NOTE: Initial impact from community is High, reads more like a Mod to me. No NVD score yet. Please assess.
----------
Collected: Fri 25 Aug 2023 01:51:30 -0400 #151953
URL: https://nvd.nist.gov/vuln/detail/CVE-2023-40217
Severity: High
CVE(s): CVE-2023-40217

An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers (such as HTTP servers) that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buffer, and then is closed quickly, there is a brief window where the SSLSocket instance will detect the socket as "not connected" and won't initiate a handshake, but buffered data will still be readable from the socket buffer. This data will not be authenticated if the server-side TLS peer is expecting client certificate authentication, and is indistinguishable from valid TLS stream data. Data is limited in size to the amount that will fit in the buffer. (The TLS connection cannot directly be used for data exfiltration because the vulnerable code path requires that the connection be closed on initialization of the SSLSocket.)

https://mail.python.org/archives/list/security-announce@python.org/thread/PEPLII27KYHLF4AK3ZQGKYNCRERG4YXY/
https://www.python.org/dev/security/
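Two defender-side checks that follow from the description above, written as an added example for this report (not code from the CPython advisory, the upstream fix, or Red Hat). The version table is taken from the advisory's affected ranges; `require_handshake()` is a suggested application-side guard, not the upstream patch, and relies on the documented behaviour that `ssl.SSLSocket.version()` returns `None` until a TLS session has been negotiated. `_FakeTLSSocket` is a constructed stand-in so the guard can be exercised without certificates.

```python
"""Defensive checks for CVE-2023-40217 (pre-handshake data on ssl.SSLSocket).

Added example for this bug report; not code from the CPython advisory, from
the upstream fix, or from Red Hat. FIXED_VERSIONS comes from the advisory
text. require_handshake() is a suggested application-side guard built on the
documented behaviour that SSLSocket.version() is None until a TLS session
has been negotiated.
"""
import ssl
import sys

# Upstream releases that carry the fix, per the advisory: "before 3.8.18,
# 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5".
FIXED_VERSIONS = {
    (3, 8): (3, 8, 18),
    (3, 9): (3, 9, 18),
    (3, 10): (3, 10, 13),
    (3, 11): (3, 11, 5),
}


def is_affected(version_info=sys.version_info):
    """Return True if an interpreter version lies in the advisory's affected ranges.

    Only upstream version numbers are consulted. A vendor build may carry the
    fix under an older version string (the RHSA errata on this bug backport
    it), so True means "check the vendor's errata", not "certainly vulnerable".
    """
    version = tuple(version_info[:3])
    if version < (3, 8, 18):
        return True  # "Python before 3.8.18" covers every older release
    series = version[:2]
    if series in FIXED_VERSIONS:
        return version < FIXED_VERSIONS[series]
    return False  # 3.12 and later are not listed as affected


def handshake_completed(tls_sock):
    """True when the server-side SSLSocket has an established TLS session.

    SSLSocket.version() is None when no session exists, which is the state the
    advisory describes: the socket was closed before wrap_socket() could start
    a handshake, yet bytes may still sit in its receive buffer.
    """
    return tls_sock.version() is not None


def require_handshake(tls_sock):
    """Return tls_sock if TLS is up; otherwise close it and raise ssl.SSLError.

    Bytes readable from a socket in the no-session state were never protected
    by TLS, so they must not reach application code that assumes an
    authenticated client.
    """
    if not handshake_completed(tls_sock):
        try:
            tls_sock.close()
        except OSError:
            pass
        raise ssl.SSLError(
            "no TLS session on server-side socket; buffered data discarded")
    return tls_sock


def accept_tls_client(listener, context):
    """Hardened accept: hand back the client socket only after the guard passes.

    listener is a bound, listening socket.socket; context is an ssl.SSLContext
    configured for the server (e.g. verify_mode=ssl.CERT_REQUIRED for client
    certificate authentication).
    """
    conn, _addr = listener.accept()
    tls_sock = context.wrap_socket(conn, server_side=True)
    return require_handshake(tls_sock)


class _FakeTLSSocket:
    """Constructed stand-in for ssl.SSLSocket so the guard runs offline."""

    def __init__(self, negotiated_version):
        self._negotiated_version = negotiated_version  # e.g. "TLSv1.3" or None
        self.closed = False

    def version(self):
        return self._negotiated_version

    def close(self):
        self.closed = True


if __name__ == "__main__":
    print("this interpreter in affected range:", is_affected())
    healthy = require_handshake(_FakeTLSSocket("TLSv1.3"))
    print("healthy socket accepted, protocol:", healthy.version())
    stale = _FakeTLSSocket(None)
    try:
        require_handshake(stale)
    except ssl.SSLError as exc:
        print("stale socket rejected:", exc, "| closed:", stale.closed)
```

In a real server, drop `accept_tls_client()` in place of the bare `accept()` + `wrap_socket()` pair; a rejected socket raises before any `recv()` is issued, so the unauthenticated buffered bytes are never read. The version check is advisory-only: on RHEL, the errata listed in the comments below patch older version strings, so rely on the RHSA, not on `is_affected()`, for patched status.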
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:5456 https://access.redhat.com/errata/RHSA-2023:5456
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:5462 https://access.redhat.com/errata/RHSA-2023:5462
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:5463 https://access.redhat.com/errata/RHSA-2023:5463
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Extended Update Support Via RHSA-2023:5472 https://access.redhat.com/errata/RHSA-2023:5472
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8.2 Advanced Update Support
Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions
Red Hat Enterprise Linux 8.2 Telecommunications Update Service
Via RHSA-2023:5528 https://access.redhat.com/errata/RHSA-2023:5528
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Extended Update Support Via RHSA-2023:5531 https://access.redhat.com/errata/RHSA-2023:5531
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions Via RHSA-2023:5990 https://access.redhat.com/errata/RHSA-2023:5990
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8.2 Advanced Update Support
Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions
Red Hat Enterprise Linux 8.2 Telecommunications Update Service
Via RHSA-2023:5991 https://access.redhat.com/errata/RHSA-2023:5991
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
Red Hat Enterprise Linux 8.4 Telecommunications Update Service
Via RHSA-2023:5992 https://access.redhat.com/errata/RHSA-2023:5992
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Extended Update Support Via RHSA-2023:5993 https://access.redhat.com/errata/RHSA-2023:5993
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions Via RHSA-2023:5995 https://access.redhat.com/errata/RHSA-2023:5995
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
Red Hat Enterprise Linux 8.4 Telecommunications Update Service
Via RHSA-2023:5996 https://access.redhat.com/errata/RHSA-2023:5996
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:5994 https://access.redhat.com/errata/RHSA-2023:5994
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:5998 https://access.redhat.com/errata/RHSA-2023:5998
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:5997 https://access.redhat.com/errata/RHSA-2023:5997
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
Red Hat Enterprise Linux 8.4 Telecommunications Update Service
Via RHSA-2023:6069 https://access.redhat.com/errata/RHSA-2023:6069
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Extended Update Support Via RHSA-2023:6068 https://access.redhat.com/errata/RHSA-2023:6068
According to the results of https://issues.redhat.com/browse/CONTOOLSQE-2898, change the status to VERIFIED
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Extended Lifecycle Support Via RHSA-2023:6290 https://access.redhat.com/errata/RHSA-2023:6290
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Via RHSA-2023:6793 https://access.redhat.com/errata/RHSA-2023:6793
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2023:6823 https://access.redhat.com/errata/RHSA-2023:6823
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2023:6885 https://access.redhat.com/errata/RHSA-2023:6885