Change History (4)
comment:3 by , 6 months ago
Priority: | normal → high |
---|
While going through my email, I just encountered a mail from the Python security team about a CVE fixed here that doesn't seem to be in the release notes.
Here's the contents of that email:
-------- Forwarded Message -------- Subject: [Security-announce][CVE-2024-4032] Incorrect IPv4 and IPv6 private ranges Date: Mon, 17 Jun 2024 09:01:18 -0500 From: Seth Larson <seth@python.org> Reply-To: security-sig@python.org To: security-announce@python.org The “ipaddress” module contained incorrect information about whether certain IPv4 and IPv6 addresses were designated as “globally reachable” or “private”. This affected the 'is_private' and 'is_global' properties of the ipaddress.IPv4Address, ipaddress.IPv4Network, ipaddress.IPv6Address, and ipaddress.IPv6Network classes, where values wouldn’t be returned in accordance with the latest information from the IANA Special-Purpose Address Registries. CPython 3.12.4 and 3.13.0a6 contain updated information from these registries and thus have the intended behavior. Severity: Medium References * https://github.com/python/cpython/issues/113171 * https://github.com/python/cpython/pull/113179 * https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml * https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml
Note that CPython is what we use, it's the C/C++ implementation of the Python language. Users who use older versions of Python will need to backport the fix.
Note:
See TracTickets
for help on using tickets.