KB Article #193980

False detections of CVE-2024-3651 - Denial of service in idna.encode() - in fixed versions

Problem

CVE-2024-3651 (denial of service in idna.encode()) may be falsely detected in August 2024 or newer versions, where it has been fixed.

Resolution

While versions prior to Aug24 were legitimately vulnerable to this CVE, some scanners still detect it in August 2024 and newer versions, where it has been fixed via the patch from Red Hat. This is because the fix was backported rather than shipped as a new upstream version, so a scanner that looks at the version number alone reports a false positive, as explained in the FAQ published by Red Hat, which says this:
Why is my security scanner reporting my product as vulnerable to this vulnerability even though my product version is fixed or not affected?
In order to maintain code stability and compatibility, Red Hat usually does not rebase packages to entirely new versions. Instead, we backport fixes and new features to an older version of the package we distribute. This can result in some security scanners that only consider the package version to report the package as vulnerable. To avoid this, we suggest that you use an approved vulnerability scanner from our Red Hat Vulnerability Scanner Certification program.
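The following added example (not from the article, Red Hat, or any scanner vendor) shows why a version-only check produces the false positive described above and what a backport-aware check does differently. The package name, versions and changelog lines are constructed for the example; in practice the changelog text would come from `rpm -q --changelog <package>`.

```python
import re

# Constructed sample package record, standing in for what a scanner collects
# from an installed RPM. Name, versions and changelog text are illustrative
# assumptions for this example, not values taken from the article.
PACKAGE_NAME = "python3-idna"
INSTALLED_VERSION = "2.10"
UPSTREAM_FIXED_IN = "3.7"   # assumed upstream fix version for the example
CVE_ID = "CVE-2024-3651"

# Constructed changelog of the kind `rpm -q --changelog <pkg>` prints: the
# backport entry references the CVE while the version string stays 2.10.
CHANGELOG_WITH_BACKPORT = """\
* Mon Jun 03 2024 Example Maintainer <maint@example.invalid> - 2.10-8
- Backport upstream fix for CVE-2024-3651 (DoS in idna.encode())
* Tue Jan 09 2024 Example Maintainer <maint@example.invalid> - 2.10-7
- Rebuild for new toolchain
"""

# Same package without the backport entry (only the older changelog lines).
CHANGELOG_WITHOUT_BACKPORT = """\
* Tue Jan 09 2024 Example Maintainer <maint@example.invalid> - 2.10-7
- Rebuild for new toolchain
"""

def _version_key(version):
    # Compare dotted numeric versions as integer tuples ("2.10" > "2.9").
    return tuple(int(part) for part in re.findall(r"\d+", version))

def version_only_check(installed, fixed_in):
    """Naive scanner logic: vulnerable whenever the installed version is
    older than the upstream version that carries the fix."""
    return _version_key(installed) < _version_key(fixed_in)

def backport_aware_check(installed, fixed_in, changelog, cve):
    """Backport-aware logic: a version older than the upstream fix is still
    treated as fixed when the distro changelog records a fix for the CVE."""
    if not version_only_check(installed, fixed_in):
        return False
    backport_present = re.search(rf"\b{re.escape(cve)}\b", changelog) is not None
    return not backport_present

def scan(changelog):
    """Run both checks on the constructed package; True means 'vulnerable'."""
    return {
        "version_only": version_only_check(INSTALLED_VERSION, UPSTREAM_FIXED_IN),
        "backport_aware": backport_aware_check(INSTALLED_VERSION, UPSTREAM_FIXED_IN,
                                               changelog, CVE_ID),
    }

if __name__ == "__main__":
    print(PACKAGE_NAME, "with backport:", scan(CHANGELOG_WITH_BACKPORT))
    print(PACKAGE_NAME, "without backport:", scan(CHANGELOG_WITHOUT_BACKPORT))
```

The version-only verdict is the same in both runs; only the backport-aware check distinguishes the patched package from the unpatched one.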