Bug 2292921 (CVE-2024-4032)

Summary: CVE-2024-4032 python: incorrect IPv4 and IPv6 private ranges
Product: [Other] Security Response
Reporter: Robb Gatica <rgatica>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW ---
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: agarcial, aoconnor, aprice, asegurap, bdettelb, caswilli, dfreiber, drow, jburrell, jmitchel, jsamir, jsherril, jtanner, kaycoth, kholdawa, kshier, mpierce, orabin, psegedy, sthirugn, vkrizan, vkumar, xiaoxwan, zzhou
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: CPython 3.12.4, CPython 3.13.0a6
Doc Type: ---
Doc Text:
A flaw was found in Python. The ipaddress module contained incorrect information about whether certain IPv4 and IPv6 addresses were designated as “globally reachable” or “private”. Due to this issue, it is possible that values will not be returned in accordance with the latest information from the IANA Special-Purpose Address Registries.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2293396, 2293387, 2293389, 2293390, 2293391, 2293392, 2293393, 2293394, 2293395, 2293397
Bug Blocks: 2292923

Description Robb Gatica 2024-06-18 16:50:01 UTC
The “ipaddress” module contained incorrect information about whether certain IPv4 and IPv6 addresses were designated as “globally reachable” or “private”. This affected the 'is_private' and 'is_global' properties of the ipaddress.IPv4Address, ipaddress.IPv4Network, ipaddress.IPv6Address, and ipaddress.IPv6Network classes, where values wouldn’t be returned in accordance with the latest information from the IANA Special-Purpose Address Registries.

CPython 3.12.4 and 3.13.0a6 contain updated information from these registries and thus have the intended behavior.

References:
https://github.com/python/cpython/issues/113171
https://github.com/python/cpython/pull/113179
https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml
https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml
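The practical question for an operator is whether the interpreter a service runs on still classifies addresses the way the bug describes, since is_global/is_private are routinely used as an allow-list gate. The following script is an added example, not code from this bug or from CPython: it transcribes a hand-picked subset of the two IANA registries linked above into a lookup table (the registries themselves are authoritative; the entries here were copied by hand for this example), resolves each address by longest-prefix match, and reports every probed address where the running interpreter's is_global disagrees with IANA's "Globally Reachable" column. The probe addresses are constructed for the example. Only is_global is compared, because the module deliberately reports 100.64.0.0/10 as neither private nor global, so is_private is not a clean complement of IANA's column.

```python
import ipaddress
import sys

# Hand-picked subset of the IANA IPv4 and IPv6 Special-Purpose Address
# Registries, as (prefix, globally reachable). Transcribed for this example;
# the registries linked in the bug description are authoritative.
IANA_SPECIAL_PURPOSE = [
    # IPv4
    ("0.0.0.0/8", False),          # "This network"
    ("10.0.0.0/8", False),         # Private-Use
    ("100.64.0.0/10", False),      # Shared Address Space (CGNAT)
    ("127.0.0.0/8", False),        # Loopback
    ("169.254.0.0/16", False),     # Link Local
    ("172.16.0.0/12", False),      # Private-Use
    ("192.0.0.0/24", False),       # IETF Protocol Assignments
    ("192.0.0.9/32", True),        # Port Control Protocol Anycast
    ("192.0.0.10/32", True),       # TURN Anycast
    ("192.0.2.0/24", False),       # TEST-NET-1
    ("192.31.196.0/24", True),     # AS112-v4
    ("192.52.193.0/24", True),     # AMT
    ("192.168.0.0/16", False),     # Private-Use
    ("192.175.48.0/24", True),     # Direct Delegation AS112 Service
    ("198.18.0.0/15", False),      # Benchmarking
    ("198.51.100.0/24", False),    # TEST-NET-2
    ("203.0.113.0/24", False),     # TEST-NET-3
    ("240.0.0.0/4", False),        # Reserved
    ("255.255.255.255/32", False), # Limited Broadcast
    # IPv6
    ("::1/128", False),            # Loopback
    ("::/128", False),             # Unspecified
    ("64:ff9b::/96", True),        # IPv4-IPv6 Translation
    ("64:ff9b:1::/48", False),     # Local-Use IPv4/IPv6 Translation
    ("100::/64", False),           # Discard-Only
    ("2001::/23", False),          # IETF Protocol Assignments
    ("2001:1::1/128", True),       # Port Control Protocol Anycast
    ("2001:1::2/128", True),       # TURN Anycast
    ("2001:2::/48", False),        # Benchmarking
    ("2001:3::/32", True),         # AMT
    ("2001:4:112::/48", True),     # AS112-v6
    ("2001:20::/28", True),        # ORCHIDv2
    ("2001:30::/28", True),        # Drone Remote ID Protocol Entity Tags
    ("2001:db8::/32", False),      # Documentation
    ("2620:4f:8000::/48", True),   # Direct Delegation AS112 Service
    ("fc00::/7", False),           # Unique-Local
    ("fe80::/10", False),          # Link-Local Unicast
]

_TABLE = [(ipaddress.ip_network(prefix), reachable)
          for prefix, reachable in IANA_SPECIAL_PURPOSE]


def iana_globally_reachable(address):
    """IANA 'Globally Reachable' verdict for one address (longest-prefix match).

    An address covered by no registry entry is ordinary unicast space and is
    therefore treated as globally reachable.
    """
    ip = ipaddress.ip_address(address)
    best_net, best_verdict = None, True
    for net, reachable in _TABLE:
        if net.version == ip.version and ip in net:
            if best_net is None or net.prefixlen > best_net.prefixlen:
                best_net, best_verdict = net, reachable
    return best_verdict


def audit(addresses):
    """Compare the running interpreter's is_global against the registry subset.

    Returns a list of (address, stdlib_is_global, iana_globally_reachable) for
    every address where the two disagree; an empty list means the probed
    addresses are classified consistently with the registry.
    """
    mismatches = []
    for address in addresses:
        stdlib_verdict = ipaddress.ip_address(address).is_global
        iana_verdict = iana_globally_reachable(address)
        if stdlib_verdict != iana_verdict:
            mismatches.append((address, stdlib_verdict, iana_verdict))
    return mismatches


# Probes placed at the boundaries the registries draw; constructed for this example.
PROBE_ADDRESSES = [
    "192.0.0.8", "192.0.0.9", "192.0.0.10", "192.0.0.100",
    "192.31.196.1", "64:ff9b:1::1", "2001:1::1", "2001:1::3",
    "2001:4:112::1", "2001:20::1", "2001:db8::1",
]

if __name__ == "__main__":
    found = audit(PROBE_ADDRESSES)
    print(f"Python {sys.version.split()[0]}: {len(found)} discrepancies")
    for address, stdlib_verdict, iana_verdict in found:
        print(f"  {address}: is_global={stdlib_verdict}, IANA says {iana_verdict}")
```

Run it under each interpreter in the fleet; a non-empty discrepancy list on a version claimed to carry the fix is the signal to investigate, and any service that gates on is_global should treat that list as addresses whose classification it must not rely on. Keeping the table separate from the comparison also means it can be regenerated from a fresh registry download rather than edited by hand.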

Comment 1 Robb Gatica 2024-06-20 14:50:59 UTC
Created mingw-python3 tracking bugs for this issue:
Affects: fedora-all [bug 2293389]

Created python3.10 tracking bugs for this issue:
Affects: fedora-all [bug 2293390]

Created python3.11 tracking bugs for this issue:
Affects: fedora-all [bug 2293391]

Created python3.12 tracking bugs for this issue:
Affects: fedora-all [bug 2293392]

Created python3.13 tracking bugs for this issue:
Affects: fedora-all [bug 2293393]

Created python3.6 tracking bugs for this issue:
Affects: fedora-all [bug 2293394]

Created python3.7 tracking bugs for this issue:
Affects: fedora-all [bug 2293395]

Created python3.8 tracking bugs for this issue:
Affects: fedora-all [bug 2293396]

Created python3.9 tracking bugs for this issue:
Affects: fedora-all [bug 2293397]

Created python34 tracking bugs for this issue:
Affects: epel-all [bug 2293387]

Comment 6 errata-xmlrpc 2024-07-23 16:23:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:4766 https://access.redhat.com/errata/RHSA-2024:4766

Comment 7 errata-xmlrpc 2024-07-23 16:24:17 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:4779 https://access.redhat.com/errata/RHSA-2024:4779

Comment 8 errata-xmlrpc 2024-08-28 18:51:58 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:5962 https://access.redhat.com/errata/RHSA-2024:5962

Comment 9 errata-xmlrpc 2024-08-29 11:48:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:6030 https://access.redhat.com/errata/RHSA-2024:6030