[SECURITY] [DLA 3331-2] python-cryptography security update

2023-02-2707:39:06

lists.debian.org

python library encryption

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

6.4 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

29.1%

JSON

Debian LTS Advisory DLA-3331-2 [email protected]
https://www.debian.org/lts/security/ Chris Lamb
February 27, 2023 https://wiki.debian.org/LTS

Package : python-cryptography
Version : 2.6.1-3+deb10u4
CVE ID : CVE-2023-23931

It was discovered that there was a regression in the previous fix for
python-cryptography, a Python library offering a number of encryption
and cryptography primitives.

The original issue was that there was a potential memory corrution
vulnerability. However, the change introduced a regression due to
incorrectly backporting upstream's patch to the (older) version in
Debian LTS.

For Debian 10 buster, this problem has been fixed in version
2.6.1-3+deb10u4.

We recommend that you upgrade your python-cryptography packages.

For the detailed security status of python-cryptography please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python-cryptography

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

OSVersionArchitecturePackageVersionFilename
Debian10armhfpython3-cryptography-dbgsym< 2.6.1-3+deb10u4python3-cryptography-dbgsym_2.6.1-3+deb10u4_armhf.deb
Debian10amd64python-cryptography-dbgsym< 2.6.1-3+deb10u4python-cryptography-dbgsym_2.6.1-3+deb10u4_amd64.deb
Debian10i386python3-cryptography-dbgsym< 2.6.1-3+deb10u4python3-cryptography-dbgsym_2.6.1-3+deb10u4_i386.deb
Debian10arm64python-cryptography< 2.6.1-3+deb10u4python-cryptography_2.6.1-3+deb10u4_arm64.deb
Debian10allpython-cryptography-doc< 2.6.1-3+deb10u4python-cryptography-doc_2.6.1-3+deb10u4_all.deb
Debian10arm64python3-cryptography-dbgsym< 2.6.1-3+deb10u4python3-cryptography-dbgsym_2.6.1-3+deb10u4_arm64.deb
Debian10allpython-cryptography< 2.6.1-3+deb10u4python-cryptography_2.6.1-3+deb10u4_all.deb
Debian10armhfpython3-cryptography< 2.6.1-3+deb10u4python3-cryptography_2.6.1-3+deb10u4_armhf.deb
Debian10amd64python-cryptography< 2.6.1-3+deb10u4python-cryptography_2.6.1-3+deb10u4_amd64.deb
Debian10armhfpython-cryptography-dbgsym< 2.6.1-3+deb10u4python-cryptography-dbgsym_2.6.1-3+deb10u4_armhf.deb

OS	Version	Architecture	Package	Version	Filename
Debian	10	armhf	python3-cryptography-dbgsym	< 2.6.1-3+deb10u4	python3-cryptography-dbgsym_2.6.1-3+deb10u4_armhf.deb
Debian	10	amd64	python-cryptography-dbgsym	< 2.6.1-3+deb10u4	python-cryptography-dbgsym_2.6.1-3+deb10u4_amd64.deb
Debian	10	i386	python3-cryptography-dbgsym	< 2.6.1-3+deb10u4	python3-cryptography-dbgsym_2.6.1-3+deb10u4_i386.deb
Debian	10	arm64	python-cryptography	< 2.6.1-3+deb10u4	python-cryptography_2.6.1-3+deb10u4_arm64.deb
Debian	10	all	python-cryptography-doc	< 2.6.1-3+deb10u4	python-cryptography-doc_2.6.1-3+deb10u4_all.deb
Debian	10	arm64	python3-cryptography-dbgsym	< 2.6.1-3+deb10u4	python3-cryptography-dbgsym_2.6.1-3+deb10u4_arm64.deb
Debian	10	all	python-cryptography	< 2.6.1-3+deb10u4	python-cryptography_2.6.1-3+deb10u4_all.deb
Debian	10	armhf	python3-cryptography	< 2.6.1-3+deb10u4	python3-cryptography_2.6.1-3+deb10u4_armhf.deb
Debian	10	amd64	python-cryptography	< 2.6.1-3+deb10u4	python-cryptography_2.6.1-3+deb10u4_amd64.deb
Debian	10	armhf	python-cryptography-dbgsym	< 2.6.1-3+deb10u4	python-cryptography-dbgsym_2.6.1-3+deb10u4_armhf.deb