CVE-2021-29921 python ipaddress module vulnerability


I wanted to upgrade python Version from 3.7 to 3.9.0.
After installation noticed, CVE-2021-29921 vulnerability was reported in 3.8 version release. After researching about this vulnerability in Google, i understand this vulnerability is fixed in 3.8.12, 3.95 and 3.10.0 version.
My question is, has the fix applied to 3.9.0 version as well?
Can anyone please help clarifying this

If it was fixed in 3.9.5, it’s safe to say that it was NOT fixed in 3.9.0 - the way that Python version numbers go, there’s a “branch” described by the first two numbers (in this case “3.9”) which defines what features are available, and then progressive bug fixes (including security fixes) are indicated by the third digit.

Here’s the changelog for version 3.9.5 specifically: Changelog — Python 3.9.5 documentation This includes a mention of what’s clearly the issue at hand (with the designation bpo-36384). So everything from 3.9.0 to 3.9.4 does not include this change, but 3.9.5 and subsequent do.

There is one wrinkle, though. Some downstream distributors of Python “cherry-pick” changes. They may start with Python 3.9.2, and then over the next few years, update it by applying some of the changes. The general practice is that the version number specifies the oldest part of the Python distribution (so if it’s called “3.9.2”, you can be absolutely 100% confident that it includes every change from 3.9.0, 3.9.1, and 3.9.2), but that some subsequent changes MAY have been applied also. This is the case with Debian (and, in fact, version 3.9.2 is precisely what’s included with Debian Bullseye), so you might find that they’ve chosen to apply this change while still not updating the version number. So if this issue matters to you, test for it.

1 Like