Bug 1226448 (CVE-2024-4032)

Summary: VUL-0: CVE-2024-4032: python,python3,python310,python311,python312,python36,python39: incorrect IPv4 and IPv6 private ranges
Product: [Novell Products] SUSE Security Incidents Reporter: SMASH SMASH <smash_bz>
Component: IncidentsAssignee: Python maintainers (group account) <python-maintainers>
Status: NEW --- QA Contact: Security Team bot <security-team>
Severity: Minor    
Priority: P3 - Medium CC: camila.matos, mcepl, meissner
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/411118/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-4032:3.7:(AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description SMASH SMASH 2024-06-17 18:45:28 UTC 
The “ipaddress” module contained incorrect information about whether certain IPv4 and IPv6 addresses were designated as “globally reachable” or “private”. This affected the is_private and is_global properties of the ipaddress.IPv4Address, ipaddress.IPv4Network, ipaddress.IPv6Address, and ipaddress.IPv6Network classes, where values wouldn’t be returned in accordance with the latest information from the IANA Special-Purpose Address Registries.

CPython 3.12.4 and 3.13.0a6 contain updated information from these registries and thus have the intended behavior.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-4032
https://www.cve.org/CVERecord?id=CVE-2024-4032
https://github.com/python/cpython/issues/113171
https://github.com/python/cpython/pull/113179
https://mail.python.org/archives/list/security-announce@python.org/thread/NRUHDUS2IV2USIZM2CVMSFL6SCKU3RZA/
https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml
https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml
https://seclists.org/oss-sec/2024/q2/292
https://github.com/python/cpython/commit/22adf29da8d99933ffed8647d3e0726edd16f7f8
https://github.com/python/cpython/commit/40d75c2b7f5c67e254d0a025e0f2e2c7ada7f69f
https://github.com/python/cpython/commit/895f7e2ac23eff4743143beef0f0c5ac71ea27d3
https://github.com/python/cpython/commit/ba431579efdcbaed7a96f2ac4ea0775879a332fb
https://github.com/python/cpython/commit/c62c9e518b784fe44432a3f4fc265fb95b651906
https://github.com/python/cpython/commit/f86b17ac511e68192ba71f27e752321a3252cee3
Comment 2 Matej Cepl 2024-06-25 22:06:35 UTC 
Fixed in 3.12.4, which we have already in Factory.
Comment 6 OBSbugzilla Bot 2024-06-26 23:45:03 UTC 
This is an autogenerated message for OBS integration:
This bug (1226448) was mentioned in
https://build.opensuse.org/request/show/1183503 Factory / python310
https://build.opensuse.org/request/show/1183504 Factory / python39
https://build.opensuse.org/request/show/1183507 Factory / python38
https://build.opensuse.org/request/show/1183510 Factory / python311
Comment 11 Maintenance Automation 2024-07-01 16:30:03 UTC 
SUSE-SU-2024:2249-1: An update that solves two vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1226447, 1226448
CVE References: CVE-2024-0397, CVE-2024-4032
Maintenance Incident: [SUSE:Maintenance:34506](https://smelt.suse.de/incident/34506/)
Sources used:
SUSE Linux Enterprise Micro 5.1 (src):
 python3-core-3.6.15-150000.3.150.1, python3-3.6.15-150000.3.150.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Maintenance Automation 2024-07-02 08:30:14 UTC 
SUSE-SU-2024:2254-1: An update that solves one vulnerability can now be installed.

