CVE-2024-5642

Name	CVE-2024-5642
Description	CPython 3.9 and earlier doesn't disallow configuring an empty list ("[]") for SSLContext.set_npn_protocols() which is an invalid value for the underlying OpenSSL API. This results in a buffer over-read when NPN is used (see CVE-2024-5535 for OpenSSL). This vulnerability is of low severity due to NPN being not widely used and specifying an empty list likely being uncommon in-practice (typically a protocol name would be configured).
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
python2.7 (PTS)	bullseye	2.7.18-8+deb11u1	vulnerable
python3.11 (PTS)	bookworm	3.11.2-6+deb12u2	fixed
	sid, trixie	3.11.9-1	fixed
python3.12 (PTS)	sid, trixie	3.12.4-1	fixed
python3.13 (PTS)	trixie	3.13.0~b2-1	fixed
	sid	3.13.0~b3-2	fixed
python3.9 (PTS)	bullseye	3.9.2-1	vulnerable

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version
python2.7	source	(unstable)	(unfixed)
python3.11	source	(unstable)	(not affected)
python3.12	source	(unstable)	(not affected)
python3.13	source	(unstable)	(not affected)
python3.7	source	(unstable)	(unfixed)
python3.9	source	(unstable)	(unfixed)

Notes

- python3.13 <not-affected> (Fixed before initial upload)
- python3.12 <not-affected> (Fixed before initial upload)
- python3.11 <not-affected> (Fixed before initial upload)
[bullseye] - python3.9 <no-dsa> (Minor issue)
[bullseye] - python2.7 <ignored> (Unsupported in Bullseye, only included to build a few applications)
https://jbp.io/2024/06/27/cve-2024-5535-openssl-memory-safety.html
https://github.com/python/cpython/pull/23014
https://mail.python.org/archives/list/security-announce@python.org/thread/PLP2JI3PJY33YG6P5BZYSSNU66HASXBQ/
https://github.com/python/cpython/commit/39258d3595300bc7b952854c915f63ae2d4b9c3e (v3.10.0b1)