CVE-2021-3737

vstinner · Sep 15, 2021 · 6cbec81 · 6cbec81
1 parent e7604b1
commit 6cbec81
Show file tree

Hide file tree

Showing 4 changed files with 36 additions and 0 deletions.
diff --git a/bugs.txt b/bugs.txt
@@ -333,6 +333,11 @@
     author: confd0
     date: 2021-02-21.11:49:34.565
     title: ftplib should not use the host from the PASV response
+44022:
+    author: guangli dong
+    date: 2021-05-03.17:13:03.819
+    title: 'CVE-2021-3737: urllib http client possible infinite loop on a 100 Continue
+        response'
 44394:
     author: STINNER Victor
     date: 2021-06-11.14:14:07.073

diff --git a/commit_dates.txt b/commit_dates.txt
@@ -8,6 +8,7 @@
 06b15424b0dcacb1c551b2a36e739fffa8d0c595: Tue Jan 15 15:11:52 2019 -0800
 070fae6d0ff49e63bfd5f2bdc66f8eb1df3b6557: Tue Jul 2 20:39:42 2019 +0200
 0716056c49e9505041e30386dad9b2e788f67aaf: Fri Nov 22 14:09:10 2019 -0800
+078b146f062d212919d0ba25e34e658a8234aa63: Thu May 6 10:10:13 2021 -0700
 07bcf05fcf3fd1d4001e8e3489162e6d67638285: Tue Nov 8 21:17:46 2016 +0200
 0902a2d6b2d1d9dbde36aeaaccf1788ceaa97143: Sat Mar 3 21:55:07 2018 -0800
 09d8172837b6985c4ad90ee025f6b5a554a9f0ac: Sat Jun 20 12:13:50 2020 +0530
@@ -108,6 +109,7 @@
 5ea3d0f95b51009fa1c3409e7dd1c12006427ccc: Mon Nov 1 15:18:09 2010 +0000
 5ff7132313eb651107b179d20218dfe5d4e47f13: Wed Jun 21 14:39:22 2017 +0200
 60a4a90c8dd2972eb4bb977e70835be9593cbbac: Thu Mar 24 08:07:45 2011 -0700
+60ba0b68470a584103e28958d91e93a6db37ec92: Wed May 5 16:14:28 2021 -0700
 60ce8f0be6354ad565393ab449d8de5d713f35bc: Sun May 2 14:00:35 2021 +0200
 614f17211c5fc0e5b828be1d3320661d1038fe8f: Sun Mar 29 20:38:41 2020 -0400
 636f93c63ba286249c1207e3a903f8429efb2041: Sat May 18 17:56:42 2013 +0200
@@ -271,6 +273,7 @@ e8650a4f8c7fb76f570d4ca9c1fbe44e91c8dfaa: Sat Sep 28 04:59:37 2019 +0900
 e9123efa21a16584758b5ce7da93d3966cf0cd81: Sat Jul 3 13:39:22 2010 +0000
 e912e945f2960029d039d3390ea08835ad39374b: Mon Oct 19 21:46:10 2020 -0700
 ea1ab803ddc14ab02ffed50ecc5089897f259623: Wed Jun 21 16:05:11 2017 +0200
+ea9327036680acc92d9f89eaf6f6a54d2f8d78d9: Wed May 5 16:05:52 2021 -0700
 ea9e240aa02372440be8024acb110371f69c9d41: Thu Apr 2 03:15:55 2020 -0700
 eaca8616ab0e219ebb5cf37d495f4bf336ec0f5e: Tue Sep 30 14:45:39 2014 +0200
 ec1712a1662282c909b4cd4cc0c7486646bc9246: Sat Feb 18 14:42:57 2012 +0100
@@ -290,7 +293,9 @@ f2492bb6aae061aea47e21fc7e56b7ab9bfdf543: Sun Sep 24 17:58:32 2017 -0700
 f2bf8a6ac51530e14d798a03c8e950dd934d85cd: Fri Jan 27 09:48:47 2012 +0100
 f3232294ee695492f43d424cc6969d018d49861d: Wed Jul 15 05:30:33 2020 -0700
 f381cfe07d15d52f27de771a62a8167668f0dd51: Mon May 14 14:03:17 2018 -0400
+f396864ddfe914531b5856d7bf852808ebfc01ae: Thu May 6 01:52:26 2021 -0700
 f61599b050c621386a3fc6bc480359e2d3bb93de: Tue Jun 4 09:40:16 2019 -0700
+f68d2d69f1da56c2aea1293ecf93ab69a6010ad7: Thu May 6 10:05:37 2021 -0700
 f7666e828cc3d5873136473ea36ba2013d624fa1: Tue Sep 18 06:14:13 2018 -0700
 f91a0b6df14d6c5133fe3d5889fad7d84fc0c046: Fri Jun 12 17:33:19 2020 +0200
 fa53dbdec818b0f2a0e22ca12a49d83ec948fc91: Fri Mar 10 01:49:11 2017 +0100

