Fwd: [Security-announce][CVE-2024-4032] Incorrect IPv4 and IPv6 private ranges

[Alan Coopersmith <alan.coopersmith () oracle com>]

-------- Forwarded Message --------
Subject:        [Security-announce][CVE-2024-4032] Incorrect IPv4 and IPv6 private ranges
Date:   Mon, 17 Jun 2024 09:01:18 -0500
From:   Seth Larson <seth () python org>
Reply-To:       security-sig () python org
To:     security-announce () python org



The “ipaddress” module contained incorrect information about whether certain IPv4 and IPv6 addresses were designated as “globally 
reachable” or “private”. This affected the 'is_private' and 'is_global' properties of the ipaddress.IPv4Address, 
ipaddress.IPv4Network, ipaddress.IPv6Address, and ipaddress.IPv6Network classes, where values wouldn’t be returned in accordance with the 
latest information from the IANA Special-Purpose Address Registries.

CPython 3.12.4 and 3.13.0a6 contain updated information from these registries and thus have the intended behavior.

Severity: Medium

References

  * https://github.com/python/cpython/issues/113171
  * https://github.com/python/cpython/pull/113179
  * https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml
  * https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml

Attachment: Attached Message Part
Description: