Security scanners flag the Python version brought by aws-cli/2.17.8 (3.11.8) as vulnerable to CVE-2024-0397.
Expected Behavior
aws-cli should not bring vulnerable packages.
Current Behavior
Anchore reports:
A defect was discovered in the Python “ssl” module where there is a memory race condition with the ssl.SSLContext methods “cert_store_stats()” and “get_ca_certs()”. The race condition can be triggered if the methods are called at the same time as certificates are loaded into the SSLContext, such as during the TLS handshake with a certificate directory configured. This issue is fixed in CPython 3.10.14, 3.11.9, 3.12.3, and 3.13.0a5. ( Evidence Locations: /usr/local/aws-cli/v2/2.17.8/dist/libpython3.11.so.1.0)
This issue is now closed. Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one.
Reproduction Steps
Install latest aws-cli from https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip
Run security scan
Possible Solution
Upgrade Python to 3.11.9
Additional Information/Context
No response
CLI version used
aws-cli/2.17.8
Environment details (OS name and version, etc.)
aws-cli/2.17.8 Python/3.11.8 Linux/4.14.343-260.564.amzn2.x86_64 exe/x86_64.opensuse.15
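To triage this finding across hosts without a full scan, the bundled interpreter version can be read from the `aws --version` line and compared with the fixed releases named in the Anchore text. This is an added example, not code from the issue or from the aws-cli project; the function names are hypothetical and the 3.11.9 sample line is constructed.

```python
import re

# Fixed release per branch, taken from the Anchore finding quoted in the issue.
FIXED = {(3, 10): (14, "final", 0), (3, 11): (9, "final", 0),
         (3, 12): (3, "final", 0), (3, 13): (0, "a", 5)}
_STAGE = {"a": 0, "b": 1, "rc": 2, "final": 3}
_VER = re.compile(r"Python/(\d+)\.(\d+)\.(\d+)(?:(a|b|rc)(\d+))?")


def bundled_python(version_line):
    """Extract (major, minor, micro, stage, serial) from an `aws --version` line."""
    m = _VER.search(version_line)
    if not m:
        raise ValueError("no Python/x.y.z token in: %r" % version_line)
    major, minor, micro = (int(g) for g in m.group(1, 2, 3))
    return major, minor, micro, m.group(4) or "final", int(m.group(5) or 0)


def cve_2024_0397_status(version_line):
    """Return 'fixed', 'vulnerable' or 'unknown' for the bundled interpreter."""
    major, minor, micro, stage, serial = bundled_python(version_line)
    branch = (major, minor)
    if branch > max(FIXED):
        # Assumption: branches after 3.13 inherit the fix from 3.13.0a5.
        return "fixed"
    if branch not in FIXED:
        # The quoted advisory text names no fixed release for this branch.
        return "unknown"
    f_micro, f_stage, f_serial = FIXED[branch]
    have = (micro, _STAGE[stage], serial)
    need = (f_micro, _STAGE[f_stage], f_serial)
    return "fixed" if have >= need else "vulnerable"


if __name__ == "__main__":
    samples = [
        # Version line reported in the issue.
        "aws-cli/2.17.8 Python/3.11.8 Linux/4.14.343-260.564.amzn2.x86_64 "
        "exe/x86_64.opensuse.15",
        # Constructed line: same build string with the proposed Python 3.11.9.
        "aws-cli/0.0.0 Python/3.11.9 Linux/4.14.343-260.564.amzn2.x86_64 "
        "exe/x86_64.opensuse.15",
    ]
    for line in samples:
        print(cve_2024_0397_status(line), "<-", line)
```

A version comparison like this mirrors what the scanner does with `libpython3.11.so.1.0`; it says nothing about whether the affected `ssl.SSLContext` methods are ever called.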