Bug 1226447 (CVE-2024-0397) - VUL-0: CVE-2024-0397: python,python3,python310,python311,python312,python36,python39: memory race condition in ssl.SSLContext certificate store methods
Summary: VUL-0: CVE-2024-0397: python,python3,python310,python311,python312,python36,p...
Status: NEW
Alias: CVE-2024-0397
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Matej Cepl
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/411120/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-0397:4.8:(AV:N...
Keywords:
Depends on:
Blocks:
 
Reported: 2024-06-17 18:01 UTC by SMASH SMASH
Modified: 2024-07-22 20:30 UTC (History)
3 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description SMASH SMASH 2024-06-17 18:01:45 UTC
A defect was discovered in the Python “ssl” module where there is a memory race condition with the ssl.SSLContext methods “cert_store_stats()” and “get_ca_certs()”. The race condition can be triggered if the methods are called at the same time as certificates are loaded into the SSLContext, such as during the TLS handshake with a certificate directory configured. This issue is fixed in CPython 3.10.14, 3.11.9, 3.12.3, and 3.13.0a5.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-0397
https://seclists.org/oss-sec/2024/q2/291
https://github.com/python/cpython/issues/114572
https://github.com/python/cpython/pull/114573
Comment 2 Daniel Garcia 2024-06-18 11:57:46 UTC
Related request for SUSE:SLFO:Main
https://build.suse.de/request/show/330659
Comment 3 Daniel Garcia 2024-06-18 11:58:50 UTC
Related request for ALP:
https://build.suse.de/package/requests/SUSE:ALP:Source:Standard:1.0/python311
Comment 4 Matej Cepl 2024-06-21 14:04:40 UTC
Already fixed in 3.10.14, 3.11.9 (both in Factory and SLE-15-SP4), 3.12.3.
Comment 5 OBSbugzilla Bot 2024-06-21 14:35:02 UTC
This is an autogenerated message for OBS integration:
This bug (1226447) was mentioned in
https://build.opensuse.org/request/show/1182484 Factory / python310
https://build.opensuse.org/request/show/1182485 Factory / python39
Comment 6 OBSbugzilla Bot 2024-06-21 15:17:12 UTC
This is an autogenerated message for OBS integration:
This bug (1226447) was mentioned in
https://build.opensuse.org/request/show/1182492 Factory / python38
Comment 10 OBSbugzilla Bot 2024-06-26 23:45:03 UTC
This is an autogenerated message for OBS integration:
This bug (1226447) was mentioned in
https://build.opensuse.org/request/show/1183510 Factory / python311
Comment 15 Maintenance Automation 2024-07-01 16:30:03 UTC
SUSE-SU-2024:2249-1: An update that solves two vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1226447, 1226448
CVE References: CVE-2024-0397, CVE-2024-4032
Maintenance Incident: [SUSE:Maintenance:34506](https://smelt.suse.de/incident/34506/)
Sources used:
SUSE Linux Enterprise Micro 5.1 (src):
 python3-core-3.6.15-150000.3.150.1, python3-3.6.15-150000.3.150.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 16 Maintenance Automation 2024-07-02 16:30:15 UTC
SUSE-SU-2024:2274-1: An update that solves two vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1226447, 1226448
CVE References: CVE-2024-0397, CVE-2024-4032
Maintenance Incident: [SUSE:Maintenance:34508](https://smelt.suse.de/incident/34508/)
Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src):
 python36-core-3.6.15-58.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src):
 python36-core-3.6.15-58.1, python36-3.6.15-58.1
SUSE Linux Enterprise Server 12 SP5 (src):
 python36-core-3.6.15-58.1, python36-3.6.15-58.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src):
 python36-core-3.6.15-58.1, python36-3.6.15-58.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 17 Maintenance Automation 2024-07-02 20:30:05 UTC
SUSE-SU-2024:2280-1: An update that solves two vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1226447, 1226448
CVE References: CVE-2024-0397, CVE-2024-4032
Maintenance Incident: [SUSE:Maintenance:34505](https://smelt.suse.de/incident/34505/)
Sources used:
openSUSE Leap 15.3 (src):
 python39-core-3.9.19-150300.4.46.1, python39-3.9.19-150300.4.46.1, python39-documentation-3.9.19-150300.4.46.1
openSUSE Leap 15.5 (src):
 python39-core-3.9.19-150300.4.46.1, python39-3.9.19-150300.4.46.1, python39-documentation-3.9.19-150300.4.46.1
openSUSE Leap 15.6 (src):
 python39-core-3.9.19-150300.4.46.1, python39-3.9.19-150300.4.46.1, python39-documentation-3.9.19-150300.4.46.1
Legacy Module 15-SP5 (src):
 python39-core-3.9.19-150300.4.46.1, python39-3.9.19-150300.4.46.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 19 Maintenance Automation 2024-07-15 16:36:31 UTC
SUSE-SU-2024:2479-1: An update that solves four vulnerabilities and has three security fixes can now be installed.

Category: security (important)
Bug References: 1219559, 1220664, 1221563, 1221854, 1222075, 1226447, 1226448
CVE References: CVE-2023-52425, CVE-2024-0397, CVE-2024-0450, CVE-2024-4032
Maintenance Incident: [SUSE:Maintenance:33974](https://smelt.suse.de/incident/33974/)
Sources used:
openSUSE Leap 15.3 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2, python3-documentation-3.6.15-150300.10.65.1
openSUSE Leap Micro 5.3 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
openSUSE Leap Micro 5.4 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
openSUSE Leap 15.5 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2, python3-documentation-3.6.15-150300.10.65.1
openSUSE Leap 15.6 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2, python3-documentation-3.6.15-150300.10.65.1
SUSE Linux Enterprise Micro for Rancher 5.3 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Linux Enterprise Micro 5.3 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Linux Enterprise Micro for Rancher 5.4 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Linux Enterprise Micro 5.4 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Linux Enterprise Micro 5.5 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
Basesystem Module 15-SP5 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
Basesystem Module 15-SP6 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
Development Tools Module 15-SP5 (src):
 python3-core-3.6.15-150300.10.65.1
Development Tools Module 15-SP6 (src):
 python3-core-3.6.15-150300.10.65.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Manager Proxy 4.3 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Manager Retail Branch Server 4.3 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Manager Server 4.3 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Enterprise Storage 7.1 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Linux Enterprise Micro 5.2 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2
SUSE Linux Enterprise Micro for Rancher 5.2 (src):
 python3-core-3.6.15-150300.10.65.1, python3-3.6.15-150300.10.65.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 20 Maintenance Automation 2024-07-22 20:30:42 UTC
SUSE-SU-2024:2572-1: An update that solves three vulnerabilities and has two security fixes can now be installed.

URL: https://www.suse.com/support/update/announcement/2024/suse-su-20242572-1
Category: security (moderate)
Bug References: 1225660, 1226447, 1226448, 1227152, 1227378
CVE References: CVE-2024-0397, CVE-2024-4030, CVE-2024-4032
Maintenance Incident: [SUSE:Maintenance:34718](https://smelt.suse.de/incident/34718/)
Sources used:
openSUSE Leap 15.6 (src):
 python312-core-3.12.4-150600.3.3.1, python312-documentation-3.12.4-150600.3.3.1, python312-3.12.4-150600.3.3.1
Python 3 Module 15-SP6 (src):
 python312-core-3.12.4-150600.3.3.1, python312-3.12.4-150600.3.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.