CPython 3.9 and earlier doesn't disallow configuring an empty list ("[]") for SSLContext.setnpnprotocols() which is an invalid value for the underlying OpenSSL API. This results in a buffer over-read when NPN is used (see CVE-2024-5535 for OpenSSL). This vulnerability is of low severity due to NPN being not widely used and specifying an empty list likely being uncommon in-practice (typically a protocol name would be configured).
{ "availability": "No subscription required", "ubuntu_priority": "low", "binaries": [ { "libpython3.8": "3.8.2-1ubuntu1", "libpython3.8-minimal": "3.8.2-1ubuntu1", "python3.8-dbg": "3.8.2-1ubuntu1", "python3.8-doc": "3.8.2-1ubuntu1", "python3.8-minimal": "3.8.2-1ubuntu1", "libpython3.8-testsuite": "3.8.2-1ubuntu1", "idle-python3.8": "3.8.2-1ubuntu1", "libpython3.8-dbg": "3.8.2-1ubuntu1", "python3.8": "3.8.2-1ubuntu1", "python3.8-venv": "3.8.2-1ubuntu1", "libpython3.8-stdlib": "3.8.2-1ubuntu1", "python3.8-dev": "3.8.2-1ubuntu1", "python3.8-examples": "3.8.2-1ubuntu1", "libpython3.8-dev": "3.8.2-1ubuntu1" } ], "priority_reason": "Requires unlikely API usage to be vulnerable." }
{ "availability": "No subscription required", "ubuntu_priority": "low", "binaries": [ { "libpython3.10": "3.10.4-3", "python3.10": "3.10.4-3", "libpython3.10-stdlib": "3.10.4-3", "python3.10-examples": "3.10.4-3", "libpython3.10-dev": "3.10.4-3", "python3.10-dev": "3.10.4-3", "python3.10-doc": "3.10.4-3", "python3.10-nopie": "3.10.4-3", "libpython3.10-testsuite": "3.10.4-3", "python3.10-venv": "3.10.4-3", "libpython3.10-minimal": "3.10.4-3", "python3.10-full": "3.10.4-3", "python3.10-dbg": "3.10.4-3", "idle-python3.10": "3.10.4-3", "python3.10-minimal": "3.10.4-3", "libpython3.10-dbg": "3.10.4-3" } ], "priority_reason": "Requires unlikely API usage to be vulnerable." }
{ "availability": "No subscription required", "ubuntu_priority": "low", "binaries": [ { "python3.11-minimal": "3.11.0~rc1-1~22.04", "python3.11-examples": "3.11.0~rc1-1~22.04", "python3.11": "3.11.0~rc1-1~22.04", "idle-python3.11": "3.11.0~rc1-1~22.04", "libpython3.11-dev": "3.11.0~rc1-1~22.04", "python3.11-dbg": "3.11.0~rc1-1~22.04", "libpython3.11-dbg": "3.11.0~rc1-1~22.04", "libpython3.11": "3.11.0~rc1-1~22.04", "libpython3.11-testsuite": "3.11.0~rc1-1~22.04", "libpython3.11-minimal": "3.11.0~rc1-1~22.04", "python3.11-dev": "3.11.0~rc1-1~22.04", "python3.11-full": "3.11.0~rc1-1~22.04", "python3.11-venv": "3.11.0~rc1-1~22.04", "libpython3.11-stdlib": "3.11.0~rc1-1~22.04", "python3.11-doc": "3.11.0~rc1-1~22.04", "python3.11-nopie": "3.11.0~rc1-1~22.04" } ], "priority_reason": "Requires unlikely API usage to be vulnerable." }
{ "availability": "No subscription required", "ubuntu_priority": "low", "binaries": [ { "python3.12-dbg": "3.12.3-1", "libpython3.12t64": "3.12.3-1", "python3.12-doc": "3.12.3-1", "python3.12": "3.12.3-1", "python3.12-minimal": "3.12.3-1", "python3.12-nopie": "3.12.3-1", "libpython3.12t64-dbg": "3.12.3-1", "libpython3.12-testsuite": "3.12.3-1", "python3.12-examples": "3.12.3-1", "python3.12-dev": "3.12.3-1", "idle-python3.12": "3.12.3-1", "libpython3.12-stdlib": "3.12.3-1", "libpython3.12-minimal": "3.12.3-1", "python3.12-venv": "3.12.3-1", "libpython3.12-dev": "3.12.3-1", "python3.12-full": "3.12.3-1" } ], "priority_reason": "Requires unlikely API usage to be vulnerable." }