Bug 32584 - python-cryptography new security issues CVE-2023-49083, CVE-2023-50782 and CVE-2024-26130
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: https://github.com/pyca/cryptography/...
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2023-11-30 12:14 CET by Nicolas Salguero
Modified: 2025-02-17 19:38 CET

See Also:
Source RPM: python-cryptography-39.0.1-1.mga9.src.rpm,openssl-3.0.15-1.2.mga9.src.rpm
CVE: CVE-2023-49083, CVE-2023-50782, CVE-2024-26130
Status comment:


Description Nicolas Salguero 2023-11-30 12:14:46 CET
CVE-2023-49083 was announced on November 29:
https://www.openwall.com/lists/oss-security/2023/11/29/2

Mageia 8 and 9 are also affected.
Nicolas Salguero 2023-11-30 12:15:11 CET

Whiteboard: (none) => MGA9TOO, MGA8TOO
Source RPM: (none) => python-cryptography-41.0.4-2.mga10.src.rpm

Comment 1 Lewis Smith 2023-11-30 12:38:34 CET
I have noted the URL about a fix proposed but debated, ongoing, and may want a GitHub account to follow.
Assigning to Python team, CC'ing Jani & Yves who have done recent versions.

Status comment: (none) => Patch in progress
Assignee: bugsquad => python
URL: (none) => https://github.com/pyca/cryptography/pull/9926
CC: (none) => jani.valimaa, yvesbrungard

papoteur 2023-12-01 09:44:47 CET

CVE: (none) => CVE-2023-49083

Comment 2 Nicolas Salguero 2024-03-07 16:15:54 CET
Ubuntu has issued an advisory on March 5:
https://ubuntu.com/security/notices/USN-6673-1

Summary: python-cryptography new security issue CVE-2023-49083 => python-cryptography new security issues CVE-2023-49083, CVE-2023-50782 and CVE-2024-26130
Whiteboard: MGA9TOO, MGA8TOO => MGA9TOO
Status comment: Patch in progress => Patches available from Ubuntu and upstream
CVE: CVE-2023-49083 => CVE-2023-49083, CVE-2023-50782, CVE-2024-26130

papoteur 2024-04-09 17:51:05 CEST

Status comment: Patches available from Ubuntu and upstream => (none)
Assignee: python => qa-bugs

Comment 3 papoteur 2024-04-09 18:40:55 CEST
Sorry, mismatch in report, restoring data

Assignee: qa-bugs => python
Status comment: (none) => Patches available from Ubuntu and upstream

Comment 4 Nicolas Salguero 2024-05-28 15:32:57 CEST
Ubuntu has issued an advisory on May 27 for CVE-2024-26130:
https://ubuntu.com/security/notices/USN-6673-3
Comment 5 papoteur 2024-11-20 13:09:57 CET
In cauldron, we have 42.0.5 which includes fixes for CVE-2023-49083 and CVE-2024-26130
CVE-2023-50782 is fixed by rebuild against openssl > 3.2.0, now 3.3.2 in cauldron

Whiteboard: MGA9TOO => (none)
Version: Cauldron => 9

Nicolas Salguero 2025-02-14 11:09:45 CET

Source RPM: python-cryptography-41.0.4-2.mga10.src.rpm => python-cryptography-39.0.1-1.mga9.src.rpm

Comment 6 Nicolas Salguero 2025-02-14 16:08:15 CET
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Cryptography vulnerable to NULL-dereference when loading PKCS7 certificates. (CVE-2023-49083)

Python-cryptography: Bleichenbacher timing oracle attack against RSA decryption - incomplete fix for CVE-2020-25659. (CVE-2023-50782)

Cryptography NULL pointer dereference with pkcs12.serialize_key_and_certificates when called with a non-matching certificate and private key and an hmac_hash override. (CVE-2024-26130)

References:
https://www.openwall.com/lists/oss-security/2023/11/29/2
https://ubuntu.com/security/notices/USN-6673-1
https://ubuntu.com/security/notices/USN-6673-3
========================

Updated packages in core/updates_testing:
========================
lib(64)openssl3-3.0.15-1.3.mga9
lib(64)openssl-devel-3.0.15-1.3.mga9
lib(64)openssl-static-devel-3.0.15-1.3.mga9
openssl-3.0.15-1.3.mga9
openssl-perl-3.0.15-1.3.mga
python3-cryptography-39.0.1-1.1.mga9

from SRPMS:
openssl-3.0.15-1.3.mga9.src.rpm
python-cryptography-39.0.1-1.1.mga9.src.rpm

Status: NEW => ASSIGNED
Assignee: python => qa-bugs
Status comment: Patches available from Ubuntu and upstream => (none)

katnatek 2025-02-14 18:32:07 CET

Keywords: (none) => advisory

Comment 7 Thomas Andrews 2025-02-14 21:04:21 CET
openssl-perl-3.0.15-1.3.mga should be openssl-perl-3.0.15-1.3.mga9. 

Qarepo couldn't find it.

CC: (none) => andrewsfarm

katnatek 2025-02-16 01:30:51 CET

Source RPM: python-cryptography-39.0.1-1.mga9.src.rpm => python-cryptography-39.0.1-1.mga9.src.rpm,openssl-3.0.15-1.2.mga9.src.rpm

Comment 8 katnatek 2025-02-16 01:45:38 CET
RH x86_64

installing lib64openssl3-3.0.15-1.3.mga9.x86_64.rpm openssl-3.0.15-1.3.mga9.x86_64.rpm python3-cryptography-39.0.1-1.1.mga9.x86_64.rpm lib64openssl-devel-3.0.15-1.3.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/4: lib64openssl3         ##################################################################################################
      2/4: openssl               ##################################################################################################
      3/4: python3-cryptography  ##################################################################################################
      4/4: lib64openssl-devel    ##################################################################################################
      1/4: removing openssl-3.0.15-1.2.mga9.x86_64
                                 ##################################################################################################
      2/4: removing python3-cryptography-39.0.1-1.mga9.x86_64
                                 ##################################################################################################
      3/4: removing lib64openssl-devel-3.0.15-1.2.mga9.x86_64
                                 ##################################################################################################
      4/4: removing lib64openssl3-3.0.15-1.2.mga9.x86_64
                                 ##################################################################################################

Reference: bug#3942 comment#3 for openssl

openssl s_client -connect mageia.org:443
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
verify return:1
depth=1 C = FR, O = Gandi SAS, CN = GandiCert
verify return:1
depth=0 CN = *.mageia.org
verify return:1
---
Certificate chain
 0 s:CN = *.mageia.org
   i:C = FR, O = Gandi SAS, CN = GandiCert
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Feb 11 00:00:00 2025 GMT; NotAfter: Feb 10 23:59:59 2026 GMT
 1 s:C = FR, O = Gandi SAS, CN = GandiCert
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Apr 17 00:00:00 2024 GMT; NotAfter: Apr 16 23:59:59 2034 GMT
..etc

A few differences in the output, but still consistent

openssl version -a
OpenSSL 3.0.15 3 Sep 2024 (Library: OpenSSL 3.0.15 3 Sep 2024)
built on: Fri Feb 14 10:38:08 2025 UTC
platform: linux-x86_64
options:  bn(64,64)
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -O2 -g -pipe -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fstack-protector --param=ssp-buffer-size=4 -fstack-protector-all -fasynchronous-unwind-tables -O2 -g -pipe -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fstack-protector --param=ssp-buffer-size=4 -fstack-protector-all -fasynchronous-unwind-tables -Wa,--noexecstack -Wa,--generate-missing-build-notes=yes -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_BUILDING_OPENSSL -DZLIB -DNDEBUG -DPURIFY -DDEVRANDOM="\"/dev/urandom\"" -DSYSTEM_CIPHERS_FILE="/etc/crypto-policies/back-ends/openssl.config"
OPENSSLDIR: "/etc/pki/tls"
ENGINESDIR: "/usr/lib64/engines-3"
MODULESDIR: "/usr/lib64/ossl-modules"
Seeding source: os-specific
CPUINFO: OPENSSL_ia32cap=0x29ae3ffffebffff:0x0


openssl ciphers -v
TLS_AES_256_GCM_SHA384         TLSv1.3 Kx=any      Au=any   Enc=AESGCM(256)            Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256   TLSv1.3 Kx=any      Au=any   Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256         TLSv1.3 Kx=any      Au=any   Enc=AESGCM(128)            Mac=AEAD
TLS_AES_128_CCM_SHA256         TLSv1.3 Kx=any      Au=any   Enc=AESCCM(128)            Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384  TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256)            Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384    TLSv1.2 Kx=ECDH     Au=RSA   Enc=AESGCM(256)            Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305  TLSv1.2 Kx=ECDH     Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305    TLSv1.2 Kx=ECDH     Au=RSA   Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES256-CCM         TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESCCM(256)            Mac=AEAD
..etc

openssl speed rsa
Doing 512 bits private rsa's for 10s: 122944 512 bits private RSA's in 10.00s
Doing 512 bits public rsa's for 10s: 1917620 512 bits public RSA's in 10.00s
Doing 1024 bits private rsa's for 10s: 41543 1024 bits private RSA's in 10.01s
Doing 1024 bits public rsa's for 10s: 674070 1024 bits public RSA's in 9.99s
Doing 2048 bits private rsa's for 10s: 5730 2048 bits private RSA's in 10.00s
Doing 2048 bits public rsa's for 10s: 190961 2048 bits public RSA's in 10.00s
Doing 3072 bits private rsa's for 10s: 1771 3072 bits private RSA's in 10.00s
Doing 3072 bits public rsa's for 10s: 88133 3072 bits public RSA's in 10.00s

Reference: bug#31584 comment#4 for python3-cryptography

 python3 -c 'import cryptography;print(cryptography.__version__)'
39.0.1

Whiteboard: (none) => MGA9-64-OK
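
Added example, not part of the original bug report or of Mageia's QA tooling: the backported fix keeps the upstream version at 39.0.1, so `cryptography.__version__` reads the same before and after the update, and a host check has to compare the RPM release instead. The code uses a simplified rpmvercmp against the fixed builds listed in comment 6; the `vercmp` and `audit` names and the sample inventories are constructed for illustration.

```python
import re

# First fixed builds, from the update candidate list in comment 6 of this bug.
FIXED = {
    "python3-cryptography": ("39.0.1", "1.1.mga9"),
    "openssl": ("3.0.15", "1.3.mga9"),
    "lib64openssl3": ("3.0.15", "1.3.mga9"),
}

def vercmp(a, b):
    """Simplified rpmvercmp (no epoch, '~' or '^' handling): returns -1, 0 or 1."""
    # Split into runs of digits or letters; separators such as '.' are dropped.
    sa, sb = (re.findall(r"\d+|[A-Za-z]+", s) for s in (a, b))
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment beats an alphabetic one
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # leftover segments mean newer

def audit(installed):
    """Map each tracked package in `installed` to 'fixed' or 'needs-update'."""
    result = {}
    for nvr in installed:
        name, version, release = nvr.rsplit("-", 2)  # name may itself contain '-'
        if name not in FIXED:
            continue
        fixed_version, fixed_release = FIXED[name]
        order = vercmp(version, fixed_version) or vercmp(release, fixed_release)
        result[name] = "needs-update" if order < 0 else "fixed"
    return result

# Constructed inventories in name-version-release form, as printed by
# rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'; "example-pkg" is a placeholder.
BEFORE = ["python3-cryptography-39.0.1-1.mga9", "openssl-3.0.15-1.2.mga9",
          "lib64openssl3-3.0.15-1.2.mga9", "example-pkg-1.0-1.mga9"]
AFTER = ["python3-cryptography-39.0.1-1.1.mga9", "openssl-3.0.15-1.3.mga9",
         "lib64openssl3-3.0.15-1.3.mga9", "example-pkg-1.0-1.mga9"]

if __name__ == "__main__":
    print("before:", audit(BEFORE))
    print("after: ", audit(AFTER))
```
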

Comment 9 Thomas Andrews 2025-02-16 19:51:34 CET
Validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 10 Mageia Robot 2025-02-17 19:38:22 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2025-0069.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

