Bugzilla – Bug 1185768
VUL-0: CVE-2021-42771: python-Babel: relative path traversal leads to load arbitrary locale files on disk and execute arbitrary code
Last modified: 2024-05-13 12:46:15 UTC
CVE-2021-20095 Relative Path Traversal in Babel 2.9.0 allows an attacker to load arbitrary locale files on disk and execute arbitrary code.

Reference: https://www.tenable.com/security/research/tra-2021-14
Upstream patch: https://github.com/python-babel/babel/pull/782

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1955615
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-20095
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20095
https://www.tenable.com/security/research/tra-2021-14
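The traversal described above comes from the locale identifier being joined straight onto Babel's data directory before the `.dat` file is opened and unpickled, so a name containing `..` selects a file the attacker controls and the pickle loader runs whatever it finds there. The block below is an added illustration, not Babel's code or the upstream patch: a reduced loader with the pre-fix resolver next to a hardened one, run against a constructed temp-dir layout. The basename step mirrors what the upstream fix does; the identifier allowlist and the containment check are extra defenses added here, and the `evil.dat` file and directory names are constructed for the demo.

```python
import os
import re
import shutil
import tempfile

# Constructed sample layout, not real CLDR data: <root>/data/ is the locale
# data directory; <root>/evil.dat stands in for an attacker-placed file
# anywhere outside it.
def make_layout():
    root = tempfile.mkdtemp(prefix="localedata-")
    data_dir = os.path.join(root, "data")
    os.mkdir(data_dir)
    with open(os.path.join(data_dir, "en.dat"), "wb") as f:
        f.write(b"legit locale data")
    with open(os.path.join(root, "evil.dat"), "wb") as f:
        f.write(b"attacker-controlled bytes")
    return root, data_dir


def vulnerable_resolve(data_dir, name):
    # Pre-fix pattern: the caller-supplied identifier is joined onto the
    # data directory unchecked, so '../evil' walks out of it.
    return os.path.join(data_dir, "%s.dat" % name)


# CLDR-style identifiers (en, en_US, sr_Latn_RS, en_001) never need more
# than these characters; this allowlist is an addition here, not upstream's.
_LOCALE_ID = re.compile(r"^[A-Za-z0-9_]+$")


def hardened_resolve(data_dir, name):
    # 1. Drop any directory component (the approach of the upstream fix).
    name = os.path.basename(name)
    # 2. Reject anything that is not a plain identifier (added here).
    if not _LOCALE_ID.match(name):
        raise ValueError("invalid locale identifier: %r" % name)
    path = os.path.join(data_dir, "%s.dat" % name)
    # 3. Confirm the final path is still under data_dir (added here).
    real_dir = os.path.realpath(data_dir)
    if os.path.commonpath([os.path.realpath(path), real_dir]) != real_dir:
        raise ValueError("resolved path escapes the data directory")
    return path


def load(resolve, data_dir, name):
    # Stand-in for the real loader, which pickle.loads the file it opened;
    # returning the raw bytes is enough to show what would have been
    # deserialized.
    with open(resolve(data_dir, name), "rb") as f:
        return f.read()


def demo():
    """Run both resolvers against a legitimate and a traversing name."""
    root, data_dir = make_layout()
    try:
        results = {
            "vulnerable/en": load(vulnerable_resolve, data_dir, "en"),
            "vulnerable/../evil": load(vulnerable_resolve, data_dir, "../evil"),
            "hardened/en": load(hardened_resolve, data_dir, "en"),
        }
        try:
            load(hardened_resolve, data_dir, "../evil")
            results["hardened/../evil"] = "loaded"
        except (FileNotFoundError, ValueError):
            # basename() turns '../evil' into 'evil', which does not exist
            # in data_dir, so the file outside it is never opened.
            results["hardened/../evil"] = "blocked"
        return results
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for name, outcome in demo().items():
        print("%-20s -> %r" % (name, outcome))
```

The point of the third check is defense in depth: `os.path.basename` alone already stops `..` traversal, but verifying that the resolved path still lives under the data directory catches a future refactor that reintroduces a join before the sanitization. Note that the fix only removes the traversal; an application that lets untrusted input pick the locale still hands that string to the loader, so the allowlist is where that input should be rejected.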
Affected packages:

SUSE:SLE-12-SP1:Update/python-Babel 2.5.3
SUSE:SLE-12-SP2:Update:Products:Cloud7:Update/python-Babel 2.3.4
SUSE:SLE-12-SP3:Update:Products:Cloud8:Update/python-Babel 2.3.4
SUSE:SLE-12-SP4:Update:Products:Cloud9:Update/python-Babel 2.5.1
SUSE:SLE-15-SP2:Update/python-Babel 2.8.0
SUSE:SLE-15:Update/python-Babel 2.5.1
openSUSE:Factory/python-Babel 2.9.0

Upstream patch here [0].

[0] https://github.com/python-babel/babel/commit/412015ef642bfcc0d8ba8f4d05cdbb6aac98d9b3.patch
CVE-2021-20095 appears to have been rejected again: "This candidate was withdrawn by its CNA" according to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20095
CVE rejected by Tenable Network Security, Inc.
Beuc from the Debian LTS team requested a new CVE from Mitre [0]. This security bug is now tracked with CVE-2021-42771 [1].

@Matej: please backport the fix to the affected packages as stated in comment 1.

[0] https://github.com/python-babel/babel/pull/782#issuecomment-948346895
[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42771
This is an autogenerated message for OBS integration: This bug (1185768) was mentioned in https://build.opensuse.org/request/show/928218 Factory / python-Babel
(In reply to Gianluca Gabrielli from comment #1)
> Affected packages:
>
> SUSE:SLE-12-SP1:Update/python-Babel 2.5.3
> SUSE:SLE-12-SP2:Update:Products:Cloud7:Update/python-Babel 2.3.4
> SUSE:SLE-12-SP3:Update:Products:Cloud8:Update/python-Babel 2.3.4
> SUSE:SLE-12-SP4:Update:Products:Cloud9:Update/python-Babel 2.5.1
> SUSE:SLE-15-SP2:Update/python-Babel 2.8.0
> SUSE:SLE-15:Update/python-Babel 2.5.1
> openSUSE:Factory/python-Babel 2.9.0

From the previous list (shared in May) you can now ignore:
- SUSE:SLE-12-SP2:Update:Products:Cloud7:Update/python-Babel
- SUSE:SLE-15:Update/python-Babel
- openSUSE:Factory/python-Babel

Since you already submitted to:
- SUSE:SLE-12-SP1:Update/python-Babel
- SUSE:SLE-15-SP2:Update/python-Babel

Only the following codestreams are missing submissions:
- SUSE:SLE-12-SP3:Update:Products:Cloud8:Update/python-Babel
- SUSE:SLE-12-SP4:Update:Products:Cloud9:Update/python-Babel

that, correct me if I'm wrong, the cloud team should provide.
openSUSE-SU-2021:3945-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1185768
CVE References: CVE-2021-42771
JIRA References:
Sources used:
openSUSE Leap 15.3 (src): python-Babel-2.8.0-3.3.1, python-Babel-doc-2.8.0-3.3.1
SUSE-SU-2021:3945-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1185768
CVE References: CVE-2021-42771
JIRA References:
Sources used:
SUSE MicroOS 5.1 (src): python-Babel-2.8.0-3.3.1
SUSE MicroOS 5.0 (src): python-Babel-2.8.0-3.3.1
SUSE Linux Enterprise Module for Python2 15-SP3 (src): python-Babel-2.8.0-3.3.1
SUSE Linux Enterprise Module for Python2 15-SP2 (src): python-Babel-2.8.0-3.3.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src): python-Babel-2.8.0-3.3.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src): python-Babel-2.8.0-3.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2021:1553-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1185768
CVE References: CVE-2021-42771
JIRA References:
Sources used:
openSUSE Leap 15.2 (src): python-Babel-2.8.0-lp152.2.3.1, python-Babel-doc-2.8.0-lp152.2.3.1
SUSE-SU-2021:4161-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1185768
CVE References: CVE-2021-42771
JIRA References:
Sources used:
SUSE Linux Enterprise Module for Public Cloud 12 (src): python-Babel-2.5.3-4.8.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:0029-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1185768
CVE References: CVE-2021-42771
JIRA References:
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src): python-Babel-2.3.4-4.3.1
SUSE OpenStack Cloud 8 (src): python-Babel-2.3.4-4.3.1
HPE Helion Openstack 8 (src): python-Babel-2.3.4-4.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:0028-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1185768
CVE References: CVE-2021-42771
JIRA References:
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src): python-Babel-2.5.1-3.3.1
SUSE OpenStack Cloud 9 (src): python-Babel-2.5.1-3.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:3590-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1185768
CVE References: CVE-2021-42771
JIRA References:
Sources used:
SUSE Linux Enterprise Server for SAP 15-SP1 (src): python-Babel-2.5.1-150000.3.3.1
SUSE Linux Enterprise Server for SAP 15 (src): python-Babel-2.5.1-150000.3.3.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src): python-Babel-2.5.1-150000.3.3.1
SUSE Linux Enterprise Server 15-SP1-BCL (src): python-Babel-2.5.1-150000.3.3.1
SUSE Linux Enterprise Server 15-LTSS (src): python-Babel-2.5.1-150000.3.3.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src): python-Babel-2.5.1-150000.3.3.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src): python-Babel-2.5.1-150000.3.3.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src): python-Babel-2.5.1-150000.3.3.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): python-Babel-2.5.1-150000.3.3.1
SUSE Enterprise Storage 6 (src): python-Babel-2.5.1-150000.3.3.1
SUSE CaaS Platform 4.0 (src): python-Babel-2.5.1-150000.3.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
This is an autogenerated message for OBS integration: This bug (1185768) was mentioned in https://build.opensuse.org/request/show/1109065 Factory / python-Babel