There is a MEDIUM severity vulnerability affecting CPython.

The “socket” module provides a pure-Python fallback to the
socket.socketpair() function for platforms that don’t support AF_UNIX, such
as Windows. This pure-Python implementation uses AF_INET or AF_INET6 to
create a local connected pair of sockets. The connection between the two
sockets was not verified before passing the two sockets back to the user,
which leaves the server socket vulnerable to a connection race from a
malicious local peer.

Platforms that support AF_UNIX such as Linux and macOS are not affected by
this vulnerability. Versions prior to CPython 3.5 are not affected due to
the vulnerable API not being included.

Please see the linked CVE ID for the latest information on affected
versions:

* https://www.cve.org/CVERecord?id=CVE-2024-3219
* https://github.com/python/cpython/pull/122134
* https://github.com/python/cpython/issues/122133
_______________________________________________
Security-announce mailing list -- security-annou...@python.org
To unsubscribe send an email to security-announce-le...@python.org
https://mail.python.org/mailman3/lists/security-announce.python.org/
Member address: arch...@mail-archive.com

Reply via email to