VulnerableCode Package Details - pkg:deb/debian/pypy3@7.3.11%2Bdfsg-2

Search for packages

Vulnerability	Summary	Fixed by
VCID-gf6k-frsj-aaas Aliases: CVE-2023-40217	An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers (such as HTTP servers) that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buffer, and then is closed quickly, there is a brief window where the SSLSocket instance will detect the socket as "not connected" and won't initiate a handshake, but buffered data will still be readable from the socket buffer. This data will not be authenticated if the server-side TLS peer is expecting client certificate authentication, and is indistinguishable from valid TLS stream data. Data is limited in size to the amount that will fit in the buffer. (The TLS connection cannot directly be used for data exfiltration because the vulnerable code path requires that the connection be closed on initialization of the SSLSocket.)	7.3.11+dfsg-2+deb12u1 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 7.3.11+dfsg-2+deb12u2 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 7.3.11+dfsg-2+deb12u3 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 7.3.13+dfsg-1 Affected by 0 other vulnerabilities. 7.3.14+dfsg-1 Affected by 0 other vulnerabilities. 7.3.15+dfsg-1 Affected by 0 other vulnerabilities. 7.3.16+dfsg-2 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-gf6k-frsj-aaas
Aliases:
CVE-2023-40217

An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers (such as HTTP servers) that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buffer, and then is closed quickly, there is a brief window where the SSLSocket instance will detect the socket as "not connected" and won't initiate a handshake, but buffered data will still be readable from the socket buffer. This data will not be authenticated if the server-side TLS peer is expecting client certificate authentication, and is indistinguishable from valid TLS stream data. Data is limited in size to the amount that will fit in the buffer. (The TLS connection cannot directly be used for data exfiltration because the vulnerable code path requires that the connection be closed on initialization of the SSLSocket.)

7.3.11+dfsg-2+deb12u1
Affected by 3 other vulnerabilities.

7.3.11+dfsg-2+deb12u2
Affected by 2 other vulnerabilities.

7.3.11+dfsg-2+deb12u3
Affected by 2 other vulnerabilities.

7.3.13+dfsg-1
Affected by 0 other vulnerabilities.

7.3.14+dfsg-1
Affected by 0 other vulnerabilities.

7.3.15+dfsg-1
Affected by 0 other vulnerabilities.

7.3.16+dfsg-2
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2024-01-12T13:55:11.000480+00:00	Debian Importer	Affected by	VCID-gf6k-frsj-aaas	https://security-tracker.debian.org/tracker/data/json	34.0.0rc2
2024-01-12T13:55:05.896508+00:00	Debian Importer	Affected by	VCID-gf6k-frsj-aaas	None	34.0.0rc2
2024-01-05T09:28:51.661007+00:00	Debian Importer	Affected by	VCID-gf6k-frsj-aaas	https://security-tracker.debian.org/tracker/data/json	34.0.0rc1
2024-01-05T09:28:46.721198+00:00	Debian Importer	Affected by	VCID-gf6k-frsj-aaas	None	34.0.0rc1