Bug 35057 - python-pyasn1 new security issue CVE-2026-23490
Summary: python-pyasn1 new security issue CVE-2026-23490
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2026-01-23 15:15 CET by Nicolas Salguero
Modified: 2026-01-27 19:21 CET

See Also:
Source RPM: python-pyasn1-0.4.8-6.mga9
CVE: CVE-2026-23490
Status comment:
j.alberto.vc: test_passed_mga9_64+


Description Nicolas Salguero 2026-01-23 15:15:05 CET
Ubuntu has issued an advisory on January 22:
https://ubuntu.com/security/notices/USN-7975-1
Nicolas Salguero 2026-01-23 15:16:50 CET

CVE: (none) => CVE-2026-23490
Status comment: (none) => Patches available from Ubuntu
Whiteboard: (none) => MGA9TOO
Flags: (none) => affects_mga9+
Source RPM: (none) => python-pyasn1-0.6.1-2.mga10.src.rpm, python-pyasn1-0.4.8-6.mga9

Comment 1 Nicolas Salguero 2026-01-23 15:58:02 CET
Suggested advisory:
========================

The updated package fixes a security vulnerability:

pyasn1 has a DoS vulnerability in decoder. (CVE-2026-23490)

References:
https://ubuntu.com/security/notices/USN-7975-1
========================

Updated package in core/updates_testing:
========================
python3-pyasn1-0.4.8-6.1.mga9

from SRPM:
python-pyasn1-0.4.8-6.1.mga9.src.rpm

Source RPM: python-pyasn1-0.6.1-2.mga10.src.rpm, python-pyasn1-0.4.8-6.mga9 => python-pyasn1-0.4.8-6.mga9
Assignee: bugsquad => qa-bugs
Status: NEW => ASSIGNED
Whiteboard: MGA9TOO => (none)
Version: Cauldron => 9
Status comment: Patches available from Ubuntu => (none)

Nicolas Salguero 2026-01-23 15:58:08 CET

Flags: affects_mga9+ => (none)

katnatek 2026-01-24 23:10:25 CET

Keywords: (none) => advisory

Comment 2 katnatek 2026-01-24 23:40:43 CET
RH x86_64

installing python3-pyasn1-0.4.8-6.1.mga9.noarch.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ###################################################################################################
      1/1: python3-pyasn1        ###################################################################################################
      1/1: removing python3-pyasn1-0.4.8-6.mga9.noarch
                                 ###################################################################################################

I installed wapiti to test (I could live without seeing it again :P)

Repeat test from bug 34144 comment 11

wapiti -u http://testhtml5.vulnweb.com/ --flush-session

     __      __               .__  __  .__________
    /  \    /  \_____  ______ |__|/  |_|__\_____  \
    \   \/\/   /\__  \ \____ \|  \   __\  | _(__  <
     \        /  / __ \|  |_> >  ||  | |  |/       \
      \__/\  /  (____  /   __/|__||__| |__/______  /
           \/        \/|__|                      \/
Wapiti 3.1.4 (wapiti-scanner.github.io)
[*] Saving scan state, please wait...
[!] Unable to import module ssl
[!] Unable to find a module named ssl

[*] Launching module file

[*] Launching module sql

[*] Launching module ssrf

[*] Launching module http_headers
Checking X-Frame-Options :
X-Frame-Options is not set
Checking X-Content-Type-Options :
X-Content-Type-Options is not set

[*] Launching module cookieflags
Checking cookie : username
HttpOnly flag is not set in the cookie : username
Secure flag is not set in the cookie : username

[*] Launching module csp
CSP is not set

[*] Launching module exec

[*] Launching module redirect

[*] Launching module xss

[*] Launching module permanentxss

[*] Generating report...
A report has been generated in the file /home/katnatek/.wapiti/generated_report
Open /home/katnatek/.wapiti/generated_report/testhtml5.vulnweb.com_01242026_2238.html with a browser to see this report.

Looks good to me

Flags: (none) => test_passed_mga9_64+

katnatek 2026-01-26 00:11:21 CET

CC: (none) => andrewsfarm
Whiteboard: (none) => MGA9-64-OK

Comment 3 Herman Viaene 2026-01-26 17:41:01 CET
Tested with deluge under strace: refs found to python3-pyasn1. Works OK.

CC: (none) => herman.viaene

Comment 4 Thomas Andrews 2026-01-27 14:03:16 CET
Validating.

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

Comment 5 Mageia Robot 2026-01-27 19:21:17 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2026-0020.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
