Bug 2292921 (CVE-2024-4032) - CVE-2024-4032 python: incorrect IPv4 and IPv6 private ranges
Summary: CVE-2024-4032 python: incorrect IPv4 and IPv6 private ranges
Keywords:
Status: NEW
Alias: CVE-2024-4032
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2293396 2293387 2293389 2293390 2293391 2293392 2293393 2293394 2293395 2293397
Blocks: 2292923
Reported: 2024-06-18 16:50 UTC by Robb Gatica
Modified: 2024-09-05 09:35 UTC (History)

Fixed In Version: CPython 3.12.4, CPython 3.13.0a6
Doc Type: ---
Doc Text:
A flaw was found in Python. The ipaddress module contained incorrect information about whether certain IPv4 and IPv6 addresses were designated as “globally reachable” or “private”. Due to this issue, it is possible that values will not be returned in accordance with the latest information from the IANA Special-Purpose Address Registries.
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2024:6415 0 None None None 2024-09-05 09:35:35 UTC
Red Hat Product Errata RHSA-2024:4766 0 None None None 2024-07-23 16:23:29 UTC
Red Hat Product Errata RHSA-2024:4779 0 None None None 2024-07-23 16:24:19 UTC
Red Hat Product Errata RHSA-2024:5962 0 None None None 2024-08-28 18:52:00 UTC
Red Hat Product Errata RHSA-2024:6030 0 None None None 2024-08-29 11:48:15 UTC

Description Robb Gatica 2024-06-18 16:50:01 UTC
The “ipaddress” module contained incorrect information about whether certain IPv4 and IPv6 addresses were designated as “globally reachable” or “private”. This affected the 'is_private' and 'is_global' properties of the ipaddress.IPv4Address, ipaddress.IPv4Network, ipaddress.IPv6Address, and ipaddress.IPv6Network classes, where values wouldn’t be returned in accordance with the latest information from the IANA Special-Purpose Address Registries.

CPython 3.12.4 and 3.13.0a6 contain updated information from these registries and thus have the intended behavior.

References:
https://github.com/python/cpython/issues/113171
https://github.com/python/cpython/pull/113179
https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml
https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml
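
An added defensive example for the description above (not the reporter's code, not CPython's, and not the gh-113171 fix): an application that gates outbound connections on the stdlib `is_global` / `is_private` properties alone inherits whatever registry snapshot its interpreter ships, so the check below layers a pinned subset of the IANA IPv4 special-purpose registry on top of the stdlib verdict and normalises IPv4-mapped IPv6 addresses first. The `PINNED_NOT_REACHABLE` list is an assumed, deliberately incomplete selection and the function names are this example's own.

```python
"""Version-stable reachability check layered over ipaddress.is_global/is_private."""
import ipaddress

# Assumed subset of the IANA IPv4 special-purpose registry (linked above).
# Pinning these in the application keeps the verdict stable across interpreter
# versions, whatever their built-in tables say; extend the list as needed.
PINNED_NOT_REACHABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",        # "this host on this network"
    "100.64.0.0/10",    # shared address space (carrier-grade NAT)
    "192.0.0.0/24",     # IETF protocol assignments
    "198.18.0.0/15",    # benchmarking
    "240.0.0.0/4",      # reserved
)]


def classify(text: str) -> dict:
    """Return the verdict for `text` and which gate (stdlib or pinned) rejected it."""
    try:
        addr = ipaddress.ip_address(text.strip())
    except ValueError:
        # Unparsable input is never a reachable address.
        return {"parsed": False, "stdlib_global": False,
                "pinned_hit": None, "reachable": False}
    # IPv4-mapped IPv6 (::ffff:a.b.c.d) must be judged by its embedded IPv4 form,
    # otherwise the IPv4 pin list never sees it.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    # Gate 1: the interpreter's own tables (the data CVE-2024-4032 corrected).
    stdlib_global = bool(addr.is_global and not addr.is_private)
    # Gate 2: pinned ranges, independent of the interpreter version.
    pinned_hit = next((str(net) for net in PINNED_NOT_REACHABLE if addr in net), None)
    return {"parsed": True, "stdlib_global": stdlib_global,
            "pinned_hit": pinned_hit,
            "reachable": stdlib_global and pinned_hit is None}


def is_globally_reachable(text: str) -> bool:
    """True only if both gates allow connecting to the address in `text`."""
    return classify(text)["reachable"]


if __name__ == "__main__":
    # Constructed sample inputs; the pinned gate decides the 192.0.0.8 case on
    # every interpreter version, regardless of what its is_global table says.
    for sample in ("8.8.8.8", "10.1.2.3", "192.0.0.8", "::ffff:192.0.0.8", "nope"):
        print(sample, classify(sample))
```

`classify` is what a detection rule or audit log wants: when `stdlib_global` is True but `pinned_hit` is set, the interpreter's tables and the pinned registry subset disagree for that address.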

Comment 1 Robb Gatica 2024-06-20 14:50:59 UTC
Created mingw-python3 tracking bugs for this issue:

Affects: fedora-all [bug 2293389]


Created python3.10 tracking bugs for this issue:

Affects: fedora-all [bug 2293390]


Created python3.11 tracking bugs for this issue:

Affects: fedora-all [bug 2293391]


Created python3.12 tracking bugs for this issue:

Affects: fedora-all [bug 2293392]


Created python3.13 tracking bugs for this issue:

Affects: fedora-all [bug 2293393]


Created python3.6 tracking bugs for this issue:

Affects: fedora-all [bug 2293394]


Created python3.7 tracking bugs for this issue:

Affects: fedora-all [bug 2293395]


Created python3.8 tracking bugs for this issue:

Affects: fedora-all [bug 2293396]


Created python3.9 tracking bugs for this issue:

Affects: fedora-all [bug 2293397]


Created python34 tracking bugs for this issue:

Affects: epel-all [bug 2293387]

Comment 6 errata-xmlrpc 2024-07-23 16:23:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:4766 https://access.redhat.com/errata/RHSA-2024:4766

Comment 7 errata-xmlrpc 2024-07-23 16:24:17 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:4779 https://access.redhat.com/errata/RHSA-2024:4779

Comment 8 errata-xmlrpc 2024-08-28 18:51:58 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:5962 https://access.redhat.com/errata/RHSA-2024:5962

Comment 9 errata-xmlrpc 2024-08-29 11:48:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:6030 https://access.redhat.com/errata/RHSA-2024:6030

