Fedora 38: python-cryptography 2023-749dd47c79 | LinuxSecurity.com

What Are You Looking For?

Popular Tags

Contribute
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2023-749dd47c79
2023-03-11 03:04:11.186915
--------------------------------------------------------------------------------

Name        : python-cryptography
Product     : Fedora 38
Version     : 37.0.2
Release     : 8.fc38
URL         : https://cryptography.io/en/latest/
Summary     : PyCA's cryptography library
Description :
cryptography is a package designed to expose cryptographic primitives and
recipes to Python developers.

--------------------------------------------------------------------------------
Update Information:

Security fix for CVE-2023-23931  cryptography is a package designed to expose
cryptographic primitives and recipes to Python developers. In affected versions
`Cipher.update_into` would accept Python objects which implement the buffer
protocol, but provide only immutable buffers. This would allow immutable objects
(such as `bytes`) to be mutated, thus violating fundamental rules of Python and
resulting in corrupted output. This now correctly raises an exception. This
issue has been present since `update_into` was originally introduced in
cryptography 1.8.
--------------------------------------------------------------------------------
ChangeLog:

* Wed Feb 22 2023 Christian Heimes  - 37.0.2-8
- Fix CVE-2023-23931: Don't allow update_into to mutate immutable objects, resolves rhbz#2171820
- Fix FTBFS due to failing test_load_invalid_ec_key_from_pem and test_decrypt_invalid_decrypt, resolves rhbz#2171661
* Fri Jan 20 2023 Fedora Release Engineering  - 37.0.2-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Fri Dec  9 2022 Christian Heimes  - 37.0.2-6
- Enable SHA1 signatures in test suite (ELN-only)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2171817 - CVE-2023-23931 python-cryptography: memory corruption via immutable objects
        https://bugzilla.redhat.com/show_bug.cgi?id=2171817
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2023-749dd47c79' at the command
line. For more information, refer to the dnf documentation available at
https://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue

Fedora 38: python-cryptography 2023-749dd47c79

March 11, 2023
Security fix for CVE-2023-23931 cryptography is a package designed to expose cryptographic primitives and recipes to Python developers

Summary

cryptography is a package designed to expose cryptographic primitives and

recipes to Python developers.

Update Information:

Security fix for CVE-2023-23931 cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. In affected versions `Cipher.update_into` would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects (such as `bytes`) to be mutated, thus violating fundamental rules of Python and resulting in corrupted output. This now correctly raises an exception. This issue has been present since `update_into` was originally introduced in cryptography 1.8.

Change Log

* Wed Feb 22 2023 Christian Heimes - 37.0.2-8 - Fix CVE-2023-23931: Don't allow update_into to mutate immutable objects, resolves rhbz#2171820 - Fix FTBFS due to failing test_load_invalid_ec_key_from_pem and test_decrypt_invalid_decrypt, resolves rhbz#2171661 * Fri Jan 20 2023 Fedora Release Engineering - 37.0.2-7 - Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild * Fri Dec 9 2022 Christian Heimes - 37.0.2-6 - Enable SHA1 signatures in test suite (ELN-only)

References

[ 1 ] Bug #2171817 - CVE-2023-23931 python-cryptography: memory corruption via immutable objects https://bugzilla.redhat.com/show_bug.cgi?id=2171817

Update Instructions

This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2023-749dd47c79' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

Severity
Name : python-cryptography
Product : Fedora 38
Version : 37.0.2
Release : 8.fc38
URL : https://cryptography.io/en/latest/
Summary : PyCA's cryptography library

Related News

Kali Linux 2023.1 Introduces 'Purple' Distro for Defensive Security

Companies Can’t Stop Using Open Source

8 Reasons Why Kali Linux is the Ultimate Operating System for Hackers

Microsoft Opens Azure Confidential Containers to Public Preview

News

Advisories

HOWTOs

Features

Best Linux Backup Solutions to Prevent Data Loss in A Ransomware Attack
ManageEngine Vulnerability Manager Plus: How To Protect Your Enterprise from Security Vulnerabilities
High-Impact DoS, Arbitrary Code Execution, Spoofing Bugs Fixed in Thunderbird 102.9.0
A Guide to Business Cybersecurity: Common Digital Attacks and Precautions
New Linux IceFire Ransomware Variant Discovered: What You Need to Know to Secure Your Systems

About Us

Powered By

Footer Logo

We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy. 

Learn More About Our Cookie Policy