Bugzilla – Bug 1214692
VUL-0: CVE-2023-40217: python,python3,python39,python36,python310,python311: Bypass TLS handshake on closed sockets
Last modified: 2024-07-12 16:30:04 UTC
CVE-2023-40217: An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers (such as HTTP servers) that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buffer, and then is closed quickly, there is a brief window where the SSLSocket instance will detect the socket as "not connected" and won't initiate a handshake, but buffered data will still be readable from the socket buffer. This data will not be authenticated if the server-side TLS peer is expecting client certificate authentication, and is indistinguishable from valid TLS stream data. Data is limited in size to the amount that will fit in the buffer. (The TLS connection cannot directly be used for data exfiltration because the vulnerable code path requires that the connection be closed on initialization of the SSLSocket.)

References:
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-40217
- https://www.cve.org/CVERecord?id=CVE-2023-40217
- https://mail.python.org/archives/list/security-announce@python.org/thread/PEPLII27KYHLF4AK3ZQGKYNCRERG4YXY/
- https://www.python.org/dev/security/
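A server-side guard for the condition described above, added here as an illustration (not part of the bug report, the SUSE packages, or the CPython fix): wrap the accepted socket, then refuse to read from it unless the SSLSocket actually negotiated a TLS session. The harness function reproduces the "data buffered, then closed before the handshake" scenario on loopback; all function and variable names are the editor's own, and the payload is a constructed sample.

```python
import socket
import ssl
import struct


def accept_tls_or_reject(listener, ctx):
    """Accept one connection and wrap it in TLS, returning the SSLSocket only
    if a handshake actually took place. Returns None when wrap_socket() fails
    or when the SSLSocket reports no negotiated protocol: that is the
    "not connected, no handshake" state from the CVE description, in which
    recv() would hand back raw socket-buffer bytes that never passed through
    TLS and were never client-certificate authenticated."""
    conn, _peer = listener.accept()
    try:
        tls = ctx.wrap_socket(conn, server_side=True)
    except OSError:
        # Patched interpreters raise SSLError here ("Closed before TLS
        # handshake with data in recv buffer."); handshake failures and
        # connection resets also land here. Treat them all as rejection.
        conn.close()
        return None
    if tls.version() is None or tls.cipher() is None:
        # Unpatched interpreters return an SSLSocket that was never wrapped:
        # no TLS version, no cipher, no peer certificate. Do not read from it.
        tls.close()
        return None
    return tls


def closed_before_handshake_is_rejected(payload=b"GET /admin HTTP/1.1\r\n\r\n"):
    """Regression harness (constructed scenario): a peer sends bytes and then
    closes before the server side calls wrap_socket(). Returns True when the
    guard above refuses to treat the connection as a TLS session."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED  # the server expects client certs
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as listener:
        listener.bind(("127.0.0.1", 0))
        listener.listen(1)
        listener.settimeout(5)  # never hang the harness on accept()
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as client:
            # Abortive close so the server-side socket drops out of the
            # connected state before wrap_socket() inspects it.
            client.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER,
                              struct.pack("ii", 1, 0))
            client.connect(listener.getsockname())
            client.sendall(payload)
        tls = accept_tls_or_reject(listener, ctx)
    if tls is None:
        return True
    tls.close()
    return False
```

On a patched interpreter the rejection comes from wrap_socket() itself; on an unpatched one it comes from the version()/cipher() check, so the guard is a useful belt-and-braces measure in code that must run on mixed fleets.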
All codestreams affected:
- SUSE:SLE-12-SP1:Update/python 2.7.18
- SUSE:SLE-12-SP1:Update/python-base 2.7.18
- SUSE:SLE-12-SP4:Update/python 2.7.18
- SUSE:SLE-12-SP4:Update/python-base 2.7.18
- SUSE:SLE-15:Update/python 2.7.18
- SUSE:SLE-15:Update/python-base 2.7.18
- openSUSE:Factory/python 2.7.18
- SUSE:SLE-12:Update/python3 3.4.10
- SUSE:SLE-12-SP3:Update:Products:Teradata:Update/python36 3.6.15
- SUSE:SLE-12-SP5:Update/python36 3.6.15
- SUSE:SLE-15-SP3:Update/python39 3.9.17
- openSUSE:Factory/python39 3.9.17
- SUSE:ALP:Source:Standard:1.0/python310 3.10.10
- SUSE:SLE-15-SP4:Update/python310 3.10.12
- openSUSE:Factory/python310 3.10.12
- SUSE:ALP:Source:Standard:1.0/python311 3.11.2
- SUSE:SLE-15-SP4:Update/python311 3.11.4
- openSUSE:Factory/python311 3.11.4

Also affected, but unsupported:
- SUSE:SLE-11-SP1:Update/python 2.6.9
- SUSE:SLE-11-SP1:Update/python-base 2.6.9
Fixed for openSUSE:Factory/python310 in factory in this request: https://build.opensuse.org/request/show/1108911
This is an autogenerated message for OBS integration: This bug (1214692) was mentioned in
- https://build.opensuse.org/request/show/1109196 Factory / python38
- https://build.opensuse.org/request/show/1109203 Factory / python39
This is an autogenerated message for OBS integration: This bug (1214692) was mentioned in https://build.opensuse.org/request/show/1109225 Factory / python311
Isn't this problem also there for:
- SUSE:SLE-15:Update/python3 3.6.15 ???

And also:
- SUSE:SLE-15-SP3:Update/python3 3.6.15

Yes, matej is right.

Also affected:
- SUSE:SLE-15:Update/python3 3.6.15
- SUSE:SLE-15-SP3:Update/python3 3.6.15
This is an autogenerated message for OBS integration: This bug (1214692) was mentioned in https://build.opensuse.org/request/show/1110909 Factory / python
There's a request created for each affected codestream with a fix for this issue.
SUSE-SU-2023:3708-1: An update that solves one vulnerability and has two security fixes can now be installed.
Category: security (important)
Bug References: 1211765, 1213463, 1214692
CVE References: CVE-2023-40217
Sources used:
- openSUSE Leap 15.4 (src): python39-documentation-3.9.18-150300.4.33.1, python39-3.9.18-150300.4.33.1, python39-core-3.9.18-150300.4.33.1
- openSUSE Leap 15.5 (src): python39-documentation-3.9.18-150300.4.33.1, python39-3.9.18-150300.4.33.1, python39-core-3.9.18-150300.4.33.1
- SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): python39-3.9.18-150300.4.33.1, python39-core-3.9.18-150300.4.33.1
- SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): python39-3.9.18-150300.4.33.1, python39-core-3.9.18-150300.4.33.1
- SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): python39-3.9.18-150300.4.33.1, python39-core-3.9.18-150300.4.33.1
- SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): python39-3.9.18-150300.4.33.1, python39-core-3.9.18-150300.4.33.1
- SUSE Manager Proxy 4.2 (src): python39-3.9.18-150300.4.33.1, python39-core-3.9.18-150300.4.33.1
- SUSE Manager Retail Branch Server 4.2 (src): python39-3.9.18-150300.4.33.1, python39-core-3.9.18-150300.4.33.1
- SUSE Manager Server 4.2 (src): python39-3.9.18-150300.4.33.1, python39-core-3.9.18-150300.4.33.1
- SUSE Enterprise Storage 7.1 (src): python39-3.9.18-150300.4.33.1, python39-core-3.9.18-150300.4.33.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:3731-1: An update that solves one vulnerability can now be installed.
Category: security (important)
Bug References: 1214692
CVE References: CVE-2023-40217
Sources used:
- SUSE Linux Enterprise Software Development Kit 12 SP5 (src): python36-core-3.6.15-49.1
- SUSE Linux Enterprise High Performance Computing 12 SP5 (src): python36-core-3.6.15-49.1, python36-3.6.15-49.1
- SUSE Linux Enterprise Server 12 SP5 (src): python36-core-3.6.15-49.1, python36-3.6.15-49.1
- SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): python36-core-3.6.15-49.1, python36-3.6.15-49.1
SUSE-SU-2023:3730-1: An update that solves one vulnerability can now be installed.
Category: security (important)
Bug References: 1214692
CVE References: CVE-2023-40217
Sources used:
- SUSE Linux Enterprise High Performance Computing 12 SP5 (src): python-2.7.18-33.23.1, python-doc-2.7.18-33.23.1, python-base-2.7.18-33.23.1
- SUSE Linux Enterprise Server 12 SP5 (src): python-2.7.18-33.23.1, python-doc-2.7.18-33.23.1, python-base-2.7.18-33.23.1
- SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): python-2.7.18-33.23.1, python-doc-2.7.18-33.23.1, python-base-2.7.18-33.23.1
- SUSE Linux Enterprise Workstation Extension 12 12-SP5 (src): python-base-2.7.18-33.23.1
SUSE-SU-2023:3804-1: An update that solves one vulnerability can now be installed.
Category: security (important)
Bug References: 1214692
CVE References: CVE-2023-40217
Sources used:
- SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): python3-3.6.15-150000.3.135.1, python3-core-3.6.15-150000.3.135.1
- SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): python3-3.6.15-150000.3.135.1, python3-core-3.6.15-150000.3.135.1
- SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): python3-3.6.15-150000.3.135.1, python3-core-3.6.15-150000.3.135.1
- SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): python3-3.6.15-150000.3.135.1, python3-core-3.6.15-150000.3.135.1
- SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): python3-3.6.15-150000.3.135.1, python3-core-3.6.15-150000.3.135.1
- SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): python3-3.6.15-150000.3.135.1, python3-core-3.6.15-150000.3.135.1
- SUSE CaaS Platform 4.0 (src): python3-3.6.15-150000.3.135.1, python3-core-3.6.15-150000.3.135.1
- SUSE Linux Enterprise Micro 5.1 (src): python3-3.6.15-150000.3.135.1, python3-core-3.6.15-150000.3.135.1
SUSE-SU-2023:3828-1: An update that solves one vulnerability can now be installed.
Category: security (important)
Bug References: 1214692
CVE References: CVE-2023-40217
Sources used:
- openSUSE Leap 15.4 (src): python3-3.6.15-150300.10.51.1, python3-core-3.6.15-150300.10.51.1, python3-documentation-3.6.15-150300.10.51.1
- openSUSE Leap 15.5 (src): python3-3.6.15-150300.10.51.1, python3-core-3.6.15-150300.10.51.1, python3-documentation-3.6.15-150300.10.51.1
- SUSE Linux Enterprise Micro for Rancher 5.3 (src): python3-3.6.15-150300.10.51.1, python3-core-3.6.15-150300.10.51.1
- SUSE Linux Enterprise Micro 5.3 (src): python3-3.6.15-150300.10.51.1, python3-core-3.6.15-150300.10.51.1
- SUSE Linux Enterprise Micro for Rancher 5.4 (src): python3-3.6.15-150300.10.51.1, python3-core-3.6.15-150300.10.51.1
- SUSE Linux Enterprise Micro 5.4 (src): python3-3.6.15-150300.10.51.1, python3-core-3.6.15-150300.10.51.1
- Basesystem Module 15-SP4 (src): python3-3.6.15-150300.10.51.1, python3-core-3.6.15-150300.10.51.1
- Basesystem Module 15-SP5 (src): python3-3.6.15-150300.10.51.1, python3-core-3.6.15-150300.10.51.1
- Development Tools Module 15-SP4 (src): python3-core-3.6.15-150300.10.51.1
- Development Tools Module 15-SP5 (src): python3-core-3.6.15-150300.10.51.1
- SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): python3-3.6.15-150300.10.51.1, python3-core-3.6.15-150300.10.51.1
- SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): python3-3.6.15-150300.10.51.1, python3-core-3.6.15-150300.10.51.1
- SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): python3-3.6.15-150300.10.51.1, python3-core-3.6.15-150300.10.51.1
- SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): python3-3.6.15-150300.10.51.1, python3-core-3.6.15-150300.10.51.1
- SUSE Manager Proxy 4.2 (src): python3-3.6.15-150300.10.51.1, python3-core-3.6.15-150300.10.51.1
- SUSE Manager Retail Branch Server 4.2 (src): python3-3.6.15-150300.10.51.1, python3-core-3.6.15-150300.10.51.1
- SUSE Manager Server 4.2 (src): python3-3.6.15-150300.10.51.1, python3-core-3.6.15-150300.10.51.1
- SUSE Enterprise Storage 7.1 (src): python3-3.6.15-150300.10.51.1, python3-core-3.6.15-150300.10.51.1
- SUSE Linux Enterprise Micro 5.2 (src): python3-3.6.15-150300.10.51.1, python3-core-3.6.15-150300.10.51.1
- SUSE Linux Enterprise Micro for Rancher 5.2 (src): python3-3.6.15-150300.10.51.1, python3-core-3.6.15-150300.10.51.1
SUSE-SU-2023:3824-1: An update that solves one vulnerability and has one security fix can now be installed.
Category: security (important)
Bug References: 1213463, 1214692
CVE References: CVE-2023-40217
Sources used:
- openSUSE Leap 15.4 (src): python310-core-3.10.13-150400.4.33.1, python310-3.10.13-150400.4.33.1, python310-documentation-3.10.13-150400.4.33.1
- openSUSE Leap 15.5 (src): python310-core-3.10.13-150400.4.33.1, python310-3.10.13-150400.4.33.1, python310-documentation-3.10.13-150400.4.33.1
- Python 3 Module 15-SP4 (src): python310-core-3.10.13-150400.4.33.1, python310-3.10.13-150400.4.33.1
SUSE-SU-2023:3933-1: An update that solves one vulnerability can now be installed.
Category: security (important)
Bug References: 1214692
CVE References: CVE-2023-40217
Sources used:
- openSUSE Leap 15.4 (src): python-base-2.7.18-150000.54.1, python-2.7.18-150000.54.1, python-doc-2.7.18-150000.54.1
- openSUSE Leap 15.5 (src): python-base-2.7.18-150000.54.1, python-2.7.18-150000.54.1, python-doc-2.7.18-150000.54.1
- SUSE Package Hub 15 15-SP4 (src): python-base-2.7.18-150000.54.1
- SUSE Package Hub 15 15-SP5 (src): python-base-2.7.18-150000.54.1, python-2.7.18-150000.54.1
- SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): python-base-2.7.18-150000.54.1, python-2.7.18-150000.54.1
- SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): python-base-2.7.18-150000.54.1, python-2.7.18-150000.54.1
- SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): python-base-2.7.18-150000.54.1, python-2.7.18-150000.54.1
- SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): python-base-2.7.18-150000.54.1, python-2.7.18-150000.54.1
- SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): python-base-2.7.18-150000.54.1, python-2.7.18-150000.54.1
- SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): python-base-2.7.18-150000.54.1, python-2.7.18-150000.54.1
- SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): python-base-2.7.18-150000.54.1, python-2.7.18-150000.54.1
- SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): python-base-2.7.18-150000.54.1, python-2.7.18-150000.54.1
- SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): python-base-2.7.18-150000.54.1, python-2.7.18-150000.54.1
- SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): python-base-2.7.18-150000.54.1, python-2.7.18-150000.54.1
- SUSE Manager Proxy 4.2 (src): python-base-2.7.18-150000.54.1, python-2.7.18-150000.54.1
- SUSE Manager Retail Branch Server 4.2 (src): python-base-2.7.18-150000.54.1, python-2.7.18-150000.54.1
- SUSE Manager Server 4.2 (src): python-base-2.7.18-150000.54.1, python-2.7.18-150000.54.1
- SUSE Enterprise Storage 7.1 (src): python-base-2.7.18-150000.54.1, python-2.7.18-150000.54.1
- SUSE CaaS Platform 4.0 (src): python-base-2.7.18-150000.54.1, python-2.7.18-150000.54.1
SUSE-SU-2023:3939-1: An update that solves two vulnerabilities can now be installed.
Category: security (important)
Bug References: 1214692, 1214693
CVE References: CVE-2023-40217, CVE-2023-41105
Sources used:
- Web and Scripting Module 12 (src): python3-3.4.10-25.116.1, python3-base-3.4.10-25.116.1
- SUSE Linux Enterprise Software Development Kit 12 SP5 (src): python3-3.4.10-25.116.1, python3-base-3.4.10-25.116.1
- SUSE Linux Enterprise High Performance Computing 12 SP5 (src): python3-3.4.10-25.116.1, python3-base-3.4.10-25.116.1
- SUSE Linux Enterprise Server 12 SP5 (src): python3-3.4.10-25.116.1, python3-base-3.4.10-25.116.1
- SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): python3-3.4.10-25.116.1, python3-base-3.4.10-25.116.1
SUSE-SU-2023:3943-1: An update that solves two vulnerabilities can now be installed.
Category: security (important)
Bug References: 1214692, 1214693
CVE References: CVE-2023-40217, CVE-2023-41105
Sources used:
- openSUSE Leap 15.4 (src): python311-documentation-3.11.5-150400.9.20.2, python311-3.11.5-150400.9.20.1, python311-core-3.11.5-150400.9.20.2
- openSUSE Leap 15.5 (src): python311-documentation-3.11.5-150400.9.20.2, python311-3.11.5-150400.9.20.1, python311-core-3.11.5-150400.9.20.2
- Python 3 Module 15-SP4 (src): python311-documentation-3.11.5-150400.9.20.2, python311-3.11.5-150400.9.20.1, python311-core-3.11.5-150400.9.20.2
- Python 3 Module 15-SP5 (src): python311-documentation-3.11.5-150400.9.20.2, python311-3.11.5-150400.9.20.1, python311-core-3.11.5-150400.9.20.2
SUSE-SU-2023:3828-2: An update that solves one vulnerability can now be installed.
Category: security (important)
Bug References: 1214692
CVE References: CVE-2023-40217
Sources used:
- SUSE Linux Enterprise Micro 5.5 (src): python3-core-3.6.15-150300.10.51.1, python3-3.6.15-150300.10.51.1
SUSE-SU-2024:0785-1: An update that solves two vulnerabilities can now be installed.
Category: security (important)
Bug References: 1214692, 1219666
CVE References: CVE-2023-40217, CVE-2023-6597
Sources used:
- Web and Scripting Module 12 (src): python3-3.4.10-25.124.1, python3-base-3.4.10-25.124.1
- SUSE Linux Enterprise Software Development Kit 12 SP5 (src): python3-3.4.10-25.124.1, python3-base-3.4.10-25.124.1
- SUSE Linux Enterprise High Performance Computing 12 SP5 (src): python3-3.4.10-25.124.1, python3-base-3.4.10-25.124.1
- SUSE Linux Enterprise Server 12 SP5 (src): python3-3.4.10-25.124.1, python3-base-3.4.10-25.124.1
- SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): python3-3.4.10-25.124.1, python3-base-3.4.10-25.124.1
SUSE-SU-2024:0784-1: An update that solves four vulnerabilities, contains two features and has two security fixes can now be installed.
Category: security (important)
Bug References: 1196025, 1210638, 1212015, 1214692, 1215454, 1219666
CVE References: CVE-2022-25236, CVE-2023-27043, CVE-2023-40217, CVE-2023-6597
Jira References: PED-7886, SLE-21253
Sources used:
- openSUSE Leap 15.3 (src): python39-3.9.18-150300.4.38.1, python39-core-3.9.18-150300.4.38.1, python39-documentation-3.9.18-150300.4.38.1
- openSUSE Leap 15.5 (src): python39-3.9.18-150300.4.38.1, python39-core-3.9.18-150300.4.38.1, python39-documentation-3.9.18-150300.4.38.1
- SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): python39-3.9.18-150300.4.38.1, python39-core-3.9.18-150300.4.38.1
- SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): python39-3.9.18-150300.4.38.1, python39-core-3.9.18-150300.4.38.1
- SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): python39-3.9.18-150300.4.38.1, python39-core-3.9.18-150300.4.38.1
- SUSE Enterprise Storage 7.1 (src): python39-3.9.18-150300.4.38.1, python39-core-3.9.18-150300.4.38.1