Bug 2171817 (CVE-2023-23931)
| Summary: | CVE-2023-23931 python-cryptography: memory corruption via immutable objects | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | ybuenos |
| Component: | vulnerability | Assignee: | Nobody <nobody> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | adudiak, apevec, asoldano, bbaranow, bcoca, bdettelb, bmaxwell, brian.stansberry, cdewolf, chazlett, cheimes, cwelton, darran.lofthouse, davidn, dkreling, dosoudil, eglynn, epacific, fjuma, gtanzill, hhorak, ivassile, iweiss, jcammara, jhardy, jjoyce, jkoehler, jneedle, jobarker, jorton, kshier, lgao, lhh, mabashia, mburns, mgarciac, mminar, mosmerov, msochure, msvehla, nwallace, osapryki, pjindal, pmackay, python-maint, rbiba, rhos-maint, rstancel, simaishi, smaestri, smcdonal, spower, sskracic, stcannon, teagle, tfister, tom.jenkinson, torsava, yguenane, zsadeh |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | python-cryptography 39.0.1, cryptography 39.0.1 | Doc Type: | If docs needed, set a value |
| Doc Text: | A vulnerability was found in python-cryptography. In affected versions, `Cipher.update_into` would accept Python objects which implement the buffer protocol but provide only immutable buffers. This issue allows immutable objects (such as `bytes`) to be mutated, thus violating the fundamental rules of Python, resulting in corrupted output. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 2171823, 2173566, 2173646, 2173647, 2171820, 2171821, 2171822, 2171826, 2171831, 2172399, 2172404, 2173564, 2173565, 2173568, 2173569, 2173643, 2173644, 2173645, 2173648, 2173649, 2173650, 2173651, 2173652, 2173653, 2173654, 2173655, 2173656, 2173657, 2173658, 2173659, 2173660, 2173661, 2173662, 2173663, 2173664, 2175090, 2175091, 2175092, 2175093, 2175094 | | |
| Bug Blocks: | 2168033 | | |
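The Doc Text describes an output buffer being written without checking that it is writable. The following is an added example, not code from the python-cryptography project: it shows the up-front check an `update_into`-style API needs (reject read-only buffers such as `bytes`, accept `bytearray` or a writable `memoryview`), using a constructed XOR keystream as a stand-in for the cipher. The names `require_writable` and `xor_update_into` are chosen here.

```python
"""Writable-buffer check for an update_into-style API (added example)."""


def require_writable(buf, min_len: int) -> memoryview:
    """Return a writable byte view of buf, or raise.

    memoryview exposes the buffer protocol's read-only flag. Checking it
    before writing is the guard missing in the affected versions: the
    protocol alone lets a C extension write into an immutable object,
    silently mutating e.g. a bytes constant.
    """
    view = memoryview(buf).cast("B")
    if view.readonly:
        raise TypeError(
            f"{type(buf).__name__} is read-only; pass a bytearray or a "
            "writable memoryview"
        )
    if len(view) < min_len:
        raise ValueError(f"buffer too small: need {min_len}, got {len(view)}")
    return view


def xor_update_into(key: bytes, data: bytes, buf) -> int:
    """Stand-in for Cipher.update_into: XOR data with a repeating key
    into buf and return the number of bytes written.

    The repeating-key XOR is a constructed toy, not a real cipher; only
    the buffer handling matters here.
    """
    out = require_writable(buf, len(data))
    for i, b in enumerate(data):
        out[i] = b ^ key[i % len(key)]
    return len(data)


if __name__ == "__main__":
    dst = bytearray(5)
    print(xor_update_into(b"\x2a", b"hello", dst), bytes(dst))
    try:
        xor_update_into(b"\x2a", b"hello", b"\x00" * 5)  # bytes is immutable
    except TypeError as exc:
        print("rejected:", exc)
```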
Description
ybuenos
2023-02-20 14:01:54 UTC
Created python-cryptography tracking bugs for this issue: Affects: fedora-36 [bug 2171820]

Created python-cryptography tracking bugs for this issue: Affects: fedora-37 [bug 2171826]

Hi ybuenos, we're currently adding python3.11-cryptography to [RHEL 8.8] and [RHEL 9.2]. Could you please create a CVE bug for these components so we can fix them before we release the packages?

[RHEL 8.8] https://issues.redhat.com/browse/RHELPLAN-143585
[RHEL 9.2] https://issues.redhat.com/browse/RHELPLAN-143619

Thank you!

FYI, RHEL 8.8 builds are blocked until rhbz#2172416 is resolved.

Created python-cryptography tracking bugs for this issue: Affects: openstack-rdo [bug 2173564]

Created python-docker tracking bugs for this issue: Affects: openstack-rdo [bug 2173565]

Created python3-cryptography tracking bugs for this issue: Affects: epel-7 [bug 2173566]

Created ansible-lint tracking bugs for this issue: Affects: fedora-all [bug 2173649]
Created centpkg tracking bugs for this issue: Affects: epel-all [bug 2173643] Affects: fedora-all [bug 2173650]
Created cura tracking bugs for this issue: Affects: fedora-all [bug 2173651]
Created limnoria tracking bugs for this issue: Affects: fedora-all [bug 2173652]
Created pypy tracking bugs for this issue: Affects: fedora-all [bug 2173653]
Created pypy3.7 tracking bugs for this issue: Affects: fedora-all [bug 2173654]
Created pypy3.8 tracking bugs for this issue: Affects: fedora-all [bug 2173655]
Created pypy3.9 tracking bugs for this issue: Affects: fedora-all [bug 2173656]
Created python-cryptography tracking bugs for this issue: Affects: fedora-all [bug 2173657]
Created python-cryptography-vectors tracking bugs for this issue: Affects: epel-all [bug 2173644]
Created python-docker tracking bugs for this issue: Affects: epel-all [bug 2173645] Affects: fedora-all [bug 2173658]
Created python-molecule tracking bugs for this issue: Affects: fedora-all [bug 2173659]
Created python-play-scraper tracking bugs for this issue: Affects: fedora-all [bug 2173660]
Created python-rpi-gpio2 tracking bugs for this issue: Affects: fedora-all [bug 2173661]
Created python-stem tracking bugs for this issue: Affects: fedora-all [bug 2173662]
Created python-types-cryptography tracking bugs for this issue: Affects: fedora-all [bug 2173663]
Created python-uvicorn tracking bugs for this issue: Affects: fedora-all [bug 2173664]
Created python3-cryptography tracking bugs for this issue: Affects: epel-all [bug 2173646]
Created python3-cryptography-vectors tracking bugs for this issue: Affects: epel-all [bug 2173647]
Created python3-docker tracking bugs for this issue: Affects: epel-all [bug 2173648]

This issue has been addressed in the following products:
Red Hat Ansible Automation Platform 2.4 for RHEL 8
Red Hat Ansible Automation Platform 2.4 for RHEL 9
Via RHSA-2023:4693 https://access.redhat.com/errata/RHSA-2023:4693

This issue has been addressed in the following products:
Red Hat Ansible Automation Platform 2.4 for RHEL 9
Red Hat Ansible Automation Platform 2.4 for RHEL 8
Via RHSA-2023:4971 https://access.redhat.com/errata/RHSA-2023:4971

This issue has been addressed in the following products:
Red Hat Enterprise Linux 9
Via RHSA-2023:6615 https://access.redhat.com/errata/RHSA-2023:6615

This issue has been addressed in the following products:
Red Hat Software Collections for Red Hat Enterprise Linux 7
Via RHSA-2023:6793 https://access.redhat.com/errata/RHSA-2023:6793

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2023:7096 https://access.redhat.com/errata/RHSA-2023:7096

This issue has been addressed in the following products:
Red Hat Quay 3
Via RHSA-2023:7341 https://access.redhat.com/errata/RHSA-2023:7341

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2024:2985 https://access.redhat.com/errata/RHSA-2024:2985