In the cryptography package before 3.3.2 for Python, certain sequences of update calls to symmetrically encrypt multi-GB values could result in an integer overflow and buffer overflow, as demonstrated by the Fernet class.
CVE: (none) => CVE-2020-36242
Hi, thanks for reporting this. Assigned to the package maintainer. (Please set the status to 'assigned' if you are working on it)

Fedora has issued an advisory for this on February 12th 2021: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7RGQLK4J5ZQFRLKCHVVG6BKZTUQMG7E/

Upstream changelog here: https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst
Assignee: bugsquad => makowski.mageia
Whiteboard: (none) => MGA7TOO MGA8TOO
CC: (none) => ouaurelien
Summary: python-cryptography Security issue CVE-2020-36242 => python-cryptography new security issue CVE-2020-36242
Status comment: (none) => Fixed upstream in 3.3.2
Severity: normal => major
Fedora has issued an advisory for this on February 12: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/L7RGQLK4J5ZQFRLKCHVVG6BKZTUQMG7E/
Mageia 7 does not seem impacted: https://github.com/saltstack/salt/commit/db4981505269292ff98e64464e2a56f38333cba9 and the code to fix does not exist.

src:
- python-cryptography-3.3.1-1.1.mga8
Status comment: Fixed upstream in 3.3.2 => (none)
CC: (none) => mageia
Assignee: makowski.mageia => qa-bugs
Version: Cauldron => 8
Whiteboard: MGA7TOO MGA8TOO => (none)
RPM: python3-cryptography-3.3.1-1.1.mga8
No installation issues. Referenced BUG 27567 for tests (Thank you, Herman)

$ python -c 'import cryptography;print(cryptography.__version__)'
3.3.1
$ python3 -c 'import cryptography;print(cryptography.__version__)'
3.3.1

Looks OK here. Validating.
Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
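The version probe in the QA comment above only reports the upstream version string, which is exactly what makes triage of this CVE awkward on a distro: the Mageia 8 build python3-cryptography-3.3.1-1.1.mga8 keeps the upstream string 3.3.1 yet carries the fix (per the advisory in this bug), so a bare "is it older than 3.3.2" test would flag a fixed system. The helper below is an added example for this bug, not code from the cryptography project or from Mageia's tooling; it encodes the "before 3.3.2" condition from the CVE text, treats 3.3.2 pre-releases as still affected, and whitelists distro builds that an advisory says are fixed. The function names, the version regex and the FIXED_DISTRO_BUILDS set are this example's own assumptions.

```python
"""Triage helper for CVE-2020-36242: is a python-cryptography version older
than the upstream fix (3.3.2)?

Added example for this bug report; not code from the cryptography project
or from Mageia's tooling.  The distro caveat is real: the Mageia 8 package
python3-cryptography-3.3.1-1.1.mga8 keeps the upstream version string
3.3.1 but ships the fix (see the advisory in this bug), so a bare upstream
version comparison would report it as vulnerable.  is_affected() therefore
consults a list of known-fixed distro builds first.
"""
import re
from typing import Optional, Tuple

# First upstream release containing the fix (from the CVE description).
FIXED_UPSTREAM = (3, 3, 2)

# Distro builds known to carry the backported fix despite an older upstream
# version string.  The Mageia entry comes from this bug's advisory; anything
# added here should come from a distro advisory, not from guesswork.
FIXED_DISTRO_BUILDS = {"3.3.1-1.1.mga8"}

# Suffixes that mark a pre-release of the numeric version in front of them.
_PRERELEASE = re.compile(r"[.\-_]?(dev|a|b|c|rc|alpha|beta|pre)\d*", re.IGNORECASE)


def parse_upstream_version(version: str) -> Tuple[Tuple[int, ...], bool]:
    """Return (numeric_parts, is_prerelease) for a version string.

    Handles plain upstream strings ("3.3.1"), pre-releases ("3.3.2.dev1",
    "3.3.2rc1"), local tags ("3.3.2+local") and RPM-style version-release
    strings ("3.3.1-1.1.mga8").  Only the leading dotted integers take part
    in the comparison; the remainder is inspected just to spot pre-releases.
    """
    m = re.match(r"\s*(\d+(?:\.\d+)*)(.*)$", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    # Pad short strings so "3.3" compares like (3, 3, 0).
    parts = parts + (0,) * (len(FIXED_UPSTREAM) - len(parts))
    prerelease = bool(_PRERELEASE.match(m.group(2)))
    return parts, prerelease


def is_affected_upstream(version: str) -> bool:
    """True if the upstream version predates 3.3.2 (3.3.2 pre-releases included)."""
    parts, prerelease = parse_upstream_version(version)
    if parts < FIXED_UPSTREAM:
        return True
    return parts == FIXED_UPSTREAM and prerelease


def is_affected(version: str, fixed_distro_builds=frozenset(FIXED_DISTRO_BUILDS)) -> bool:
    """Upstream check, overridden for distro builds known to carry the backport."""
    if version.strip() in fixed_distro_builds:
        return False
    return is_affected_upstream(version)


def installed_version() -> Optional[str]:
    """Version of the cryptography distribution in this interpreter, if any."""
    try:
        from importlib.metadata import PackageNotFoundError, version
    except ImportError:  # Python < 3.8 has no importlib.metadata
        return None
    try:
        return version("cryptography")
    except PackageNotFoundError:
        return None


if __name__ == "__main__":
    v = installed_version()
    if v is None:
        print("cryptography is not installed in this interpreter")
    else:
        verdict = "affected (upstream < 3.3.2)" if is_affected(v) else "not affected"
        print(f"cryptography {v}: {verdict}")
```

Run it inside the interpreter you are validating; for an RPM system, pass the full `rpm -q --qf '%{VERSION}-%{RELEASE}'` string to is_affected() so the distro whitelist can match, since importlib.metadata only ever sees the upstream 3.3.1.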
Advisory:

type: security
subject: Updated python-cryptography package fixes a security vulnerability
CVE:
  - CVE-2020-36242
src:
  8:
    core:
      - python3-cryptography-3.3.1-1.1.mga8
description: |
  In the cryptography package before 3.3.2 for Python, certain sequences of update calls to symmetrically encrypt multi-GB values could result in an integer overflow and buffer overflow (CVE-2020-36242).
references:
  - https://bugs.mageia.org/show_bug.cgi?id=28384
  - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/L7RGQLK4J5ZQFRLKCHVVG6BKZTUQMG7E/
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0129.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED