These two py3 patches need non-trivial backporting to py2:

bpo-42988: CVE-2021-3426: Remove the getfile feature of the pydoc module which could be abused to read arbitrary files on the disk (directory traversal vulnerability). Moreover, even source code of Python modules can contain sensitive data like passwords. Vulnerability reported by David Schwörer.

bpo-43285: ftplib no longer trusts the IP address value returned from the server in response to the PASV command by default. This prevents a malicious FTP server from using the response to probe IPv4 address and port combinations on the client network.
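Added example, not code from this thread, from the CPython patch or from the Gentoo ebuild: a small model of the ftplib PASV hardening that bpo-43285 describes. The hardened default discards the IPv4 address the server advertises in its 227 reply and connects to the control connection's peer instead (CPython exposes the opt-out as FTP.trust_server_pasv_ipv4_address); the parse_227/choose_data_endpoint names, the trust_server_ip flag and the sample replies are constructed for illustration.

```python
import re

# RFC 959 "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply.
_PASV_RE = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def parse_227(resp):
    """Extract (host, port) from a 227 reply; reject malformed input."""
    if not resp.startswith("227"):
        raise ValueError("unexpected PASV reply: %r" % resp)
    m = _PASV_RE.search(resp)
    if m is None:
        raise ValueError("malformed PASV reply: %r" % resp)
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in PASV reply: %r" % resp)
    host = ".".join(str(n) for n in nums[:4])
    port = (nums[4] << 8) + nums[5]
    return host, port


def choose_data_endpoint(resp, control_peer_host, trust_server_ip=False):
    """Pick the data-connection target for a PASV reply.

    Returns (host, port, redirected). With trust_server_ip=False (the
    hardened default modelled here) the advertised host is ignored and the
    control connection's peer is reused, so a malicious server cannot steer
    the client at other hosts on its network; 'redirected' flags a mismatch
    between the advertised and actual host, which is worth logging.
    """
    advertised_host, port = parse_227(resp)
    if trust_server_ip:
        # Legacy behaviour: follow whatever address the server sent.
        return advertised_host, port, False
    redirected = advertised_host != control_peer_host
    return control_peer_host, port, redirected


if __name__ == "__main__":
    # Constructed sample: the control connection is to 192.0.2.10, but the
    # server advertises an internal address instead.
    peer = "192.0.2.10"
    reply = "227 Entering Passive Mode (10,0,0,5,0,80)."
    print(choose_data_endpoint(reply, peer))
    print(choose_data_endpoint(reply, peer, trust_server_ip=True))
```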
Unable to check for sanity: > no match for package: dev-lang/python-2.7.18_p8
Resetting sanity check; keywords are not fully specified and arches are not CC-ed.
ppc64 done
ppc done
sparc stable
x86 stable
hppa stable
arm64 done
arm done
amd64 done

all arches done
Please cleanup.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=834f7d0e6ec7cc60835539a4114edbc4bd0e8930

commit 834f7d0e6ec7cc60835539a4114edbc4bd0e8930
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2021-04-12 20:23:04 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2021-04-12 20:26:05 +0000

    dev-lang/python: Remove old

    Bug: https://bugs.gentoo.org/779841
    Bug: https://bugs.gentoo.org/779844
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest                       |  11 -
 dev-lang/python/python-2.7.18_p7.ebuild        | 358 -------------------------
 dev-lang/python/python-3.10.0_alpha6-r2.ebuild | 350 ------------------------
 dev-lang/python/python-3.6.13.ebuild           | 341 -----------------------
 dev-lang/python/python-3.7.10.ebuild           | 333 -----------------------
 dev-lang/python/python-3.8.8.ebuild            | 339 -----------------------
 dev-lang/python/python-3.9.2.ebuild            | 348 ------------------------
 dev-lang/python/python-3.9.3.ebuild            | 348 ------------------------
 8 files changed, 2428 deletions(-)
Added to an existing GLSA request.
This issue was resolved and addressed in GLSA 202104-04 at https://security.gentoo.org/glsa/202104-04 by GLSA coordinator Thomas Deutschmann (whissi).