Your message dated Sat, 14 Feb 2026 20:41:28 +0100
with message-id <[email protected]>
and subject line Re: Accepted python-cryptography 46.0.5-1 (source) into unstable
has caused the Debian Bug report #1127926,
regarding python-cryptography: CVE-2026-26007
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1127926: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127926
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: python-cryptography
Version: 46.0.1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for python-cryptography.
CVE-2026-26007[0]:
| cryptography is a package designed to expose cryptographic
| primitives and recipes to Python developers. Prior to 46.0.5, the
| public_key_from_numbers (or
| EllipticCurvePublicNumbers.public_key()),
| EllipticCurvePublicNumbers.public_key(), load_der_public_key() and
| load_pem_public_key() functions do not verify that the point belongs
| to the expected prime-order subgroup of the curve. This missing
| validation allows an attacker to provide a public key point P from a
| small-order subgroup. This can lead to security issues in various
| situations, such as the most commonly used signature verification
| (ECDSA) and shared key negotiation (ECDH). When the victim computes
| the shared secret as S = [victim_private_key]P via ECDH, this leaks
| information about victim_private_key mod (small_subgroup_order). For
| curves with cofactor > 1, this reveals the least significant bits of
| the private key. When these weak public keys are used in ECDSA,
| it's easy to forge signatures on the small subgroup. Only SECT
| curves are impacted by this. This vulnerability is fixed in 46.0.5.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-26007
https://www.cve.org/CVERecord?id=CVE-2026-26007
[1] https://github.com/pyca/cryptography/security/advisories/GHSA-r6ph-v2qm-q3c2
[2] https://github.com/pyca/cryptography/commit/0eebb9dbb6343d9bc1d91e5a2482ed4e054a6d8c
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
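The attack described in the advisory above, worked through on a toy curve as an added illustration (this is example code written for this page; it is not code from the pyca/cryptography project or from the thread). The curve y^2 = x^3 + x over F_43 is a prime-field curve chosen here because its group has order 44 = 4 * 11, so it has a prime-order subgroup of order n = 11 and a cofactor of 4, with points of order 2 and 4 outside the subgroup. The advisory concerns binary SECT curves, but the missing step is the same on either field: full public-key validation has to confirm that the point is on the curve, is not the point at infinity, and satisfies [n]P = O. Without the last check a victim who computes S = [d]P on an attacker-supplied order-4 point gives away d mod 4, the two least significant bits of d. The curve parameters, the point arithmetic and the victim's private key 7 are all constructed for the example.

```python
# Toy prime-field curve y^2 = x^3 + A*x + B over F_P_MOD with cofactor 4.
# Constructed for illustration only; not the pyca/cryptography implementation.
P_MOD = 43
A, B = 1, 0
INF = None  # point at infinity

# For p = 3 (mod 4) this curve is supersingular, so #E(F_p) = p + 1 = 44 = 4 * 11.
N_ORDER = 11  # order of the prime-order subgroup a real key lives in


def on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P_MOD == 0


def add(p1, p2):
    """Affine point addition with the usual special cases."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF  # P + (-P), also covers doubling a 2-torsion point
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def mul(k, pt):
    """Double-and-add scalar multiplication; mul(0, pt) is INF."""
    result, addend = INF, pt
    while k:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result


def all_points():
    """Brute-force enumeration; only feasible because p is tiny."""
    pts = [INF]
    for x in range(P_MOD):
        for y in range(P_MOD):
            if on_curve((x, y)):
                pts.append((x, y))
    return pts


def point_order(pt):
    k, acc = 1, pt
    while acc is not INF:
        acc = add(acc, pt)
        k += 1
    return k


def find_point_of_order(k):
    for pt in all_points():
        if pt is not INF and point_order(pt) == k:
            return pt
    raise ValueError("no point of order %d" % k)


COFACTOR = len(all_points()) // N_ORDER  # 44 // 11 = 4


def validate_public_key(pt):
    """Full validation: on curve, not infinity, and in the prime-order subgroup.
    The final [n]P == O step is the one the advisory says was missing."""
    if pt is INF or not on_curve(pt):
        return False
    return mul(N_ORDER, pt) is INF


def ecdh_shared(priv, peer_pub):
    return mul(priv, peer_pub)


def recover_priv_mod_order(shared, small_pt, order):
    """Attacker side: S = [d]small_pt only depends on d mod order, so brute-force it."""
    for r in range(order):
        if mul(r, small_pt) == shared:
            return r
    raise ValueError("shared secret is not a multiple of the small-order point")


def demo(priv=7):
    """Victim with private key `priv` (constructed) talks to an honest peer and to an attacker."""
    gen = find_point_of_order(N_ORDER)
    small = find_point_of_order(COFACTOR)       # attacker's crafted public key
    honest_pub = mul(priv, gen)
    # A victim without the subgroup check computes the ECDH secret on the small point.
    leaked = recover_priv_mod_order(ecdh_shared(priv, small), small, COFACTOR)
    return {
        "honest_valid": validate_public_key(honest_pub),
        "small_valid": validate_public_key(small),
        "leaked": leaked,                  # what the attacker learns: priv mod 4
        "priv_mod_h": priv % COFACTOR,
    }


if __name__ == "__main__":
    print(demo())
```

On a cofactor-1 curve every non-infinity point on the curve already has order n, so the on-curve check implies [n]P = O and nothing is leaked; that is why only the SECT curves (cofactor 2 or 4) are affected. The three-step check in validate_public_key is the full public-key validation of SEC 1 section 3.2.2.1 and NIST SP 800-56A rev. 3 section 5.6.2.3.3, which is what a loader such as load_pem_public_key() is expected to perform before a key is used for ECDH or ECDSA.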
--- Begin Message ---
Source: python-cryptography
Source-Version: 46.0.5-1
Hi Andrey,
Thanks for the upload, closing as well the BTS bug with that version.
On Sat, Feb 14, 2026 at 02:20:13PM +0000, Debian FTP Masters wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Format: 1.8
> Date: Sat, 14 Feb 2026 18:51:07 +0500
> Source: python-cryptography
> Architecture: source
> Version: 46.0.5-1
> Distribution: unstable
> Urgency: medium
> Maintainer: Debian Python Team <[email protected]>
> Changed-By: Andrey Rakhmatullin <[email protected]>
> Changes:
> python-cryptography (46.0.5-1) unstable; urgency=medium
> .
> * New upstream version.
> + Fix CVE-2026-26007.
> * Bump Standards-Version to 4.7.3.
> Checksums-Sha1:
> 8415a3509e7da2878e700abced15a19db27a1d12 3320 python-cryptography_46.0.5-1.dsc
> 9fc177e18310f3bce678b822afb569be24952ff3 750064 python-cryptography_46.0.5.orig.tar.gz
> 81095a918fb95855d8fc0a9003be208a20b3759b 14776 python-cryptography_46.0.5-1.debian.tar.xz
> e06367b60f02c78c7974eda25d21b45eec5a3975 28354 python-cryptography_46.0.5-1_amd64.buildinfo
> Checksums-Sha256:
> df9a1157183b8640690cbff709cb0f717ef80729c671136935d2810fc42c6a51 3320 python-cryptography_46.0.5-1.dsc
> abace499247268e3757271b2f1e244b36b06f8515cf27c4d49468fc9eb16e93d 750064 python-cryptography_46.0.5.orig.tar.gz
> 7ad672580b682ec4baa292bc6f3027e97bddeb5aa2f9d978703415a1526dc5eb 14776 python-cryptography_46.0.5-1.debian.tar.xz
> 757184fc1f8cec5bbb65686f7dfe7692c8da76cd45602126f5ae30424d44e87f 28354 python-cryptography_46.0.5-1_amd64.buildinfo
> Files:
> 6a068c0abfc07b31d0edbde84398ac43 3320 python optional python-cryptography_46.0.5-1.dsc
> 6868a503d9a78b7d59a4858a17b338a0 750064 python optional python-cryptography_46.0.5.orig.tar.gz
> cfdc839f6d33d2b54b59be687556702b 14776 python optional python-cryptography_46.0.5-1.debian.tar.xz
> c1b20fa8133e25a4e859e36387c84733 28354 python optional python-cryptography_46.0.5-1_amd64.buildinfo
>
> -----BEGIN PGP SIGNATURE-----
>
> iQIzBAEBCgAdFiEEtf6ieDcfC1EgtGkao+OWn23e7IYFAmmQfq4ACgkQo+OWn23e
> 7IYldxAA0J0uW8KjZwzQdDE5nnp2Zo45fpw6ikilhWXnkMRROLsp5SqFeugbEzr8
> onsfVzq7IRbvPU3GEz/PRJPJXQB2U8DQXNhOulhm2sDcr6HjdOXCF5tGN01+O/t4
> cEYX6c9VhhXeLerpYra2u87S0Agr1D3LoKey0mn775/Flsy4tjMSfnibiLQB6R3w
> bIShUS8D0j9/ntSla3BIFtd1qjmi6FZMC6LlKW1tNM6aTFeDqrCbrJJIX8t7E99T
> GdvAWG4JZ3vgEu194jEvs24Acy04GrqK4cV8DDacLbBXfInECSv4uIFWCM2WgH2f
> K3V3ISeQtRZOFqUeZaH5ryM6ML8W/CgzjKkYNy3IYCO8rQRe5562miD0GkBZJWeb
> pBz4n1RZd+8midORi608oD0OIhrw04g0twSg+fJsIiIJvLnshqt3PTsC88abkIuI
> RCQ8vTbkYlpCVWFmKZaYJLABRrxbCAbrMGsiLUQ+izbZD5d8Tuo+UvxCOVzZpZwU
> vaP+XqfTl4nCoVP6UDotE0sm0XQW6XVfILglJ3tyZf04JuXAXYlVbTBmu8935u/n
> p5DqHhWS4d/8dhj1+74jPdZVaG/G9zkczP/zZgc44HwcGvnbTtgRy8JWxHmm0RJl
> Rr9WCMiK1Wver0piEIY2/CTyOpkD8tcLTPZ5g6yH7al3AIajYmY=
> =1Hl+
> -----END PGP SIGNATURE-----
--- End Message ---