Bug 1202624 (CVE-2021-28861) - VUL-0: CVE-2021-28861: python310,python3,python39,python,python27,python36: Open redirection vulnerability in lib/http/server.py
Status: RESOLVED FIXED
Alias: CVE-2021-28861
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/340514/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-28861:7.4:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2022-08-23 07:34 UTC by Cathy Hu
Modified: 2024-06-13 15:44 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Cathy Hu 2022-08-23 07:34:22 UTC
CVE-2021-28861

Python 3.x through 3.10 has an open redirection vulnerability in
lib/http/server.py due to no protection against multiple (/) at the beginning of
the URI path, which may lead to information disclosure.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-28861
https://github.com/python/cpython/pull/93879
https://github.com/python/cpython/pull/24848
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28861
https://bugs.python.org/issue43223
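As an added illustration (not code from the bug report, SUSE or CPython), the following Python models the two sides of the issue: how a request path beginning with `//` turns http.server's directory redirect into a Location that an RFC 3986 client resolves against a different host, what the leading-slash normalisation of the upstream fix (PR 93879) does to it, and a check for the pattern over constructed http.server-style log lines. The host `evil.example`, the base URL and the log lines are constructed for the example.

```python
"""Added example, not code from the SUSE bug or CPython: models the Location
header http.server derives from a request path, the leading-slash
normalisation of the upstream fix, and a log check for the pattern."""
from urllib.parse import urljoin, urlsplit, urlunsplit


def normalize_request_path(path: str) -> str:
    """Collapse leading slashes to a single '/', modelled on the check the fix
    added to BaseHTTPRequestHandler.parse_request (CPython PR 93879)."""
    if path.startswith('//'):
        return '/' + path.lstrip('/')
    return path


def directory_redirect_location(request_path: str, fixed: bool) -> str:
    """Location value SimpleHTTPRequestHandler sends for a directory requested
    without a trailing '/': the request's own path plus '/'. fixed=False
    models the pre-fix server (the isdir() gate itself is not modelled)."""
    path = normalize_request_path(request_path) if fixed else request_path
    parts = urlsplit(path)
    if not parts.path.endswith('/'):
        parts = parts._replace(path=parts.path + '/')
    return urlunsplit(parts)


def resolved_target(base_url: str, location: str) -> str:
    """Where an RFC 3986 client goes: '//host/' is scheme-relative, so the
    scheme is kept but the host is replaced."""
    return urljoin(base_url, location)


SAMPLE_LOG = [  # constructed http.server-style log lines, not real traffic
    '127.0.0.1 - - [23/Aug/2022 07:34:22] "GET /docs HTTP/1.1" 301 -',
    '127.0.0.1 - - [23/Aug/2022 07:34:25] "GET //evil.example HTTP/1.1" 301 -',
    '127.0.0.1 - - [23/Aug/2022 07:34:30] "GET /index.html HTTP/1.1" 200 -',
]


def flag_double_slash_requests(log_lines):
    """Request targets beginning with '//' in http.server-style log lines;
    on an unpatched server these are the requests to review."""
    hits = []
    for line in log_lines:
        start = line.find('"')
        end = line.find('"', start + 1)
        if start == -1 or end == -1:
            continue
        parts = line[start + 1:end].split()
        if len(parts) >= 2 and parts[1].startswith('//'):
            hits.append(parts[1])
    return hits
```

Comparing `resolved_target` on the two `directory_redirect_location` results shows the difference the fix makes: the unpatched Location leaves the server's host, the patched one stays under it.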
Comment 1 Cathy Hu 2022-08-23 07:34:59 UTC
Affected (in Lib/BaseHTTPServer.py):
- SUSE:SLE-11-SP1:Update/python                             2.6.9
- SUSE:SLE-11-SP1:Update:Teradata/python27                  2.7.18
- SUSE:SLE-12-SP1:Update/python                             2.7.18
- SUSE:SLE-12-SP4:Update/python                             2.7.18
- SUSE:SLE-15:Update/python                                 2.7.18
- openSUSE:Factory/python                                   2.7.18

Affected (in Lib/http/server.py):
- SUSE:SLE-12:Update/python3                                3.4.10
- SUSE:SLE-12-SP5:Update/python36                           3.6.15
- SUSE:SLE-15-SP3:Update/python3                            3.6.15
- SUSE:SLE-15:Update/python3                                3.6.15
- SUSE:Carwos:1/python36                                    3.6.15
- SUSE:SLE-12-SP3:Update:Products:Teradata:Update/python36  3.6.15
- SUSE:SLE-15-SP3:Update/python39                           3.9.13
- openSUSE:Factory/python39                                 3.9.13
- SUSE:SLE-15-SP4:Update/python310                          3.10.5

Not affected (already contains fix):
- openSUSE:Factory/python310                                3.10.6
Comment 2 OBSbugzilla Bot 2022-09-01 04:40:02 UTC
This is an autogenerated message for OBS integration:
This bug (1202624) was mentioned in
https://build.opensuse.org/request/show/1000538 Factory / python310
Comment 6 OBSbugzilla Bot 2022-09-02 05:40:03 UTC
This is an autogenerated message for OBS integration:
This bug (1202624) was mentioned in
https://build.opensuse.org/request/show/1000771 Factory / python39
https://build.opensuse.org/request/show/1000772 Factory / python38
Comment 9 OBSbugzilla Bot 2022-09-07 05:20:02 UTC
This is an autogenerated message for OBS integration:
This bug (1202624) was mentioned in
https://build.opensuse.org/request/show/1001544 Factory / python
Comment 14 OBSbugzilla Bot 2022-09-11 11:05:04 UTC
This is an autogenerated message for OBS integration:
This bug (1202624) was mentioned in
https://build.opensuse.org/request/show/1002501 Factory / python38
Comment 19 Swamp Workflow Management 2022-09-30 13:20:33 UTC
SUSE-SU-2022:3473-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1202624,1203125
CVE References: CVE-2020-10735,CVE-2021-28861
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    python310-3.10.7-150400.4.10.1, python310-core-3.10.7-150400.4.10.1, python310-documentation-3.10.7-150400.4.10.1
SUSE Linux Enterprise Module for Python3 15-SP4 (src):    python310-3.10.7-150400.4.10.1, python310-core-3.10.7-150400.4.10.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 20 Swamp Workflow Management 2022-09-30 19:21:12 UTC
SUSE-SU-2022:3483-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1202624
CVE References: CVE-2021-28861
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    python36-core-3.6.15-27.1
SUSE Linux Enterprise Server 12-SP5 (src):    python36-3.6.15-27.1, python36-core-3.6.15-27.1
Comment 21 Swamp Workflow Management 2022-10-01 13:20:44 UTC
SUSE-SU-2022:3485-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1202624,1203125
CVE References: CVE-2020-10735,CVE-2021-28861
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    python39-3.9.14-150300.4.16.1, python39-core-3.9.14-150300.4.16.1, python39-documentation-3.9.14-150300.4.16.1
openSUSE Leap 15.3 (src):    python39-3.9.14-150300.4.16.1, python39-core-3.9.14-150300.4.16.1, python39-documentation-3.9.14-150300.4.16.1
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src):    python39-core-3.9.14-150300.4.16.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    python39-3.9.14-150300.4.16.1, python39-core-3.9.14-150300.4.16.1
Comment 24 Swamp Workflow Management 2022-10-04 13:24:34 UTC
SUSE-SU-2022:3512-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1202624
CVE References: CVE-2021-28861
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    python-2.7.18-150000.44.1, python-base-2.7.18-150000.44.1, python-doc-2.7.18-150000.44.1
openSUSE Leap 15.3 (src):    python-2.7.18-150000.44.1, python-base-2.7.18-150000.44.1, python-doc-2.7.18-150000.44.1
SUSE Linux Enterprise Module for Python2 15-SP3 (src):    python-2.7.18-150000.44.1, python-base-2.7.18-150000.44.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP3 (src):    python-2.7.18-150000.44.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    python-2.7.18-150000.44.1, python-base-2.7.18-150000.44.1
Comment 25 Swamp Workflow Management 2022-10-04 13:32:05 UTC
SUSE-SU-2022:3511-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1202624
CVE References: CVE-2021-28861
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    python3-3.4.10-25.96.1, python3-base-3.4.10-25.96.1
SUSE Linux Enterprise Server 12-SP5 (src):    python3-3.4.10-25.96.1, python3-base-3.4.10-25.96.1
SUSE Linux Enterprise Module for Web Scripting 12 (src):    python3-3.4.10-25.96.1, python3-base-3.4.10-25.96.1
Comment 26 Swamp Workflow Management 2022-10-06 16:22:32 UTC
SUSE-SU-2022:3544-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1202624
CVE References: CVE-2021-28861
JIRA References: 
Sources used:
openSUSE Leap Micro 5.2 (src):    python3-3.6.15-150300.10.30.1, python3-core-3.6.15-150300.10.30.1
openSUSE Leap 15.4 (src):    python3-3.6.15-150300.10.30.1, python3-core-3.6.15-150300.10.30.1, python3-documentation-3.6.15-150300.10.30.1
openSUSE Leap 15.3 (src):    python3-3.6.15-150300.10.30.1, python3-core-3.6.15-150300.10.30.1, python3-documentation-3.6.15-150300.10.30.1
SUSE Linux Enterprise Module for Development Tools 15-SP4 (src):    python3-core-3.6.15-150300.10.30.1
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src):    python3-core-3.6.15-150300.10.30.1
SUSE Linux Enterprise Module for Basesystem 15-SP4 (src):    python3-3.6.15-150300.10.30.1, python3-core-3.6.15-150300.10.30.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    python3-3.6.15-150300.10.30.1, python3-core-3.6.15-150300.10.30.1
SUSE Linux Enterprise Micro 5.3 (src):    python3-3.6.15-150300.10.30.1, python3-core-3.6.15-150300.10.30.1
SUSE Linux Enterprise Micro 5.2 (src):    python3-3.6.15-150300.10.30.1, python3-core-3.6.15-150300.10.30.1
Comment 27 Swamp Workflow Management 2022-10-10 16:22:44 UTC
SUSE-SU-2022:3553-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1202624
CVE References: CVE-2021-28861
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    python-2.7.18-33.14.2, python-base-2.7.18-33.14.1, python-doc-2.7.18-33.14.2
SUSE OpenStack Cloud 9 (src):    python-2.7.18-33.14.2, python-base-2.7.18-33.14.1, python-doc-2.7.18-33.14.2
SUSE Linux Enterprise Workstation Extension 12-SP5 (src):    python-base-2.7.18-33.14.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    python-2.7.18-33.14.2, python-base-2.7.18-33.14.1, python-doc-2.7.18-33.14.2
SUSE Linux Enterprise Server 12-SP5 (src):    python-2.7.18-33.14.2, python-base-2.7.18-33.14.1, python-doc-2.7.18-33.14.2
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    python-2.7.18-33.14.2, python-base-2.7.18-33.14.1, python-doc-2.7.18-33.14.2
Comment 28 Swamp Workflow Management 2022-10-14 16:20:08 UTC
SUSE-SU-2022:3593-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1202624
CVE References: CVE-2021-28861
JIRA References: 
Sources used:
SUSE Manager Server 4.1 (src):    python3-3.6.15-150000.3.109.1, python3-core-3.6.15-150000.3.109.1
SUSE Manager Retail Branch Server 4.1 (src):    python3-3.6.15-150000.3.109.1, python3-core-3.6.15-150000.3.109.1
SUSE Manager Proxy 4.1 (src):    python3-3.6.15-150000.3.109.1, python3-core-3.6.15-150000.3.109.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    python3-3.6.15-150000.3.109.1, python3-core-3.6.15-150000.3.109.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    python3-3.6.15-150000.3.109.1, python3-core-3.6.15-150000.3.109.1
SUSE Linux Enterprise Server for SAP 15 (src):    python3-3.6.15-150000.3.109.1, python3-core-3.6.15-150000.3.109.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    python3-3.6.15-150000.3.109.1, python3-core-3.6.15-150000.3.109.1
SUSE Linux Enterprise Server 15-SP2-BCL (src):    python3-3.6.15-150000.3.109.1, python3-core-3.6.15-150000.3.109.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    python3-3.6.15-150000.3.109.1, python3-core-3.6.15-150000.3.109.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    python3-3.6.15-150000.3.109.1, python3-core-3.6.15-150000.3.109.1
SUSE Linux Enterprise Server 15-LTSS (src):    python3-3.6.15-150000.3.109.1, python3-core-3.6.15-150000.3.109.1
SUSE Linux Enterprise Micro 5.1 (src):    python3-3.6.15-150000.3.109.1, python3-core-3.6.15-150000.3.109.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    python3-3.6.15-150000.3.109.1, python3-core-3.6.15-150000.3.109.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src):    python3-3.6.15-150000.3.109.1, python3-core-3.6.15-150000.3.109.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    python3-3.6.15-150000.3.109.1, python3-core-3.6.15-150000.3.109.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    python3-3.6.15-150000.3.109.1, python3-core-3.6.15-150000.3.109.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    python3-3.6.15-150000.3.109.1, python3-core-3.6.15-150000.3.109.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    python3-3.6.15-150000.3.109.1, python3-core-3.6.15-150000.3.109.1
SUSE Enterprise Storage 7 (src):    python3-3.6.15-150000.3.109.1, python3-core-3.6.15-150000.3.109.1
SUSE Enterprise Storage 6 (src):    python3-3.6.15-150000.3.109.1, python3-core-3.6.15-150000.3.109.1
SUSE CaaS Platform 4.0 (src):    python3-3.6.15-150000.3.109.1, python3-core-3.6.15-150000.3.109.1
Comment 30 Swamp Workflow Management 2022-10-17 16:24:30 UTC
SUSE-SU-2022:3512-2: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1202624
CVE References: CVE-2021-28861
JIRA References: 
Sources used:
SUSE Manager Server 4.1 (src):    python-2.7.18-150000.44.1, python-base-2.7.18-150000.44.1
SUSE Manager Retail Branch Server 4.1 (src):    python-2.7.18-150000.44.1, python-base-2.7.18-150000.44.1
SUSE Manager Proxy 4.1 (src):    python-2.7.18-150000.44.1, python-base-2.7.18-150000.44.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    python-2.7.18-150000.44.1, python-base-2.7.18-150000.44.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    python-2.7.18-150000.44.1, python-base-2.7.18-150000.44.1
SUSE Linux Enterprise Server for SAP 15 (src):    python-2.7.18-150000.44.1, python-base-2.7.18-150000.44.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    python-2.7.18-150000.44.1, python-base-2.7.18-150000.44.1
SUSE Linux Enterprise Server 15-SP2-BCL (src):    python-2.7.18-150000.44.1, python-base-2.7.18-150000.44.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    python-2.7.18-150000.44.1, python-base-2.7.18-150000.44.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    python-2.7.18-150000.44.1, python-base-2.7.18-150000.44.1
SUSE Linux Enterprise Server 15-LTSS (src):    python-2.7.18-150000.44.1, python-base-2.7.18-150000.44.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    python-2.7.18-150000.44.1, python-base-2.7.18-150000.44.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src):    python-2.7.18-150000.44.1, python-base-2.7.18-150000.44.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    python-2.7.18-150000.44.1, python-base-2.7.18-150000.44.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    python-2.7.18-150000.44.1, python-base-2.7.18-150000.44.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    python-2.7.18-150000.44.1, python-base-2.7.18-150000.44.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    python-2.7.18-150000.44.1, python-base-2.7.18-150000.44.1
SUSE Enterprise Storage 7 (src):    python-2.7.18-150000.44.1, python-base-2.7.18-150000.44.1
SUSE Enterprise Storage 6 (src):    python-2.7.18-150000.44.1, python-base-2.7.18-150000.44.1
SUSE CaaS Platform 4.0 (src):    python-2.7.18-150000.44.1, python-base-2.7.18-150000.44.1
Comment 31 Swamp Workflow Management 2022-10-20 16:21:38 UTC
SUSE-SU-2022:3511-2: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1202624
CVE References: CVE-2021-28861
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    python3-3.4.10-25.96.1, python3-base-3.4.10-25.96.1
SUSE OpenStack Cloud 9 (src):    python3-3.4.10-25.96.1, python3-base-3.4.10-25.96.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    python3-3.4.10-25.96.1, python3-base-3.4.10-25.96.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    python3-3.4.10-25.96.1, python3-base-3.4.10-25.96.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    python3-3.4.10-25.96.1, python3-base-3.4.10-25.96.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    python3-3.4.10-25.96.1, python3-base-3.4.10-25.96.1
Comment 36 Swamp Workflow Management 2022-11-10 17:28:34 UTC
SUSE-SU-2022:3940-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1202624
CVE References: CVE-2021-28861
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 12-SP3-BCL (src):    python-2.7.18-28.90.1, python-base-2.7.18-28.90.1, python-doc-2.7.18-28.90.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    python-2.7.18-28.90.1, python-base-2.7.18-28.90.1, python-doc-2.7.18-28.90.1
Comment 38 Cathy Hu 2022-12-20 11:40:17 UTC
done
Comment 45 OBSbugzilla Bot 2023-05-25 00:36:26 UTC
This is an autogenerated message for OBS integration:
This bug (1202624) was mentioned in
https://build.opensuse.org/request/show/1088922 Factory / python