ubuntu.com
2001:67c:1360:8001::2c
Public Scan
URL:
https://ubuntu.com/security/CVE-2021-3733
Submission: On March 15 via api from SE — Scanned from GB
Form analysis
1 forms found in the DOM/search
<form action="/search" class="p-search-box" id="ubuntu-global-search-form">
<input type="search" class="p-search-box__input" name="q" placeholder="Search our sites" required="" aria-label="Search our sites">
<button type="reset" class="p-search-box__reset"><i class="p-icon--close"></i></button>
<button type="submit" class="p-search-box__button"><i class="p-icon--search">Search</i></button>
</form>
Text Content
CVE-2021-3733

Published: 2 September 2021

There’s a flaw in urllib’s AbstractBasicAuthHandler class. An attacker who controls a malicious HTTP server that an HTTP client (such as a web browser) connects to could trigger a Regular Expression Denial of Service (ReDOS) during an authentication request with a specially crafted payload that is sent by the server to the client. The greatest threat that this flaw poses is to application availability.
Priority: MEDIUM

STATUS

Package: python3.10 (Launchpad, Ubuntu, Debian)
  bionic    Does not exist
  focal     Does not exist
  hirsute   Released (3.10.0~b1-3~21.04)
  impish    Not vulnerable
  trusty    Does not exist
  upstream  Needs triage
  xenial    Ignored (out of standard support)

Package: python3.5 (Launchpad, Ubuntu, Debian)
  bionic    Does not exist
  focal     Does not exist
  hirsute   Does not exist
  impish    Does not exist
  trusty    Needed
  upstream  Needs triage
  xenial    Released (3.5.2-2ubuntu0~16.04.13+esm1)

Package: python3.6 (Launchpad, Ubuntu, Debian)
  bionic    Released (3.6.9-1~18.04ubuntu1.6)
  focal     Does not exist
  hirsute   Does not exist
  impish    Does not exist
  trusty    Does not exist
  upstream  Needs triage
  xenial    Ignored (out of standard support)

Package: python3.7 (Launchpad, Ubuntu, Debian)
  bionic    Released (3.7.5-2ubuntu1~18.04.2)
  focal     Does not exist
  hirsute   Does not exist
  impish    Does not exist
  trusty    Does not exist
  upstream  Needs triage
  xenial    Ignored (out of standard support)

Package: python3.8 (Launchpad, Ubuntu, Debian)
  bionic    Released (3.8.0-3ubuntu1~18.04.2)
  focal     Released (3.8.10-0ubuntu1~20.04)
  hirsute   Does not exist
  impish    Does not exist
  trusty    Does not exist
  upstream  Needs triage
  xenial    Ignored (out of standard support)

Package: python3.9 (Launchpad, Ubuntu, Debian)
  bionic    Does not exist
  focal     Released (3.9.5-3~20.04.1)
  hirsute   Not vulnerable
  impish    Not vulnerable
  trusty    Does not exist
  upstream  Released (3.9.7-1)
  xenial    Ignored (out of standard support)

NOTES

Author: leosilva
Note: code affected in hirsute and devel is already patched, so both releases in python3.9 are not affected.
REFERENCES

* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3733
* https://bugs.python.org/issue43075
* https://github.com/python/cpython/pull/24391
* https://github.com/python/cpython/commit/7215d1ae25525c92b026166f9d5cac85fb1defe1 (master)
* https://github.com/python/cpython/commit/a21d4fbd549ec9685068a113660553d7f80d9b09 (3.9.5)
* https://github.com/python/cpython/commit/e7654b6046090914a8323931ed759a94a5f85d60 (3.8.10)
* https://github.com/python/cpython/commit/ada14995870abddc277addf57dd690a2af04c2da (3.7.11)
* https://github.com/python/cpython/commit/3fbe96123aeb66664fa547a8f6022efa2dc8788f (3.6.14)
* https://ubuntu.com/security/notices/USN-5083-1
* https://ubuntu.com/security/notices/USN-5199-1
* https://ubuntu.com/security/notices/USN-5200-1
* NVD
* Launchpad
* Debian