Bug 2255331 (CVE-2023-49083)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | CVE-2023-49083 python-cryptography: NULL-dereference when loading PKCS7 certificates | | |
| Product | [Other] Security Response | Reporter | TEJ RATHI <trathi> |
| Component | vulnerability | Assignee | Product Security <prodsec-ir-bot> |
| Status | NEW --- | QA Contact | |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | unspecified | CC | adudiak, amctagga, aoconnor, bdettelb, bniver, caswilli, davidn, dfreiber, dhalasz, drow, epacific, flucifre, gmeno, gtanzill, hhorak, hkataria, jburrell, jcammara, jhardy, jmitchel, jneedle, jobarker, jorton, jsamir, jsherril, jtanner, kaycoth, kshier, mabashia, mbenjamin, mhackett, mminar, orabin, osapryki, psegedy, python-maint, rbiba, rbobbitt, simaishi, smcdonal, sostapov, sskracic, stcannon, sthirugn, teagle, tfister, tsasak, vereddy, vkrizan, vkumar, vmugicag, yguenane, zsadeh |
| Target Milestone | --- | Keywords | Security |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | python-cryptography 41.0.6 | Doc Type | If docs needed, set a value |
| Doc Text | A null-pointer dereference vulnerability was found in python-cryptography when loading PKCS7 certificates. Invoking "load_pem_pkcs7_certificates" or "load_der_pkcs7_certificates" can trigger this issue and lead to a segmentation fault, resulting in a denial of service (DoS) for any application that deserializes a PKCS7 blob or certificate. The potential impact includes disruptions in system availability and stability. | | |
| Story Points | --- | | |
| Clone Of | | Environment | |
| Last Closed | | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | 2255353, 2255358, 2255351, 2255352, 2255354, 2255356 | | |
| Bug Blocks | 2255359 | | |
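As an added example (not code from this bug report or from python-cryptography), the following Python shows two defensive measures for the Doc Text above: a version gate against the 41.0.6 fix, and a wrapper that runs the two PKCS7 loaders named there in a child interpreter so that a NULL-dereference crash only kills the child instead of the whole application. It assumes pyca/cryptography exposes `cryptography.hazmat.primitives.serialization.pkcs7.load_pem_pkcs7_certificates` / `load_der_pkcs7_certificates` and `cryptography.__version__` (names taken from the upstream package, not from this page); the sample input in the usage note is constructed.

```python
import subprocess
import sys

# "Fixed In Version" from the bug report: python-cryptography 41.0.6.
FIXED_VERSION = (41, 0, 6)


def parse_version(version: str) -> tuple:
    """'41.0.5' -> (41, 0, 5); non-digit tails such as '6rc1' are ignored."""
    parts = []
    for piece in version.split(".")[:3]:
        digits = piece[:len(piece) - len(piece.lstrip("0123456789"))]
        parts.append(int(digits) if digits else 0)
    return tuple(parts + [0] * (3 - len(parts)))


def pkcs7_loader_is_vulnerable(version: str) -> bool:
    """True when the installed cryptography predates the CVE-2023-49083 fix.
    Pass cryptography.__version__ (assumed attribute of the upstream package)."""
    return parse_version(version) < FIXED_VERSION


# Child program run in a separate interpreter: a NULL dereference inside the
# loader kills only this process, not the caller. argv[1] selects PEM or DER.
# Module/function names are assumed from pyca/cryptography's public API.
CHILD = """
import sys
from cryptography.hazmat.primitives.serialization import pkcs7
loader = (pkcs7.load_pem_pkcs7_certificates if sys.argv[1] == "PEM"
          else pkcs7.load_der_pkcs7_certificates)
print(len(loader(sys.stdin.buffer.read())))
"""


def count_pkcs7_certificates_isolated(blob: bytes, encoding: str = "PEM",
                                      timeout: float = 10.0) -> int:
    """Parse a PKCS7 blob in a child process and return the certificate count.
    A crash (negative return code = killed by a signal such as SIGSEGV) or a
    parse error surfaces as ValueError instead of taking the caller down."""
    proc = subprocess.run([sys.executable, "-c", CHILD, encoding],
                          input=blob, capture_output=True, timeout=timeout)
    if proc.returncode < 0:
        raise ValueError(f"PKCS7 parser crashed with signal {-proc.returncode}")
    if proc.returncode != 0:
        err = proc.stderr.decode(errors="replace").strip().splitlines()
        raise ValueError(err[-1] if err else "PKCS7 parse failed")
    return int(proc.stdout)
```

Check `pkcs7_loader_is_vulnerable(cryptography.__version__)` at startup and, while it is true, route untrusted blobs (for instance a constructed `b"-----BEGIN PKCS7-----..."` upload) through `count_pkcs7_certificates_isolated` instead of calling the loaders directly.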
Description
TEJ RATHI
2023-12-20 07:26:15 UTC
Created python-cryptography tracking bugs for this issue:
Affects: fedora-all [bug 2255351]
Affects: openstack-rdo [bug 2255352]

Created python3-cryptography tracking bugs for this issue:
Affects: epel-all [bug 2255353]

FEDORA-2024-91f5df4002 (python-cryptography-41.0.7-1.fc39) has been pushed to the Fedora 39 stable repository. If problem still persists, please make note of it in this bug report.

This issue has been addressed in the following products:
Red Hat Ansible Automation Platform 2.4 for RHEL 9
Red Hat Ansible Automation Platform 2.4 for RHEL 8
Via RHSA-2024:1640 https://access.redhat.com/errata/RHSA-2024:1640

This issue has been addressed in the following products:
RHUI 4 for RHEL 8
Via RHSA-2024:1878 https://access.redhat.com/errata/RHSA-2024:1878

This issue has been addressed in the following products:
Red Hat Enterprise Linux 9
Via RHSA-2024:2337 https://access.redhat.com/errata/RHSA-2024:2337

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2024:3105 https://access.redhat.com/errata/RHSA-2024:3105