ELSA-2024-12079

Опубликовано: 18 янв. 2024

Источник: oracle-oval

Платформа: Oracle Linux 8

Платформа: Oracle Linux 9

Описание

ELSA-2024-12079: python-cryptography security update (IMPORTANT)

[36.0.1-4.0.1]

Fix CVE-2023-49083: NULL-dereference when loading PKCS7 certificates [Orabug: 36119159]

[36.0.1-4]

Fix FTBFS caused by rsa_pkcs1_implicit_rejection OpenSSL feature, resolves rhbz#2203840

[36.0.1-3]

Fix CVE-2023-23931: Don't allow update_into to mutate immutable objects, resolves rhbz#2172399
Fix FTBFS due to failing test_load_invalid_ec_key_from_pem and test_decrypt_invalid_decrypt

Обновленные пакеты

Oracle Linux 8

Oracle Linux aarch64

python3-cryptography

3.2.1-6.0.1.el8

Oracle Linux x86_64

python3-cryptography

3.2.1-6.0.1.el8

Oracle Linux 9

Oracle Linux aarch64

python3-cryptography

36.0.1-4.0.1.el9

Oracle Linux x86_64

python3-cryptography

36.0.1-4.0.1.el9

Связанные CVE

CVE-2023-49083

Ссылки на источники

Связанные уязвимости

CVE-2023-49083

CVSS3: 5.9

ubuntu

больше 1 года назад

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Calling `load_pem_pkcs7_certificates` or `load_der_pkcs7_certificates` could lead to a NULL-pointer dereference and segfault. Exploitation of this vulnerability poses a serious risk of Denial of Service (DoS) for any application attempting to deserialize a PKCS7 blob/certificate. The consequences extend to potential disruptions in system availability and stability. This vulnerability has been patched in version 41.0.6.