Description: The fix for CVE-2020-25659 is not addressing the leakage in the RSA decryption. Because of the API design, the fix is generally not believed to be possible to be fully addressed. The issue can be mitigated by using a cryptographic backend that implements implicit rejection (Marvin workaround). Only applications that use RSA decryption with PKCS#1 v1.5 padding are affected. Implicit rejection in RHEL has shipped in 9.3.0. Will ship in 9.2.eus, 8.6.eus, 8.8.eus, and 8.9.z. No other releases are planned.
References:
https://github.com/pyca/cryptography/issues/9785
https://people.redhat.com/~hkario/marvin/
https://github.com/openssl/openssl/pull/13817
Created python-cryptography tracking bugs for this issue: Affects: openstack-rdo [bug 2254438]
Created python-cryptography tracking bugs for this issue: Affects: fedora-38 [bug 2254465] Affects: fedora-39 [bug 2254466]
python-cryptography on Fedora is not affected by the timing oracle vulnerability, because Fedora's OpenSSL comes with a backport of implicit rejection for RSA PKCS#1 v1.5 encryption. The mitigation prevents timing attacks.
Note: this is mitigated through changes in RHEL-9 openssl since openssl-3.0.7-24.el9 (https://access.redhat.com/errata/RHBA-2023:6627) and in RHEL-8 openssl since openssl-1.1.1k-12.el8_9 (https://access.redhat.com/errata/RHSA-2023:7877)
Actually the "fixed version" is incorrect for Fedora, CentOS, and RHEL. The fix for the CVE is not in python-cryptography but in OpenSSL. The binary packages from upstream PyCA Cryptography are no longer affected by the bug, because they are shipping binaries with OpenSSL 3.2.0. Upstream OpenSSL 3.2.0 comes with a fix for the timing oracle. Fedora, CentOS, and RHEL are not using the binary packages from upstream. We are building against our own copy of OpenSSL. Our OpenSSL packages have a backport of the 3.2.0 mitigation since the middle of last year. See Hubert's comment #7.
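Because the mitigation lives in the OpenSSL that python-cryptography is built against, and distributions backport it without changing the upstream version number, a behavioural check is more reliable than comparing versions. The following is an added example, not code from this bug report, PyCA or Red Hat: `classify` and `random_ciphertexts` are hypothetical helper names, and it assumes the `cryptography` package is installed and that an unmitigated backend reports a PKCS#1 v1.5 padding failure as `ValueError`.

```python
import os


def random_ciphertexts(key_bytes, count):
    """Constructed test inputs: random blobs of modulus length.

    The leading zero byte keeps the value below the modulus. Such a blob
    almost never decrypts to well-formed PKCS#1 v1.5 padding.
    """
    return [b"\x00" + os.urandom(key_bytes - 1) for _ in range(count)]


def classify(decrypt, ciphertexts):
    """Classify a decrypt callable by how it treats malformed padding.

    'explicit-error'     : at least one input raised ValueError, so the
                           backend tells the caller that padding was bad.
    'implicit-rejection' : every input returned bytes (a synthetic
                           message) and none raised.
    'inconclusive'       : no inputs were supplied.
    """
    if not ciphertexts:
        return "inconclusive"
    errors = 0
    for ct in ciphertexts:
        try:
            decrypt(ct)
        except ValueError:
            errors += 1
    return "explicit-error" if errors else "implicit-rejection"


if __name__ == "__main__":
    # Imported here so the helpers above stay importable without the package.
    from cryptography.hazmat.primitives.asymmetric import padding, rsa

    # Throwaway key generated only for this probe.
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    cts = random_ciphertexts(key.key_size // 8, 8)
    result = classify(lambda c: key.decrypt(c, padding.PKCS1v15()), cts)
    print("RSA PKCS#1 v1.5 decryption behaviour:", result)
```

Run it with the same interpreter and environment as the application, since a virtualenv using upstream binary wheels and the system package can link different OpenSSL builds.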