CVE-2026-8328

Published: May 22, 2026Last modified: May 28, 2026

Description

The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv() was patched to replace server-supplied PASV host addresses with the actual peer address (getpeername()[0]), ftpcp() still calls parse227() directly and passes the raw attacker-controllable IP address and port to target.sendport(). This patch is related to CVE-2021-4189.

Status

Product	Release	Package	Status
Alpaquita Linux	23 LTS	python3	Fixed (3.11.15-r2)
	25 LTS	python3	Fixed (3.12.13-r2)
	Stream	python3	Fixed (3.14.3-r2)
Hardened Containers	23 LTS	python3	Fixed (3.11.15-r2)
	25 LTS	python3	Fixed (3.12.13-r2)
	Stream	python3	Fixed (3.14.3-r2)

References

How to Fix Liberica NIK Not Starting on macOS Catalina and Later

If you use macOS Catalina and later you may encounter the issue that prevents Liberica NIK from starting. To fix it, run the following:

sudo xattr -r -d com.apple.quarantine path/to/graalvm/folder/

If you need more help, check out the FAQ at the bottom of this page or contact us.