Bug 27567 - python-cryptography new security issue CVE-2020-25659
Summary: python-cryptography new security issue CVE-2020-25659
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-11-06 00:27 CET by David Walser
Modified: 2020-11-23 20:53 CET

See Also:
Source RPM: python-cryptography-2.6.1-1.mga7.src.rpm
CVE:
Status comment:


Description David Walser 2020-11-06 00:27:35 CET
Ubuntu has issued an advisory on November 3:
https://ubuntu.com/security/notices/USN-4613-1

The issue is fixed upstream in 3.2.1.
Comment 1 Aurelien Oudelet 2020-11-07 10:11:23 CET
Hi, thanks for reporting this.
Assigned to the package maintainer/recent committers.

(Please set the status to 'assigned' if you are working on it)

CC: (none) => guillomovitch, jani.valimaa
Assignee: bugsquad => makowski.mageia
Keywords: (none) => Triaged

Comment 2 Philippe Makowski 2020-11-14 10:56:59 CET
Cauldron has version 3.2.1 and is not affected.
Comment 3 Philippe Makowski 2020-11-14 13:37:40 CET
Cauldron has version 3.2.1 and is not affected.

Resolution: (none) => FIXED
Status: NEW => RESOLVED

David Walser 2020-11-14 16:30:50 CET

Version: Cauldron => 7
Status: RESOLVED => REOPENED
Resolution: FIXED => (none)

Comment 4 Philippe Makowski 2020-11-16 11:26:23 CET
Seems that we can apply this patch:
https://git.launchpad.net/ubuntu/+source/python-cryptography/patch/?id=27621b993df4a64e5a6eb50b5fd0078ca5903a4e
Comment 5 Philippe Makowski 2020-11-21 12:24:25 CET
Patch applied 
python2-cryptography-2.6.1-2.mga7
python3-cryptography-2.6.1-2.mga7
from python-cryptography-2.6.1-2.mga7
are in core/updates_testing

Status: REOPENED => ASSIGNED
Assignee: makowski.mageia => qa-bugs

Comment 6 David Walser 2020-11-21 17:28:24 CET
Advisory:
========================

Updated python-cryptography packages fix security vulnerability:

Hubert Kario discovered that python-cryptography incorrectly handled certain
decryption. An attacker could possibly use this issue to expose sensitive
information (CVE-2020-25659).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25659
https://ubuntu.com/security/notices/USN-4613-1
========================

Updated packages in core/updates_testing:
========================
python2-cryptography-2.6.1-2.mga7
python3-cryptography-2.6.1-2.mga7

from python-cryptography-2.6.1-2.mga7.src.rpm

CC: (none) => makowski.mageia

Comment 7 Herman Viaene 2020-11-23 10:18:20 CET
MGA7-64 MATE on Peaq C1011
No installation issues
Ref bug 23339 for tests
$ python -c 'import cryptography;print(cryptography.__version__)'
2.6.1
$ python3 -c 'import cryptography;print(cryptography.__version__)'
2.6.1
So OK for me

Whiteboard: (none) => MGA7-64-OK
CC: (none) => herman.viaene

Comment 8 Aurelien Oudelet 2020-11-23 15:01:07 CET
Validating.
Advisory pushed to SVN.

Keywords: Triaged => advisory, validated_update
CC: (none) => ouaurelien, sysadmin-bugs

Comment 9 Mageia Robot 2020-11-23 20:53:01 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0438.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

