CVE-2024-0397
Published: 17 June 2024
A defect was discovered in the Python “ssl” module where there is a memory race condition with the ssl.SSLContext methods “cert_store_stats()” and “get_ca_certs()”. The race condition can be triggered if the methods are called at the same time as certificates are loaded into the SSLContext, such as during the TLS handshake with a certificate directory configured. This issue is fixed in CPython 3.10.14, 3.11.9, 3.12.3, and 3.13.0a5.
Priority
Status
| Package | Release | Status |
|---|---|---|
|
python2.7
Launchpad, Ubuntu, Debian |
bionic |
Needs triage
|
| focal |
Needs triage
|
|
| jammy |
Needs triage
|
|
| mantic |
Does not exist
|
|
| noble |
Does not exist
|
|
| trusty |
Needs triage
|
|
| upstream |
Needs triage
|
|
| xenial |
Needs triage
|
|
|
python3.10
Launchpad, Ubuntu, Debian |
focal |
Does not exist
|
| jammy |
Released
(3.10.12-1~22.04.5)
|
|
| mantic |
Does not exist
|
|
| noble |
Does not exist
|
|
| upstream |
Released
(3.10.14)
|
|
|
Patches:
upstream: https://github.com/python/cpython/commit/37324b421b72b7bc9934e27aba85d48d4773002e |
||
|
python3.11
Launchpad, Ubuntu, Debian |
focal |
Does not exist
|
| jammy |
Needs triage
|
|
| mantic |
Ignored
(end of life, was needs-triage)
|
|
| noble |
Does not exist
|
|
| upstream |
Needs triage
|
|
|
Patches:
upstream: https://github.com/python/cpython/commit/01c37f1d0714f5822d34063ca7180b595abf589d |
||
|
python3.12
Launchpad, Ubuntu, Debian |
focal |
Does not exist
|
| jammy |
Does not exist
|
|
| mantic |
Ignored
(end of life, was needs-triage)
|
|
| noble |
Not vulnerable
(3.12.3-1)
|
|
| upstream |
Released
(3.12.3)
|
|
|
Patches:
upstream: https://github.com/python/cpython/commit/542f3272f56f31ed04e74c40635a913fbc12d286 |
||
|
python3.4
Launchpad, Ubuntu, Debian |
focal |
Does not exist
|
| jammy |
Does not exist
|
|
| mantic |
Does not exist
|
|
| noble |
Does not exist
|
|
| trusty |
Needs triage
|
|
| upstream |
Needs triage
|
|
|
python3.5
Launchpad, Ubuntu, Debian |
focal |
Does not exist
|
| jammy |
Does not exist
|
|
| mantic |
Does not exist
|
|
| noble |
Does not exist
|
|
| trusty |
Needs triage
|
|
| upstream |
Needs triage
|
|
| xenial |
Needs triage
|
|
|
python3.6
Launchpad, Ubuntu, Debian |
bionic |
Needs triage
|
| focal |
Does not exist
|
|
| jammy |
Does not exist
|
|
| mantic |
Does not exist
|
|
| noble |
Does not exist
|
|
| upstream |
Needs triage
|
|
|
python3.7
Launchpad, Ubuntu, Debian |
bionic |
Needs triage
|
| focal |
Does not exist
|
|
| jammy |
Does not exist
|
|
| mantic |
Does not exist
|
|
| noble |
Does not exist
|
|
| upstream |
Needs triage
|
|
|
python3.8
Launchpad, Ubuntu, Debian |
bionic |
Needs triage
|
| focal |
Released
(3.8.10-0ubuntu1~20.04.11)
|
|
| jammy |
Does not exist
|
|
| mantic |
Does not exist
|
|
| noble |
Does not exist
|
|
| upstream |
Needs triage
|
|
|
Patches:
upstream: https://github.com/python/cpython/commit/29c97287d205bf2f410f4895ebce3f43b5160524 |
||
|
python3.9
Launchpad, Ubuntu, Debian |
focal |
Needs triage
|
| jammy |
Does not exist
|
|
| mantic |
Does not exist
|
|
| noble |
Does not exist
|
|
| upstream |
Needs triage
|
|
|
Patches:
upstream: https://github.com/python/cpython/commit/b228655c227b2ca298a8ffac44d14ce3d22f6faa |
||
References
- https://www.cve.org/CVERecord?id=CVE-2024-0397
- https://github.com/python/cpython/pull/114573
- https://mail.python.org/archives/list/security-announce@python.org/thread/BMAK5BCGKYWNJOACVUSLUF6SFGBIM4VP/
- https://github.com/python/cpython/commit/bce693111bff906ccf9281c22371331aaff766ab (3.13)
- http://www.openwall.com/lists/oss-security/2024/06/17/2
- https://ubuntu.com/security/notices/USN-6928-1
- NVD
- Launchpad
- Debian