USN-6673-1: python-cryptography vulnerabilities

Severity

Unknown

Vendor

Canonical Ubuntu

Description

Hubert Kario discovered that python-cryptography incorrectly handled errors returned by the OpenSSL API when processing incorrect padding in RSA PKCS#1 v1.5. A remote attacker could possibly use this issue to expose confidential or sensitive information. (CVE-2023-50782) It was discovered that python-cryptography incorrectly handled memory operations when processing mismatched PKCS#12 keys. A remote attacker could possibly use this issue to cause python-cryptography to crash, leading to a denial of service. This issue only affected Ubuntu 23.10. (CVE-2024-26130) Update Instructions: Run `sudo pro fix USN-6673-1` to fix the vulnerability. The problem can be corrected by updating your system to the following package versions: python3-cryptography – 2.1.4-1ubuntu1.4+esm1 python-cryptography – 2.1.4-1ubuntu1.4+esm1 python-cryptography-doc – 2.1.4-1ubuntu1.4+esm1 Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro

Affected Cloud Foundry Products and Versions

Severity is unknown unless otherwise noted.

• Jammy Stemcells
  • 1.x versions prior to 1.404
  • All other stemcells not listed.
• CF Deployment
  • All versions with Jammy Stemcells prior to 1.404

Mitigation

Users of affected products are strongly encouraged to follow the mitigations below.

The Cloud Foundry project recommends upgrading the following releases:

• Jammy Stemcells
  • Upgrade 1.x versions to 1.404 or greater
  • All other stemcells should be upgraded to the latest version available on bosh.io.
• CF Deployment
  • For all versions, upgrade Jammy Stemcells to 1.404 or greater

History

2024-04-04: Initial vulnerability report published.