2301891 – (CVE-2024-0397) CVE-2024-0397 cpython: python: Memory race condition in ssl.SSLContext certificate store methods

Bug 2301891 (CVE-2024-0397) - CVE-2024-0397 cpython: python: Memory race condition in ssl.SSLContext certificate store methods

Summary: CVE-2024-0397 cpython: python: Memory race condition in ssl.SSLContext certif...

Keywords:
Status:	NEW
Alias:	CVE-2024-0397
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2301895 2301896 2301897 2301898 2301899 2301900 2301901 2301902 2301903 2301904
Blocks:
TreeView+	depends on / blocked

Reported:	2024-07-31 05:30 UTC by Patrick Del Bello
Modified:	2024-10-14 06:33 UTC (History)
CC List:	7 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description Patrick Del Bello 2024-07-31 05:30:40 UTC

A defect was discovered in the Python “ssl” module where there is a memory race condition with the ssl.SSLContext methods “cert_store_stats()” and “get_ca_certs()”. The race condition can be triggered if the methods are called at the same time as certificates are loaded into the SSLContext, such as during the TLS handshake with a certificate directory configured. This issue is fixed in CPython 3.10.14, 3.11.9, 3.12.3, and 3.13.0a5.

Note You need to log in before you can comment on or make changes to this bug.