+++ This bug was initially created as a clone of Bug #2250327 +++

More information about this security flaw is available in the following bug:

http://bugzilla.redhat.com/show_bug.cgi?id=2250326

Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.

--- Additional comment from Borja Tarraso on 2023-11-17 18:22:28 UTC ---

Use the following template for the 'fedpkg update' request to submit an update for this issue as it contains the top-level parent bug(s) as well as this tracking bug. This will ensure that all associated bugs get updated when new packages are pushed to stable.

=====

# bugfix, security, enhancement, newpackage (required)
type=security

# low, medium, high, urgent (required)
severity=medium

# testing, stable
request=testing

# Bug numbers: 1234,9876
bugs=2250326,2250327

# Description of your update
notes=Security fix for [PUT CVEs HERE]

# Enable request automation based on the stable/unstable karma thresholds
autokarma=True
stable_karma=3
unstable_karma=-3

# Automatically close bugs when this is marked as stable
close_bugs=True

# Suggest that users restart after update
suggest_reboot=False

======

Additionally, you may opt to use the bodhi web interface to submit updates:

https://bodhi.fedoraproject.org/updates/new

--- Additional comment from Georg Sauthoff on 2023-12-21 12:32:58 UTC ---

Like in Fedora <= 38, a simple fix by update for this issue is blocked by upstream's python cryptography version requirements.

See also https://bugzilla.redhat.com/show_bug.cgi?id=2250331#c3 for details.

--- Additional comment from Carl George 🤠 on 2024-01-23 22:39:51 UTC ---

The upstream commit that fixes this CVE applies cleanly to version 2.13.2 in EPEL 9. I've prepared that as a backport patch in this pull request.

https://src.fedoraproject.org/rpms/python-asyncssh/pull-request/6

The same commit does not apply cleanly to version 2.7.0 in EPEL 8, but we should at least resolve it in EPEL 9.