Bug 2231271 (CVE-2023-38325)

Summary: CVE-2023-38325 python-cryptography: SSH certificate encoding/parsing incompatibility with OpenSSH
Product: [Other] Security Response
Reporter: Vipul Nair <vinair>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: adudiak, bbuckingham, bcourt, bdettelb, cheimes, cluster-maint, ehelms, epacific, gtanzill, hhorak, jcammara, jhardy, jneedle, jobarker, jorton, jsherril, kshier, lzap, mabashia, mhulan, mminar, nmoumoul, oalbrigt, orabin, pcreech, python-maint, rbiba, rchan, simaishi, smcdonal, sskracic, stcannon, teagle, tfister, ttomecek, yguenane, zsadeh
Keywords: Security
Hardware: All
OS: Linux
Doc Type: No Doc Update
Bug Depends On: 2231312, 2231313, 2181444, 2211237, 2231274, 2231276, 2231277, 2231278, 2231279, 2231280, 2231281, 2231282, 2231283, 2231284, 2231285, 2231286, 2231288, 2231289, 2231290, 2231291, 2231292, 2231293, 2231294, 2231295, 2231296, 2231297, 2231298, 2231299, 2231300, 2231301, 2231302, 2231303, 2231304, 2231305, 2231306, 2231307, 2231308, 2231309, 2231310, 2231311, 2231314, 2231315, 2231316, 2231317, 2231318, 2231319, 2231320, 2231321, 2231322, 2231323, 2231326, 2231327, 2231328, 2231329, 2231330, 2231331, 2231332, 2231333, 2231334
Bug Blocks: 2231799

Description Vipul Nair 2023-08-11 08:00:38 UTC
The cryptography package before 41.0.2 for Python mishandles SSH certificates that have critical options.

https://pypi.org/project/cryptography/#history
https://github.com/pyca/cryptography/compare/41.0.1...41.0.2
https://github.com/pyca/cryptography/issues/9207
https://github.com/pyca/cryptography/pull/9208

Comment 1 Vipul Nair 2023-08-11 08:08:08 UTC
Created python-cryptography tracking bugs for this issue:

Affects: fedora-all [bug 2231274]

Comment 2 Vipul Nair 2023-08-11 08:11:28 UTC
Created ansible-lint tracking bugs for this issue:

Affects: fedora-all [bug 2231281]


Created cura tracking bugs for this issue:

Affects: fedora-all [bug 2231282]


Created duplicity tracking bugs for this issue:

Affects: fedora-all [bug 2231283]


Created pypy tracking bugs for this issue:

Affects: fedora-all [bug 2231284]


Created pypy3.8 tracking bugs for this issue:

Affects: fedora-all [bug 2231285]


Created pypy3.9 tracking bugs for this issue:

Affects: fedora-all [bug 2231286]


Created python-ansible-compat tracking bugs for this issue:

Affects: fedora-all [bug 2231288]


Created python-cryptography-vectors tracking bugs for this issue:

Affects: epel-all [bug 2231276]


Created python-docker tracking bugs for this issue:

Affects: epel-all [bug 2231277]


Created python-molecule tracking bugs for this issue:

Affects: fedora-all [bug 2231289]


Created python-play-scraper tracking bugs for this issue:

Affects: fedora-all [bug 2231290]


Created python-types-cryptography tracking bugs for this issue:

Affects: fedora-all [bug 2231291]


Created python-uvicorn tracking bugs for this issue:

Affects: fedora-all [bug 2231292]


Created python-yfinance tracking bugs for this issue:

Affects: fedora-all [bug 2231293]


Created python3-cryptography tracking bugs for this issue:

Affects: epel-all [bug 2231278]


Created python3-cryptography-vectors tracking bugs for this issue:

Affects: epel-all [bug 2231279]


Created python3-docker tracking bugs for this issue:

Affects: epel-all [bug 2231280]

Comment 4 Vipul Nair 2023-08-11 08:12:48 UTC
Created ansible-lint tracking bugs for this issue:

Affects: fedora-all [bug 2231299]


Created cura tracking bugs for this issue:

Affects: fedora-all [bug 2231300]


Created duplicity tracking bugs for this issue:

Affects: fedora-all [bug 2231302]


Created pypy tracking bugs for this issue:

Affects: fedora-all [bug 2231303]


Created pypy3.8 tracking bugs for this issue:

Affects: fedora-all [bug 2231304]


Created pypy3.9 tracking bugs for this issue:

Affects: fedora-all [bug 2231305]


Created python-ansible-compat tracking bugs for this issue:

Affects: fedora-all [bug 2231306]


Created python-cryptography-vectors tracking bugs for this issue:

Affects: epel-all [bug 2231294]


Created python-docker tracking bugs for this issue:

Affects: epel-all [bug 2231295]


Created python-molecule tracking bugs for this issue:

Affects: fedora-all [bug 2231307]


Created python-play-scraper tracking bugs for this issue:

Affects: fedora-all [bug 2231308]


Created python-types-cryptography tracking bugs for this issue:

Affects: fedora-all [bug 2231309]


Created python-uvicorn tracking bugs for this issue:

Affects: fedora-all [bug 2231310]


Created python-yfinance tracking bugs for this issue:

Affects: fedora-all [bug 2231311]


Created python3-cryptography tracking bugs for this issue:

Affects: epel-all [bug 2231296]


Created python3-cryptography-vectors tracking bugs for this issue:

Affects: epel-all [bug 2231297]


Created python3-docker tracking bugs for this issue:

Affects: epel-all [bug 2231298]

Comment 11 Christian Heimes 2023-08-11 08:43:04 UTC
The affected code was introduced in upstream release 40.0 and fixed in upstream release 41.0.2. The GH security advisory https://github.com/advisories/GHSA-cf7p-gm2m-833m has the versions wrong. The NIST CVE entry https://nvd.nist.gov/vuln/detail/CVE-2023-38325 has the correct version span.

Since releases < 40.0 are not affected by the bug, no released version of Fedora, CentOS Stream, or RHEL is affected.

- RHEL 8 has python-cryptography-3.2.1 or lower
- RHEL 8's Python 3.8 module has python38-cryptography-2.8
- RHEL 8's Python 3.9 module has python39-cryptography-3.3.1
- RHEL 9 has python-cryptography-36.0.1 or lower
- sat-delivery has python-cryptography-38.0.4-1.el8pc / python-cryptography-38.0.4-1.el9pc
- since python-cryptography is an AppStream package of RHEL, there shouldn't be any EPEL packages.
- Fedora 37 and 38 have python-cryptography-37.0.2
- Fedora 39/Rawhide have python-cryptography-40.0.2, however Fedora 39 is not released yet. It just branched off Rawhide earlier this week.

Vipul, could you please verify my findings and then close all tickets except for Fedora 39/Rawhide related tickets? I already have updates for Fedora 39/Rawhide prepared.
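
The version triage Christian describes in Comment 11, as an added example (not code from the Bugzilla report or from the cryptography project). It encodes the affected span stated above, introduced in upstream 40.0 and fixed in 41.0.2, and runs it over a constructed inventory built from the package versions listed in the comment; the RPM release tags (e.g. `-1.el8pc`) are stripped before comparison. The `installed_status()` helper uses `importlib.metadata` to classify whatever cryptography build is importable in the current interpreter, so the same check can be run on a real host.

```python
"""Affected-version check for CVE-2023-38325 (python-cryptography).

Added example; not part of the bug report. Span taken from Comment 11:
introduced in upstream 40.0 (i.e. 40.0.0), fixed in 41.0.2, so a build is
affected iff 40.0.0 <= version < 41.0.2.
"""
import re
from importlib import metadata
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

INTRODUCED: Version = (40, 0, 0)   # first affected upstream release (Comment 11)
FIXED: Version = (41, 0, 2)        # first fixed upstream release (description)

# Matches the upstream version inside a bare version string or an RPM name,
# e.g. "40.0", "41.0.2", "38.0.4-1.el8pc", "python39-cryptography-3.3.1".
# The leading (^|-) keeps the "39" of "python39" from being read as a version;
# the trailing (?!\d) keeps the match anchored to the whole numeric component.
_VERSION_RE = re.compile(r"(?:^|-)(\d+)\.(\d+)(?:\.(\d+))?(?!\d)")


def parse_version(text: str) -> Version:
    """Extract (major, minor, patch) from a version string or RPM name; patch defaults to 0."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no version found in {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def classify(text: str) -> str:
    """Return 'predates' (< 40.0.0), 'affected' (40.0.0 <= v < 41.0.2) or 'fixed' (>= 41.0.2)."""
    v = parse_version(text)
    if v < INTRODUCED:
        return "predates"
    if v < FIXED:
        return "affected"
    return "fixed"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each inventory entry (name -> package string) to its classification."""
    return {name: classify(pkg) for name, pkg in inventory.items()}


def needs_update(inventory: Dict[str, str]) -> List[str]:
    """Names of the inventory entries that ship an affected build (these keep their tracking bugs)."""
    return sorted(name for name, status in triage(inventory).items() if status == "affected")


def installed_status() -> Optional[str]:
    """Classify the cryptography package importable here, or None if it is not installed."""
    try:
        return classify(metadata.version("cryptography"))
    except metadata.PackageNotFoundError:
        return None


# Constructed inventory: the versions Comment 11 and Comment 12 list per distribution.
INVENTORY: Dict[str, str] = {
    "RHEL 7.9": "python-cryptography-1.7.2",
    "RHEL 8": "python-cryptography-3.2.1",
    "RHEL 8 python38 module": "python38-cryptography-2.8",
    "RHEL 8 python39 module": "python39-cryptography-3.3.1",
    "RHEL 9": "python-cryptography-36.0.1",
    "sat-delivery el8": "python-cryptography-38.0.4-1.el8pc",
    "sat-delivery el9": "python-cryptography-38.0.4-1.el9pc",
    "Fedora 37": "python-cryptography-37.0.2",
    "Fedora 38": "python-cryptography-37.0.2",
    "Fedora 39": "python-cryptography-40.0.2",
    "Rawhide": "python-cryptography-40.0.2",
}

if __name__ == "__main__":
    for name, status in triage(INVENTORY).items():
        print(f"{name:24s} {INVENTORY[name]:40s} {status}")
    print("needs update:", needs_update(INVENTORY))
    print("this interpreter:", installed_status())
```

Only the two entries carrying 40.0.2 come back as affected, matching the request to close every tracker except the Fedora 39/Rawhide ones; the 41.0.1/41.0.2 boundary is what distinguishes the correct NVD span from the advisory text the comment flags as wrong.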

Comment 12 Christian Heimes 2023-08-11 08:43:59 UTC
For the record, RHEL 7.9 has python-cryptography-1.7.2

Comment 13 Vipul Nair 2023-08-14 06:46:45 UTC
Sure bud, also that should be closed out in secondary analysis.

Comment 16 Christian Heimes 2023-08-15 04:44:58 UTC
I have requested an update of the GHA to add an '{"introduced": "40.0.0"}' event, https://github.com/github/advisory-database/pull/2620. This will also silence false positives in Quay's Clair.