Your message dated Sat, 19 Oct 2024 20:35:40 +0000
with message-id <[email protected]>
and subject line Bug#1064778: fixed in python-cryptography 38.0.4-3+deb12u1
has caused the Debian Bug report #1064778,
regarding python-cryptography: CVE-2024-26130
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1064778: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064778
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: python-cryptography
Version: 41.0.7-3
Severity: important
Tags: security upstream
Forwarded: https://github.com/pyca/cryptography/pull/10423
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for python-cryptography.
CVE-2024-26130[0]:
| cryptography is a package designed to expose cryptographic
| primitives and recipes to Python developers. Starting in version
| 38.0.0 and prior to version 42.0.4, if
| `pkcs12.serialize_key_and_certificates` is called with both a
| certificate whose public key did not match the provided private key
| and an `encryption_algorithm` with `hmac_hash` set (via
| `PrivateFormat.PKCS12.encryption_builder().hmac_hash(...)`), then a
| NULL pointer dereference would occur, crashing the Python process.
| This has been resolved in version 42.0.4, the first version in which
| a `ValueError` is properly raised.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-26130
https://www.cve.org/CVERecord?id=CVE-2024-26130
[1] https://github.com/pyca/cryptography/pull/10423
[2] https://github.com/pyca/cryptography/security/advisories/GHSA-6vqw-3v5j-54x4
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: python-cryptography
Source-Version: 38.0.4-3+deb12u1
Done: Adrian Bunk <[email protected]>
We believe that the bug you reported is fixed in the latest version of
python-cryptography, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Adrian Bunk <[email protected]> (supplier of updated python-cryptography package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 16 Oct 2024 19:53:04 +0300
Source: python-cryptography
Architecture: source
Version: 38.0.4-3+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: Tristan Seligmann <[email protected]>
Changed-By: Adrian Bunk <[email protected]>
Closes: 1057108 1064778
Changes:
python-cryptography (38.0.4-3+deb12u1) bookworm; urgency=medium
.
* Non-maintainer upload.
* CVE-2023-49083: NULL dereference when loading PKCS7 certificates
(Closes: #1057108)
* CVE-2024-26130: NULL dereference when PKCS#12 key and cert don't match
(Closes: #1064778)
--- End Message ---