Mailman 3 June 2024 - Security-announce

[CVE-2024-5642] Buffer over-read in SSLContext.set_npn_protocols() for Python 3.9 and earlier
by Seth Larson June 27, 2024

June 27, 2024

There is a buffer over-read defect in CPython 3.9 and earlier due to not excluding an invalid value for OpenSSL's NPN APIs. This vulnerability is of severity *LOW*. CPython doesn't disallow configuring an empty list ("[]") for SSLContext.set_npn_protocols() which is an invalid value for the underlying OpenSSL API. This results in a buffer over-read when NPN is used (see CVE -2024-5535 for OpenSSL). This vulnerability is of low severity due to NPN being not widely used and specifying an empty list likely being uncommon in-practice (typically a protocol name would be configured). Suggested mitigation is one of the following: * Upgrade to Python 3.10 or later where NPN isn't supported * Avoid using NPN via SSLContext.set_npn_protocols() * Avoid providing an empty list as a parameter to SSLContext.set_npn_protocols()

1 0

[CVE-2024-0397] Memory race condition in ssl.SSLContext certificate store methods
by Seth Larson June 17, 2024

June 17, 2024

A defect was discovered in the Python “ssl” module where there is a memory race condition with the ssl.SSLContext methods “cert_store_stats()” and “get_ca_certs()”. The race condition can be triggered if the methods are called at the same time as certificates are loaded into the SSLContext, such as during the TLS handshake with a certificate directory configured. This issue is fixed in CPython 3.10.14, 3.11.9, 3.12.3, and 3.13.0a5. Severity: Low References - https://github.com/python/cpython/issues/114572 - https://github.com/python/cpython/pull/114573

1 0

[CVE-2024-4032] Incorrect IPv4 and IPv6 private ranges
by Seth Larson June 17, 2024

June 17, 2024

The “ipaddress” module contained incorrect information about whether certain IPv4 and IPv6 addresses were designated as “globally reachable” or “private”. This affected the 'is_private' and 'is_global' properties of the ipaddress.IPv4Address, ipaddress.IPv4Network, ipaddress.IPv6Address, and ipaddress.IPv6Network classes, where values wouldn’t be returned in accordance with the latest information from the IANA Special-Purpose Address Registries. CPython 3.12.4 and 3.13.0a6 contain updated information from these registries and thus have the intended behavior. Severity: Medium References - https://github.com/python/cpython/issues/113171 - https://github.com/python/cpython/pull/113179 - https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-speci… - https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-speci…

1 0