Bug 2214228 - RUSTSEC-2023-0042: ouroboros < 0.16 is unsound
Summary: RUSTSEC-2023-0042: ouroboros < 0.16 is unsound
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: python-cryptography
Version: rawhide
Hardware: Unspecified
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Jeremy Cline
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 2214198
TreeView+ depends on / blocked
 
Reported: 2023-06-12 10:09 UTC by Fabio Valentini
Modified: 2023-08-14 07:21 UTC (History)
3 users (show)

Fixed In Version: python-cryptography-41.0.3-2.fc40
Clone Of:
Environment:
Last Closed: 2023-08-14 07:21:36 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github pyca cryptography pull 8800 0 None Merged Switch from ourborous to self_cell 2023-06-12 12:33:49 UTC
Red Hat Issue Tracker FREEIPA-9994 0 None None None 2023-06-12 10:11:46 UTC

Description Fabio Valentini 2023-06-12 10:09:56 UTC 
c.f. https://rustsec.org/advisories/RUSTSEC-2023-0042.html

The ouroboros crate is affected by soundness issues, which could result in invalid code being generated in future versions of Rust. The upstream project recommends to migrate to the self_cell crate:

https://github.com/joshua-maros/ouroboros/issues/88

Reproducible: Always
Comment 1 Christian Heimes 2023-06-12 12:33:49 UTC 
Upstream PyCA cryptography has switched to self_cell two hours ago. The issue will be fixed with the next upstream release.
Comment 2 Fedora Update System 2023-08-14 05:41:26 UTC 
FEDORA-2023-7ecaae2a18 has been submitted as an update to Fedora 40. https://bodhi.fedoraproject.org/updates/FEDORA-2023-7ecaae2a18
Comment 3 Fedora Update System 2023-08-14 07:21:36 UTC 
FEDORA-2023-7ecaae2a18 has been pushed to the Fedora 40 stable repository.
If problem still persists, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.