diff --git a/commit_tags.txt b/commit_tags.txt
@@ -24,6 +24,8 @@
  3.7.4
 0716056c49e9505041e30386dad9b2e788f67aaf
  3.6.10
+078b146f062d212919d0ba25e34e658a8234aa63
+ 3.7.11
 07bcf05fcf3fd1d4001e8e3489162e6d67638285
  3.3.7
  3.4.6
@@ -659,6 +661,8 @@ e912e945f2960029d039d3390ea08835ad39374b
  3.6.13
 ea1ab803ddc14ab02ffed50ecc5089897f259623
  3.6.2
+ea9327036680acc92d9f89eaf6f6a54d2f8d78d9
+ 3.9.6
 ea9e240aa02372440be8024acb110371f69c9d41
  3.8.3
 eaca8616ab0e219ebb5cf37d495f4bf336ec0f5e
@@ -715,8 +719,12 @@ f3232294ee695492f43d424cc6969d018d49861d
  3.9.0
 f381cfe07d15d52f27de771a62a8167668f0dd51
  3.5.6
+f396864ddfe914531b5856d7bf852808ebfc01ae
+ 3.8.11
 f61599b050c621386a3fc6bc480359e2d3bb93de
  2.7.17
+f68d2d69f1da56c2aea1293ecf93ab69a6010ad7
+ 3.6.14
 f7666e828cc3d5873136473ea36ba2013d624fa1
  3.6.7
 f91a0b6df14d6c5133fe3d5889fad7d84fc0c046

diff --git a/vulnerabilities.yaml b/vulnerabilities.yaml
@@ -1776,3 +1776,21 @@
     The regular expression used by the AbstractBasicAuthHandler class of the
     urllib module is inefficient and can be abused by an attacker with a
     maliciuous HTTP server to cause a denial of service.
+
+- name: "CVE-2021-3737: urllib HTTP client possible infinite loop on a 100 Continue response"
+  slug: urllib-100-continue-loop
+  cve: CVE-2021-3737
+  bpo: 44022
+  links:
+    - https://access.redhat.com/security/cve/CVE-2021-3737
+    - https://bugzilla.redhat.com/show_bug.cgi?id=1995162
+  fixed-in:
+   - '3.10': 60ba0b68470a584103e28958d91e93a6db37ec92
+   - '3.9': ea9327036680acc92d9f89eaf6f6a54d2f8d78d9
+   - '3.8': f396864ddfe914531b5856d7bf852808ebfc01ae
+   - '3.6': f68d2d69f1da56c2aea1293ecf93ab69a6010ad7
+   - '3.7': 078b146f062d212919d0ba25e34e658a8234aa63
+  description: |
+    If a client request a HTTP/HTTPS/FTP service which is controlled by
+    attacker, attacker can make this client hang forever, even if the client
+    has set a *timeout* argument.