CVE-2024-5642

2024-06-2721:15:16

Debian Security Bug Tracker

security-tracker.debian.org

cpython 3.9

sslcontext

buffer over-read

npn

openssl api

vulnerability

low severity

protocol name configured

unix

6.6 Medium

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

15.7%

JSON

CPython 3.9 and earlier doesn’t disallow configuring an empty list (“[]”) for SSLContext.set_npn_protocols() which is an invalid value for the underlying OpenSSL API. This results in a buffer over-read when NPN is used (see CVE-2024-5535 for OpenSSL). This vulnerability is of low severity due to NPN being not widely used and specifying an empty list likely being uncommon in-practice (typically a protocol name would be configured).

OSVersionArchitecturePackageVersionFilename
Debian11allpython2.7<= 2.7.18-8+deb11u1python2.7_2.7.18-8+deb11u1_all.deb
Debian12allpython3.11< 3.11.2-6+deb12u2python3.11_3.11.2-6+deb12u2_all.deb
Debian999allpython3.11< 3.11.9-1python3.11_3.11.9-1_all.deb
Debian13allpython3.11< 3.11.9-1python3.11_3.11.9-1_all.deb
Debian999allpython3.12< 3.12.4-1python3.12_3.12.4-1_all.deb
Debian13allpython3.12< 3.12.4-1python3.12_3.12.4-1_all.deb
Debian999allpython3.13< 3.13.0~b2-1python3.13_3.13.0~b2-1_all.deb
Debian13allpython3.13< 3.13.0~b2-1python3.13_3.13.0~b2-1_all.deb
Debian11allpython3.9<= 3.9.2-1python3.9_3.9.2-1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	11	all	python2.7	<= 2.7.18-8+deb11u1	python2.7_2.7.18-8+deb11u1_all.deb
Debian	12	all	python3.11	< 3.11.2-6+deb12u2	python3.11_3.11.2-6+deb12u2_all.deb
Debian	999	all	python3.11	< 3.11.9-1	python3.11_3.11.9-1_all.deb
Debian	13	all	python3.11	< 3.11.9-1	python3.11_3.11.9-1_all.deb
Debian	999	all	python3.12	< 3.12.4-1	python3.12_3.12.4-1_all.deb
Debian	13	all	python3.12	< 3.12.4-1	python3.12_3.12.4-1_all.deb
Debian	999	all	python3.13	< 3.13.0~b2-1	python3.13_3.13.0~b2-1_all.deb
Debian	13	all	python3.13	< 3.13.0~b2-1	python3.13_3.13.0~b2-1_all.deb
Debian	11	all	python3.9	<= 3.9.2-1	python3.9_3.9.2-1_all.deb