Bug 31584

Summary: python-cryptography new security issue CVE-2023-23931
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, davidwhodgins, jani.valimaa, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: python-cryptography-3.3.1-1.1.mga8 CVE:
Status comment:

Description David Walser 2023-02-22 15:37:11 CET 
Debian-LTS has issued an advisory on February 21:
https://www.debian.org/lts/security/2023/dla-3331

The issue is fixed upstream in 39.0.1:
https://github.com/pyca/cryptography/security/advisories/GHSA-w7pp-m8wf-vj6r

I'm wondering if the the python-crypto package is affected, as it has the same version as the Debian-LTS package that was patched in their advisory.

Mageia 8 is also affected.
David Walser 2023-02-22 15:37:23 CET

Status comment: (none) => Fixed upstream in 39.0.1
Whiteboard: (none) => MGA8TOO

Comment 1 Lewis Smith 2023-02-22 20:25:18 CET 
Assigning to Python stack maintainers.

Assignee: bugsquad => python

Comment 2 Jani Välimaa 2023-02-25 14:31:21 CET 
Pushed python-cryptography-3.3.1-1.2.mga8 to mga8 core/updates_testing with backported upstream patch to fix the issue.

SRPMS:
python-cryptography-3.3.1-1.2.mga8

RPMS:
python3-cryptography-3.3.1-1.2.mga8

CC: (none) => jani.valimaa

Comment 3 Jani Välimaa 2023-02-25 14:37:02 CET 
Pushed python-cryptography-39.0.1-1.mga9 to cauldron.

Source RPM: python-cryptography-39.0.0-1.mga9.src.rpm => python-cryptography-3.3.1-1.1.mga8
Version: Cauldron => 8
Assignee: python => qa-bugs
Whiteboard: MGA8TOO => (none)

David Walser 2023-02-25 14:48:30 CET

Status comment: Fixed upstream in 39.0.1 => (none)

Comment 4 Thomas Andrews 2023-02-25 20:22:21 CET 
MGA8-64 Plasma VirtualBox guest. No installation issues.

Referenced Bug 28384 and others for test procedure:

$ python -c 'import cryptography;print(cryptography.__version__)'
3.3.1
$ python3 -c 'import cryptography;print(cryptography.__version__)'
3.3.1

Looks good here. OKing and validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => validated_update

Dave Hodgins 2023-02-25 21:09:35 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 5 Mageia Robot 2023-02-27 21:29:22 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0071.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED