CVE-2024-4032
Publication date 17 June 2024
Last updated 1 August 2024
Ubuntu priority
The “ipaddress” module contained incorrect information about whether certain IPv4 and IPv6 addresses were designated as “globally reachable” or “private”. This affected the is_private and is_global properties of the ipaddress.IPv4Address, ipaddress.IPv4Network, ipaddress.IPv6Address, and ipaddress.IPv6Network classes, where values wouldn’t be returned in accordance with the latest information from the IANA Special-Purpose Address Registries. CPython 3.12.4 and 3.13.0a6 contain updated information from these registries and thus have the intended behavior.
Why is this CVE low priority?
This is a low severity issue that only mis-classes certain ip addresses
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| python2.7 | 24.10 oracular | Not in release |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy |
Not affected
|
|
| 20.04 LTS focal |
Not affected
|
|
| 18.04 LTS bionic |
Not affected
|
|
| 16.04 LTS xenial |
Not affected
|
|
| 14.04 LTS trusty |
Not affected
|
|
| python3.10 | 24.10 oracular | Not in release |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy |
Fixed 3.10.12-1~22.04.5
|
|
| 20.04 LTS focal | Not in release | |
| python3.11 | 24.10 oracular | Not in release |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy |
Needs evaluation
|
|
| 20.04 LTS focal | Not in release | |
| python3.12 | 24.10 oracular |
Not affected
|
| 24.04 LTS noble |
Fixed 3.12.3-1ubuntu0.1
|
|
| 22.04 LTS jammy | Not in release | |
| 20.04 LTS focal | Not in release | |
| python3.4 | 24.10 oracular | Not in release |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| 20.04 LTS focal | Not in release | |
| 14.04 LTS trusty |
Needs evaluation
|
|
| python3.5 | 24.10 oracular | Not in release |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| 20.04 LTS focal | Not in release | |
| 16.04 LTS xenial |
Needs evaluation
|
|
| 14.04 LTS trusty |
Needs evaluation
|
|
| python3.6 | 24.10 oracular | Not in release |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| 20.04 LTS focal | Not in release | |
| 18.04 LTS bionic |
Needs evaluation
|
|
| python3.7 | 24.10 oracular | Not in release |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| 20.04 LTS focal | Not in release | |
| 18.04 LTS bionic |
Needs evaluation
|
|
| python3.8 | 24.10 oracular | Not in release |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| 20.04 LTS focal |
Fixed 3.8.10-0ubuntu1~20.04.11
|
|
| 18.04 LTS bionic |
Needs evaluation
|
|
| python3.9 | 24.10 oracular | Not in release |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| 20.04 LTS focal |
Needs evaluation
|
Patch details
| Package | Patch details |
|---|---|
| python3.10 |
|
| python3.11 |
|
| python3.12 |
|
| python3.8 |
|
| python3.9 |
|
References
Related Ubuntu Security Notices (USN)
- USN-6928-1
- Python vulnerabilities
- 30 July 2024
- USN-6941-1
- Python vulnerability
- 1 August 2024
Other references
- https://www.cve.org/CVERecord?id=CVE-2024-4032
- https://github.com/python/cpython/pull/113179
- https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml
- https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml
- https://mail.python.org/archives/list/security-announce@python.org/thread/NRUHDUS2IV2USIZM2CVMSFL6SCKU3RZA/
- https://github.com/python/cpython/commit/40d75c2b7f5c67e254d0a025e0f2e2c7ada7f69f (3.13)
- http://www.openwall.com/lists/oss-security/2024/06/17/3
- https://github.com/advisories/GHSA-mh6q-v4mp-2cc7