Bug 2257028 (CVE-2023-52323)

| Summary: | CVE-2023-52323 pycryptodome: side-channel leakage for OAEP decryption in PyCryptodome and pycryptodomex | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Rohit Keshri <rkeshri> |
| Component: | vulnerability | Assignee: | Product Security <prodsec-ir-bot> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | adudiak, apevec, bbuckingham, bcourt, dalley, davidn, dfreiber, drow, eglynn, ehelms, epacific, jburrell, jcammara, jhardy, jjoyce, jneedle, jobarker, jschluet, jsherril, kshier, kyoshida, lhh, lmadsen, lsvaty, lzap, mabashia, mburns, mgarciac, mhulan, mrunge, nmoumoul, orabin, osapryki, pcreech, pgrist, rchan, rhos-maint, simaishi, smcdonal, stcannon, teagle, tfister, vkumar, yguenane, ytale, zsadeh |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | pycryptodome 3.19.1 | Doc Type: | If docs needed, set a value |
| Doc Text: | A flaw was found in PyCryptodome/pycryptodomex that may allow side-channel leakage when performing OAEP decryption, which could be exploited to carry out a Manger attack. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 2257029, 2257030, 2264203, 2257031, 2257032, 2257033, 2257034, 2257035, 2261628, 2261630, 2261631, 2261632 | | |
| Bug Blocks: | 2257027 | | |
Description

Rohit Keshri, 2024-01-06 06:13:32 UTC

Created 2ping tracking bugs for this issue:

Affects: fedora-all [bug 2257030]

Created pysnmp tracking bugs for this issue:

Affects: openstack-rdo [bug 2257034]

pulp_container, and the dependency pyjwkest, seem to be perfectly compatible with pycryptodome 3.19.1+. Our upstream CI seems to currently use 3.20.0 with no issues. Therefore, we can resolve this issue by simply upgrading the pycryptodome package without needing any other code changes.

Thank you for confirming, Daniel. We have now revised the impact of Satellite to Low and updated the corresponding statement.

This issue has been addressed in the following products:

Red Hat Ansible Automation Platform 2.4 for RHEL 9
Red Hat Ansible Automation Platform 2.4 for RHEL 8

Via RHSA-2024:1057 https://access.redhat.com/errata/RHSA-2024:1057

This issue has been addressed in the following products:

Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2024:1155 https://access.redhat.com/errata/RHSA-2024:1155

This issue has been addressed in the following products:

Red Hat Satellite 6.15 for RHEL 8

Via RHSA-2024:2010 https://access.redhat.com/errata/RHSA-2024:2010

This issue has been addressed in the following products:

Red Hat Enterprise Linux 9

Via RHSA-2024:2132 https://access.redhat.com/errata/RHSA-2024:2132

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2024:2952 https://access.redhat.com/errata/RHSA-2024:2952

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2024:2968 https://access.redhat.com/errata/RHSA-2024:2968