Posted March 6

Amazon Linux AMI 2: CVE-2024-5642: Security patch for python, python3 (Multiple Advisories)

Severity: 4
CVSS: (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published: 06/27/2024
Created: 02/05/2025
Added: 02/05/2025
Modified: 02/05/2025

Description

CPython 3.9 and earlier doesn't disallow configuring an empty list ("[]") for SSLContext.set_npn_protocols(), which is an invalid value for the underlying OpenSSL API. This results in a buffer over-read when NPN is used (see CVE-2024-5535 for OpenSSL). This vulnerability is of low severity because NPN is not widely used and specifying an empty list is likely uncommon in practice (typically a protocol name would be configured).

Solution(s)

amazon-linux-ami-2-upgrade-python
amazon-linux-ami-2-upgrade-python-debug
amazon-linux-ami-2-upgrade-python-debuginfo
amazon-linux-ami-2-upgrade-python-devel
amazon-linux-ami-2-upgrade-python-libs
amazon-linux-ami-2-upgrade-python-test
amazon-linux-ami-2-upgrade-python-tools
amazon-linux-ami-2-upgrade-python3
amazon-linux-ami-2-upgrade-python3-debug
amazon-linux-ami-2-upgrade-python3-debuginfo
amazon-linux-ami-2-upgrade-python3-devel
amazon-linux-ami-2-upgrade-python3-libs
amazon-linux-ami-2-upgrade-python3-test
amazon-linux-ami-2-upgrade-python3-tkinter
amazon-linux-ami-2-upgrade-python3-tools
amazon-linux-ami-2-upgrade-tkinter

References

https://attackerkb.com/topics/cve-2024-5642
AL2/ALAS-2025-2743
AL2/ALAS-2025-2744
CVE - 2024-5642
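
To find code affected by the condition in the Description while the package upgrade is being rolled out, the following added example (not part of the advisory or of CPython) statically scans Python source for `set_npn_protocols()` calls and flags those passed an empty list or tuple literal. The function name `classify_npn_calls` and the sample source are constructed for illustration.

```python
import ast

# Constructed sample source for the scan; not taken from any real project.
SAMPLE = '''\
import ssl
ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
ctx.set_npn_protocols([])
ctx.set_npn_protocols(["http/1.1"])
ctx.set_npn_protocols(protos)
ctx.set_npn_protocols(())
'''


def classify_npn_calls(source, filename="<string>"):
    """Return sorted (lineno, verdict) pairs for each set_npn_protocols() call.

    verdict is:
      "empty"   - an empty list/tuple literal, the invalid value in the advisory
      "literal" - a non-empty list/tuple literal
      "dynamic" - anything else (computed at run time, needs manual review)
    """
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        # Match any <expr>.set_npn_protocols(...) call, whatever the receiver.
        if not (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Attribute)
                and node.func.attr == "set_npn_protocols"):
            continue
        # Accept the protocol list as a positional or a keyword argument.
        args = list(node.args) + [kw.value for kw in node.keywords]
        arg = args[0] if args else None
        if isinstance(arg, (ast.List, ast.Tuple)):
            verdict = "empty" if not arg.elts else "literal"
        else:
            verdict = "dynamic"
        findings.append((node.lineno, verdict))
    return sorted(findings)


if __name__ == "__main__":
    for lineno, verdict in classify_npn_calls(SAMPLE):
        print(f"line {lineno}: {verdict}")
```

Calls reported as "dynamic" pass a value built at run time, so the scan cannot rule out an empty list there; those call sites need review by hand.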