CVE-2024-0397
Publication date 17 June 2024
Last updated 31 July 2024
Ubuntu priority
A defect was discovered in the Python “ssl” module where there is a memory race condition with the ssl.SSLContext methods “cert_store_stats()” and “get_ca_certs()”. The race condition can be triggered if the methods are called at the same time as certificates are loaded into the SSLContext, such as during the TLS handshake with a certificate directory configured. This issue is fixed in CPython 3.10.14, 3.11.9, 3.12.3, and 3.13.0a5.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| python2.7 | 24.10 oracular | Not in release |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy |
Needs evaluation
|
|
| 20.04 LTS focal |
Needs evaluation
|
|
| 18.04 LTS bionic |
Needs evaluation
|
|
| 16.04 LTS xenial |
Needs evaluation
|
|
| 14.04 LTS trusty |
Needs evaluation
|
|
| python3.10 | 24.10 oracular | Not in release |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy |
Fixed 3.10.12-1~22.04.5
|
|
| 20.04 LTS focal | Not in release | |
| python3.11 | 24.10 oracular | Not in release |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy |
Needs evaluation
|
|
| 20.04 LTS focal | Not in release | |
| python3.12 | 24.10 oracular |
Not affected
|
| 24.04 LTS noble |
Not affected
|
|
| 22.04 LTS jammy | Not in release | |
| 20.04 LTS focal | Not in release | |
| python3.4 | 24.10 oracular | Not in release |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| 20.04 LTS focal | Not in release | |
| 14.04 LTS trusty |
Needs evaluation
|
|
| python3.5 | 24.10 oracular | Not in release |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| 20.04 LTS focal | Not in release | |
| 16.04 LTS xenial |
Needs evaluation
|
|
| 14.04 LTS trusty |
Needs evaluation
|
|
| python3.6 | 24.10 oracular | Not in release |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| 20.04 LTS focal | Not in release | |
| 18.04 LTS bionic |
Needs evaluation
|
|
| python3.7 | 24.10 oracular | Not in release |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| 20.04 LTS focal | Not in release | |
| 18.04 LTS bionic |
Needs evaluation
|
|
| python3.8 | 24.10 oracular | Not in release |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| 20.04 LTS focal |
Fixed 3.8.10-0ubuntu1~20.04.11
|
|
| 18.04 LTS bionic |
Needs evaluation
|
|
| python3.9 | 24.10 oracular | Not in release |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| 20.04 LTS focal |
Needs evaluation
|
Patch details
| Package | Patch details |
|---|---|
| python3.10 |
|
| python3.11 |
|
| python3.12 |
|
| python3.8 |
|
| python3.9 |
|
References
Related Ubuntu Security Notices (USN)
- USN-6928-1
- Python vulnerabilities
- 30 July 2024
Other references
- https://www.cve.org/CVERecord?id=CVE-2024-0397
- https://github.com/python/cpython/pull/114573
- https://mail.python.org/archives/list/security-announce@python.org/thread/BMAK5BCGKYWNJOACVUSLUF6SFGBIM4VP/
- https://github.com/python/cpython/commit/bce693111bff906ccf9281c22371331aaff766ab (3.13)
- http://www.openwall.com/lists/oss-security/2024/06/17/2