27567 – python-cryptography new security issue CVE-2020-25659

Bug 27567 - python-cryptography new security issue CVE-2020-25659

Summary: python-cryptography new security issue CVE-2020-25659

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	7
Hardware:	All Linux

Priority:	Normal Severity: major
Target Milestone:	---
Assignee:	QA Team
QA Contact:	Sec team

URL:
Whiteboard:	MGA7-64-OK
Keywords:	advisory, validated_update

Depends on:
Blocks:

Reported:	2020-11-06 00:27 CET by David Walser
Modified:	2020-11-23 20:53 CET (History)
CC List:	6 users (show)

See Also:
Source RPM:	python-cryptography-2.6.1-1.mga7.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2020-11-06 00:27:35 CET

Ubuntu has issued an advisory on November 3:
https://ubuntu.com/security/notices/USN-4613-1

The issue is fixed upstream in 3.2.1.

Comment 1 Aurelien Oudelet 2020-11-07 10:11:23 CET

Hi, thanks for reporting this.
Assigned to the package maintainer/recent commiters.

(Please set the status to 'assigned' if you are working on it)

CC: (none) => guillomovitch, jani.valimaa
Assignee: bugsquad => makowski.mageia
Keywords: (none) => Triaged

Comment 2 Philippe Makowski 2020-11-14 10:56:59 CET

Cauldron have 3.2.1 version and is not affected

Comment 3 Philippe Makowski 2020-11-14 13:37:40 CET

Cauldron have 3.2.1 version and is not affected

Resolution: (none) => FIXED
Status: NEW => RESOLVED

David Walser 2020-11-14 16:30:50 CET

Version: Cauldron => 7
Status: RESOLVED => REOPENED
Resolution: FIXED => (none)

Comment 4 Philippe Makowski 2020-11-16 11:26:23 CET

seems that we can apply this patch :
https://git.launchpad.net/ubuntu/+source/python-cryptography/patch/?id=27621b993df4a64e5a6eb50b5fd0078ca5903a4e

Comment 5 Philippe Makowski 2020-11-21 12:24:25 CET

Patch applied 
python2-cryptography-2.6.1-2.mga7
python3-cryptography-2.6.1-2.mga7
from python-cryptography-2.6.1-2.mga7
are in core/updates_testing

Status: REOPENED => ASSIGNED
Assignee: makowski.mageia => qa-bugs

Comment 6 David Walser 2020-11-21 17:28:24 CET

Advisory:
========================

Updated python-cryptography packages fix security vulnerability:

Hubert Kario discovered that python-cryptography incorrectly handled certain
decryption. An attacker could possibly use this issue to expose sensitive
information (CVE-2020-25659).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25659
https://ubuntu.com/security/notices/USN-4613-1
========================

Updated packages in core/updates_testing:
========================
python2-cryptography-2.6.1-2.mga7
python3-cryptography-2.6.1-2.mga7

from python-cryptography-2.6.1-2.mga7.src.rpm

CC: (none) => makowski.mageia

Comment 7 Herman Viaene 2020-11-23 10:18:20 CET

MGA7-64 MATE on Peaq C1011
No installation issues
Ref bug 23339 for tests
$ python -c 'import cryptography;print(cryptography.__version__)'
2.6.1
$ python3 -c 'import cryptography;print(cryptography.__version__)'
2.6.1
So OK for me

Whiteboard: (none) => MGA7-64-OK
CC: (none) => herman.viaene

Comment 8 Aurelien Oudelet 2020-11-23 15:01:07 CET

Validating.
Advisory pushed to SVN.

Keywords: Triaged => advisory, validated_update
CC: (none) => ouaurelien, sysadmin-bugs

Comment 9 Mageia Robot 2020-11-23 20:53:01 CET

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0438.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.