Bug 27567

Summary: python-cryptography new security issue CVE-2020-25659
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: guillomovitch, herman.viaene, jani.valimaa, makowski.mageia, ouaurelien, sysadmin-bugs
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: python-cryptography-2.6.1-1.mga7.src.rpm CVE:
Status comment:

Description David Walser 2020-11-06 00:27:35 CET 
Ubuntu has issued an advisory on November 3:
https://ubuntu.com/security/notices/USN-4613-1

The issue is fixed upstream in 3.2.1.
Comment 1 Aurelien Oudelet 2020-11-07 10:11:23 CET 
Hi, thanks for reporting this.
Assigned to the package maintainer/recent commiters.

(Please set the status to 'assigned' if you are working on it)

CC: (none) => guillomovitch, jani.valimaa
Assignee: bugsquad => makowski.mageia
Keywords: (none) => Triaged

Comment 2 Philippe Makowski 2020-11-14 10:56:59 CET 
Cauldron have 3.2.1 version and is not affected
Comment 3 Philippe Makowski 2020-11-14 13:37:40 CET 
Cauldron have 3.2.1 version and is not affected

Resolution: (none) => FIXED
Status: NEW => RESOLVED

David Walser 2020-11-14 16:30:50 CET

Version: Cauldron => 7
Status: RESOLVED => REOPENED
Resolution: FIXED => (none)

Comment 4 Philippe Makowski 2020-11-16 11:26:23 CET 
seems that we can apply this patch :
https://git.launchpad.net/ubuntu/+source/python-cryptography/patch/?id=27621b993df4a64e5a6eb50b5fd0078ca5903a4e
Comment 5 Philippe Makowski 2020-11-21 12:24:25 CET 
Patch applied 
python2-cryptography-2.6.1-2.mga7
python3-cryptography-2.6.1-2.mga7
from python-cryptography-2.6.1-2.mga7
are in core/updates_testing

Status: REOPENED => ASSIGNED
Assignee: makowski.mageia => qa-bugs

Comment 6 David Walser 2020-11-21 17:28:24 CET 
Advisory:
========================

Updated python-cryptography packages fix security vulnerability:

Hubert Kario discovered that python-cryptography incorrectly handled certain
decryption. An attacker could possibly use this issue to expose sensitive
information (CVE-2020-25659).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25659
https://ubuntu.com/security/notices/USN-4613-1
========================

Updated packages in core/updates_testing:
========================
python2-cryptography-2.6.1-2.mga7
python3-cryptography-2.6.1-2.mga7

from python-cryptography-2.6.1-2.mga7.src.rpm

CC: (none) => makowski.mageia

Comment 7 Herman Viaene 2020-11-23 10:18:20 CET 
MGA7-64 MATE on Peaq C1011
No installation issues
Ref bug 23339 for tests
$ python -c 'import cryptography;print(cryptography.__version__)'
2.6.1
$ python3 -c 'import cryptography;print(cryptography.__version__)'
2.6.1
So OK for me

Whiteboard: (none) => MGA7-64-OK
CC: (none) => herman.viaene

Comment 8 Aurelien Oudelet 2020-11-23 15:01:07 CET 
Validating.
Advisory pushed to SVN.

Keywords: Triaged => advisory, validated_update
CC: (none) => ouaurelien, sysadmin-bugs

Comment 9 Mageia Robot 2020-11-23 20:53:01 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0438.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED