Bug 31584 - python-cryptography new security issue CVE-2023-23931
Summary: python-cryptography new security issue CVE-2023-23931
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2023-02-22 15:37 CET by David Walser
Modified: 2023-02-27 21:29 CET

See Also:
Source RPM: python-cryptography-3.3.1-1.1.mga8
CVE:
Status comment:



Description David Walser 2023-02-22 15:37:11 CET
Debian-LTS has issued an advisory on February 21:
https://www.debian.org/lts/security/2023/dla-3331

The issue is fixed upstream in 39.0.1:
https://github.com/pyca/cryptography/security/advisories/GHSA-w7pp-m8wf-vj6r

I'm wondering if the python-crypto package is affected, as it has the same version as the Debian-LTS package that was patched in their advisory.

Mageia 8 is also affected.
David Walser 2023-02-22 15:37:23 CET

Status comment: (none) => Fixed upstream in 39.0.1
Whiteboard: (none) => MGA8TOO

Comment 1 Lewis Smith 2023-02-22 20:25:18 CET
Assigning to Python stack maintainers.

Assignee: bugsquad => python

Comment 2 Jani Välimaa 2023-02-25 14:31:21 CET
Pushed python-cryptography-3.3.1-1.2.mga8 to mga8 core/updates_testing with backported upstream patch to fix the issue.

SRPMS:
python-cryptography-3.3.1-1.2.mga8

RPMS:
python3-cryptography-3.3.1-1.2.mga8

CC: (none) => jani.valimaa

Comment 3 Jani Välimaa 2023-02-25 14:37:02 CET
Pushed python-cryptography-39.0.1-1.mga9 to cauldron.

Source RPM: python-cryptography-39.0.0-1.mga9.src.rpm => python-cryptography-3.3.1-1.1.mga8
Version: Cauldron => 8
Assignee: python => qa-bugs
Whiteboard: MGA8TOO => (none)

David Walser 2023-02-25 14:48:30 CET

Status comment: Fixed upstream in 39.0.1 => (none)

Comment 4 Thomas Andrews 2023-02-25 20:22:21 CET
MGA8-64 Plasma VirtualBox guest. No installation issues.

Referenced Bug 28384 and others for test procedure:

$ python -c 'import cryptography;print(cryptography.__version__)'
3.3.1
$ python3 -c 'import cryptography;print(cryptography.__version__)'
3.3.1

Looks good here. OKing and validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => validated_update

Dave Hodgins 2023-02-25 21:09:35 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 5 Mageia Robot 2023-02-27 21:29:22 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0071.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

