts)	3.4.2-1+deb8u18	fixed
python3.5 (PTS)	stretch (security)	3.5.3-1+deb9u5	fixed
	stretch (lts), stretch	3.5.3-1+deb9u10	fixed
python3.7 (PTS)	buster, buster (lts)	3.7.3-2+deb10u8	fixed
	buster (security)	3.7.3-2+deb10u7	fixed
python3.9 (PTS)	bullseye	3.9.2-1	vulnerable

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin
pypy	source	jessie	(unfixed)	end-of-life
pypy	source	buster	(unfixed)	end-of-life
pypy	source	(unstable)	(unfixed)
pypy3	source	(unstable)	7.3.8+dfsg-1
python2.7	source	jessie	2.7.9-2-ds1-1+deb8u10		ELA-853-1
python2.7	source	stretch	2.7.13-2+deb9u7		ELA-853-1
python2.7	source	buster	2.7.16-2+deb10u2		DLA-3432-1
python2.7	source	(unstable)	(unfixed)
python3.4	source	jessie	3.4.2-1+deb8u11		ELA-510-1
python3.4	source	(unstable)	(unfixed)
python3.5	source	stretch	3.5.3-1+deb9u5		DLA-2808-1
python3.5	source	(unstable)	(unfixed)
python3.7	source	buster	3.7.3-2+deb10u5		DLA-3477-1
python3.7	source	(unstable)	(unfixed)
python3.9	source	experimental	3.9.6-1
python3.9	source	(unstable)	3.9.7-1

Notes

[bullseye] - python3.9 <no-dsa> (Minor issue)
[bullseye] - python2.7 <ignored> (Unsupported in Bullseye, only included to build a few applications)
[bullseye] - pypy3 <no-dsa> (Minor issue)
[buster] - pypy3 <no-dsa> (Minor issue)
https://bugs.python.org/issue44022
https://github.com/python/cpython/pull/25916
https://github.com/python/cpython/pull/26503
https://github.com/python/cpython/commit/60ba0b68470a584103e28958d91e93a6db37ec92 (v3.10.0b2)
https://github.com/python/cpython/commit/ea9327036680acc92d9f89eaf6f6a54d2f8d78d9 (v3.9.6)
https://github.com/python/cpython/commit/f396864ddfe914531b5856d7bf852808ebfc01ae (v3.8.11)
https://github.com/python/cpython/commit/078b146f062d212919d0ba25e34e658a8234aa63 (v3.7.11)
https://github.com/python/cpython/commit/f68d2d69f1da56c2aea1293ecf93ab69a6010ad7 (v3.6.14)
Needs the "Improve the regression test" followup:
https://github.com/python/cpython/commit/98e5a7975d99b58d511f171816ecdfb13d5cca18 (v3.10.0b3)
https://github.com/python/cpython/commit/5df4abd6b033a5f1e48945c6988b45e35e76f647 (v3.9.6)
https://github.com/python/cpython/commit/0389426fa4af4dfc8b1d7f3f291932d928392d8b (3.8 branch)
https://github.com/python/cpython/commit/fee96422e6f0056561cf74fef2012cc066c9db86 (v3.7.11)
https://github.com/python/cpython/commit/1b6f4e5e13ebd1f957b47f7415b53d0869bdbac6 (v3.6.14