PSF-2024-4

2024-06-1715:09:40

Google

osv.dev

python

ssl module

defect

memory race condition

sslcontext

cert_store_stats

get_ca_certs

tls handshake

cpython

software

fix

6.6 Medium

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

13.1%

JSON

A defect was discovered in the Python “ssl” module where there is a memory
race condition with the ssl.SSLContext methods “cert_store_stats()” and
“get_ca_certs()”. The race condition can be triggered if the methods are
called at the same time as certificates are loaded into the SSLContext,
such as during the TLS handshake with a certificate directory configured.
This issue is fixed in CPython 3.10.14, 3.11.9, 3.12.3, and 3.13.0a5.

CPENameOperatorVersion
cpythoneq2.5.4
cpythoneq3.9.0a4
cpythoneq3.5.1rc1
cpythoneq3.5.2
cpythoneq3.8.7rc1
cpythoneq3.11.0a4
cpythoneq2.5.1
cpythoneq2.5.5c1
cpythoneq2.6.8rc2
cpythoneq2.4

Name	Operator	Version
cpython	eq	2.5.4
cpython	eq	3.9.0a4
cpython	eq	3.5.1rc1
cpython	eq	3.5.2
cpython	eq	3.8.7rc1
cpython	eq	3.11.0a4
cpython	eq	2.5.1
cpython	eq	2.5.5c1
cpython	eq	2.6.8rc2
cpython	eq	2.4