CVE-2026-8328
Published: May 22, 2026Last modified: May 28, 2026
Description
The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv() was patched to replace server-supplied PASV host addresses with the actual peer address (getpeername()[0]), ftpcp() still calls parse227() directly and passes the raw attacker-controllable IP address and port to target.sendport(). This patch is related to CVE-2021-4189.
Status
| Product | Release | Package | Status |
|---|---|---|---|
| Alpaquita Linux | 23 LTS | python3 | Fixed (3.11.15-r2) |
| 25 LTS | python3 | Fixed (3.12.13-r2) | |
| Stream | python3 | Fixed (3.14.3-r2) | |
| Hardened Containers | 23 LTS | python3 | Fixed (3.11.15-r2) |
| 25 LTS | python3 | Fixed (3.12.13-r2) | |
| Stream | python3 | Fixed (3.14.3-r2) |
References
- https://github.com/python/cpython/commit/5dadc64673ce875ebfb24163907777dae0f6ca06
- https://github.com/python/cpython/commit/7d95a1dc7382b55cba7fdd6a110336077584a4f0
- https://github.com/python/cpython/commit/bb3446dda6c49b32e67c11dbbbf221b40be00763
- https://github.com/python/cpython/commit/c88704431ea3248ca769384c13856330976fac1d
- https://github.com/python/cpython/commit/eac4fe3b2c77693790a5ef7dfab127c1fee81bf9
- https://github.com/python/cpython/issues/87451
- https://github.com/python/cpython/pull/149648
- https://mail.python.org/archives/list/[email protected]/thread/ITF2BAPBQEPYK3LDMPRSY435JGNHYNDP/