Category: security (low)
Bug References: 1226448
CVE References: CVE-2024-4032
Maintenance Incident: [SUSE:Maintenance:34503](https://smelt.suse.de/incident/34503/)
Sources used:
openSUSE Leap 15.5 (src):
 python310-documentation-3.10.14-150400.4.51.1, python310-3.10.14-150400.4.51.1, python310-core-3.10.14-150400.4.51.1
openSUSE Leap 15.6 (src):
 python310-documentation-3.10.14-150400.4.51.1, python310-3.10.14-150400.4.51.1, python310-core-3.10.14-150400.4.51.1
openSUSE Leap 15.4 (src):
 python310-documentation-3.10.14-150400.4.51.1, python310-3.10.14-150400.4.51.1, python310-core-3.10.14-150400.4.51.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 13 Maintenance Automation 2024-07-02 16:30:15 UTC 
SUSE-SU-2024:2274-1: An update that solves two vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1226447, 1226448
CVE References: CVE-2024-0397, CVE-2024-4032
Maintenance Incident: [SUSE:Maintenance:34508](https://smelt.suse.de/incident/34508/)
Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src):
 python36-core-3.6.15-58.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src):
 python36-core-3.6.15-58.1, python36-3.6.15-58.1
SUSE Linux Enterprise Server 12 SP5 (src):
 python36-core-3.6.15-58.1, python36-3.6.15-58.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src):
 python36-core-3.6.15-58.1, python36-3.6.15-58.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 14 Maintenance Automation 2024-07-02 20:30:06 UTC 
SUSE-SU-2024:2280-1: An update that solves two vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1226447, 1226448
CVE References: CVE-2024-0397, CVE-2024-4032
Maintenance Incident: [SUSE:Maintenance:34505](https://smelt.suse.de/incident/34505/)
Sources used:
openSUSE Leap 15.3 (src):
 python39-core-3.9.19-150300.4.46.1, python39-3.9.19-150300.4.46.1, python39-documentation-3.9.19-150300.4.46.1
openSUSE Leap 15.5 (src):
 python39-core-3.9.19-150300.4.46.1, python39-3.9.19-150300.4.46.1, python39-documentation-3.9.19-150300.4.46.1
openSUSE Leap 15.6 (src):
 python39-core-3.9.19-150300.4.46.1, python39-3.9.19-150300.4.46.1, python39-documentation-3.9.19-150300.4.46.1
Legacy Module 15-SP5 (src):
 python39-core-3.9.19-150300.4.46.1, python39-3.9.19-150300.4.46.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 16 Maintenance Automation 2024-07-12 12:30:11 UTC 
SUSE-SU-2024:2414-1: An update that solves one vulnerability can now be installed.

Category: security (low)
Bug References: 1226448
CVE References: CVE-2024-4032
Maintenance Incident: [SUSE:Maintenance:34504](https://smelt.suse.de/incident/34504/)
Sources used:
Public Cloud Module 15-SP4 (src):
 python311-3.11.9-150400.9.29.1, python311-core-3.11.9-150400.9.29.1
Python 3 Module 15-SP5 (src):
 python311-3.11.9-150400.9.29.1, python311-core-3.11.9-150400.9.29.1, python311-documentation-3.11.9-150400.9.29.1
openSUSE Leap 15.4 (src):
 python311-3.11.9-150400.9.29.1, python311-core-3.11.9-150400.9.29.1, python311-documentation-3.11.9-150400.9.29.1
openSUSE Leap 15.5 (src):
 python311-3.11.9-150400.9.29.1, python311-core-3.11.9-150400.9.29.1, python311-documentation-3.11.9-150400.9.29.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 17 Maintenance Automation 2024-07-15 16:36:31 UTC 
SUSE-SU-2024:2479-1: An update that solves four vulnerabilities and has three security fixes can now be installed.

Category: security (important)
Bug References: 1219559, 1220664, 1221563, 1221854, 1222075, 1226447, 1226448
CVE References: CVE-2023-52425, CVE-2024-0397, CVE-2024-0450, CVE-2024-4032
Maintenance Incident: [SUSE:Maintenance:33974](https://smelt.suse.de/incident/33974/)
Sources used:
openSUSE Leap 15.3 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2, python3-documentation-3.6.15-150300.10.65.1
openSUSE Leap Micro 5.3 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
openSUSE Leap Micro 5.4 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
openSUSE Leap 15.5 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2, python3-documentation-3.6.15-150300.10.65.1
openSUSE Leap 15.6 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2, python3-documentation-3.6.15-150300.10.65.1
SUSE Linux Enterprise Micro for Rancher 5.3 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Linux Enterprise Micro 5.3 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Linux Enterprise Micro for Rancher 5.4 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Linux Enterprise Micro 5.4 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Linux Enterprise Micro 5.5 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
Basesystem Module 15-SP5 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
Basesystem Module 15-SP6 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
Development Tools Module 15-SP5 (src):
 python3-core-3.6.15-150300.10.65.1
Development Tools Module 15-SP6 (src):
 python3-core-3.6.15-150300.10.65.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Manager Proxy 4.3 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Manager Retail Branch Server 4.3 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Manager Server 4.3 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Enterprise Storage 7.1 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Linux Enterprise Micro 5.2 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Linux Enterprise Micro for Rancher 5.2 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.