CVE-2024-0397

2024-06-1716:15:10

Debian Security Bug Tracker

security-tracker.debian.org

python

ssl module

memory race condition

certificates

tls handshake

cpython

version fix

unix

CVSS3

7.4

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H

AI Score

6.8

Confidence

Low

JSON

A defect was discovered in the Python “ssl” module where there is a memory race condition with the ssl.SSLContext methods “cert_store_stats()” and “get_ca_certs()”. The race condition can be triggered if the methods are called at the same time as certificates are loaded into the SSLContext, such as during the TLS handshake with a certificate directory configured. This issue is fixed in CPython 3.10.14, 3.11.9, 3.12.3, and 3.13.0a5.

OSVersionArchitecturePackageVersionFilename
Debian11allpython2.7<= 2.7.18-8+deb11u1python2.7_2.7.18-8+deb11u1_all.deb
Debian12allpython3.11< 3.11.2-6+deb12u3python3.11_3.11.2-6+deb12u3_all.deb
Debian999allpython3.12< 3.12.3-1python3.12_3.12.3-1_all.deb
Debian13allpython3.12< 3.12.3-1python3.12_3.12.3-1_all.deb
Debian999allpython3.13< 3.13.0~rc2-1python3.13_3.13.0~rc2-1_all.deb
Debian13allpython3.13< 3.13.0~rc2-1python3.13_3.13.0~rc2-1_all.deb
Debian11allpython3.9<= 3.9.2-1python3.9_3.9.2-1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	11	all	python2.7	<= 2.7.18-8+deb11u1	python2.7_2.7.18-8+deb11u1_all.deb
Debian	12	all	python3.11	< 3.11.2-6+deb12u3	python3.11_3.11.2-6+deb12u3_all.deb
Debian	999	all	python3.12	< 3.12.3-1	python3.12_3.12.3-1_all.deb
Debian	13	all	python3.12	< 3.12.3-1	python3.12_3.12.3-1_all.deb
Debian	999	all	python3.13	< 3.13.0~rc2-1	python3.13_3.13.0~rc2-1_all.deb
Debian	13	all	python3.13	< 3.13.0~rc2-1	python3.13_3.13.0~rc2-1_all.deb
Debian	11	all	python3.9	<= 3.9.2-1	python3.9_3.9.2-1_all.deb