A vulnerability was found in Python-RSA before 4.1: it ignores leading '\0' bytes during decryption of ciphertext. This could conceivably have a security-relevant impact, e.g., by helping an attacker to infer that an application uses Python-RSA, or if the length of accepted ciphertext affects application behavior (such as by causing excessive memory allocation).
References:
https://github.com/sybrenstuvel/python-rsa/issues/146
https://github.com/sybrenstuvel/python-rsa/issues/146#issuecomment-641845667
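The following is an added illustration of the flaw described above, not code from this bug report or from python-rsa itself. It uses a constructed toy RSA key (p=61, q=53, e=17) and textbook RSA without padding, purely to show the mechanism: converting the ciphertext bytes to an integer silently discards leading NUL bytes, so a ciphertext that is longer than the key accepts and decrypts exactly like a correctly sized one. The decrypt_strict wrapper models the kind of mitigation a caller or library can apply, rejecting any ciphertext whose length differs from the key size in bytes; the function names and the DecryptionError class are assumptions for this example, not python-rsa's API.

```python
# Added example (not part of the bug report or of python-rsa).
# Toy key: constructed for demonstration only, far too small to be secure.
P, Q = 61, 53
N = P * Q                      # modulus, 3233 (12 bits -> 2 bytes)
E = 17
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, 2753 (needs Python 3.8+)


class DecryptionError(Exception):
    """Raised when a ciphertext is rejected before or during decryption."""


def byte_size(n: int) -> int:
    """Number of bytes needed to hold the integer n (the key's block size)."""
    return (n.bit_length() + 7) // 8


def encrypt(m: int) -> bytes:
    """Textbook RSA encryption of the integer m, output fixed to the key size."""
    if not 0 <= m < N:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, E, N).to_bytes(byte_size(N), "big")


def decrypt_lenient(ct: bytes) -> int:
    """Lenient decryption, mirroring the pre-4.1 behaviour described in the report.

    int.from_bytes() treats b"\\x00\\x00" + ct and ct as the same integer, so any
    number of leading NUL bytes is silently accepted.  An attacker-supplied
    ciphertext can therefore be arbitrarily long and still decrypt 'successfully'.
    """
    c = int.from_bytes(ct, "big")
    return pow(c, D, N)


def decrypt_strict(ct: bytes) -> int:
    """Hardened decryption: the ciphertext must be exactly one key-size block.

    This is the check that distinguishes a well-formed ciphertext from one that
    has merely been padded with leading zeros; it is an assumption of this
    example, not a claim about python-rsa's exact implementation.
    """
    if len(ct) != byte_size(N):
        raise DecryptionError(
            f"ciphertext is {len(ct)} bytes, expected {byte_size(N)}"
        )
    return decrypt_lenient(ct)


def strict_accepts(ct: bytes) -> bool:
    """Return True if decrypt_strict accepts the ciphertext, False if it rejects it."""
    try:
        decrypt_strict(ct)
    except DecryptionError:
        return False
    return True


if __name__ == "__main__":
    ct = encrypt(65)
    oversized = b"\x00" * 3 + ct   # constructed: same ciphertext with extra NULs
    print("normal ciphertext:  ", ct.hex(), "->", decrypt_lenient(ct))
    print("oversized (lenient):", oversized.hex(), "->", decrypt_lenient(oversized))
    print("oversized (strict): ", "accepted" if strict_accepts(oversized) else "rejected")
```

Run as a script, the lenient path decrypts both the 2-byte ciphertext and the 5-byte one to the same plaintext, while the strict path rejects the 5-byte input before any modular exponentiation takes place. For a real deployment the same length check belongs in front of PKCS#1 unpadding, and a large but otherwise well-formed input is then refused before it is converted to a big integer, which is the memory-allocation concern the report mentions.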
Created python-rsa tracking bugs for this issue:
Affects: epel-all [bug 1848509]
Affects: fedora-all [bug 1848508]
Upstream patch: https://github.com/sybrenstuvel/python-rsa/commit/93af6f2f89a9bf28361e67716c4240e691520f30
Created python-rsa tracking bugs for this issue:
Affects: openstack-rdo [bug 1851171]
External References: https://github.com/sybrenstuvel/python-rsa/issues/146
This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 4.5
Via RHSA-2020:3453 https://access.redhat.com/errata/RHSA-2020:3453
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-13757
This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 3.11
Via RHSA-2020:3541 https://access.redhat.com/errata/RHSA-2020:3541
Statement: In Red Hat OpenStack Platform, because the flaw has a lower impact and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP python-rsa package.