Your message dated Sat, 07 Mar 2026 21:17:08 +0000
with message-id <[email protected]>
and subject line Bug#1127926: fixed in python-cryptography 43.0.0-3+deb13u1
has caused the Debian Bug report #1127926,
regarding python-cryptography: CVE-2026-26007
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1127926: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127926
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: python-cryptography
Version: 46.0.1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for python-cryptography.

CVE-2026-26007[0]:
| cryptography is a package designed to expose cryptographic
| primitives and recipes to Python developers. Prior to 46.0.5, the
| public_key_from_numbers (or
| EllipticCurvePublicNumbers.public_key()),
| EllipticCurvePublicNumbers.public_key(), load_der_public_key() and
| load_pem_public_key() functions do not verify that the point belongs
| to the expected prime-order subgroup of the curve. This missing
| validation allows an attacker to provide a public key point P from a
| small-order subgroup. This can lead to security issues in various
| situations, such as the most commonly used signature verification
| (ECDSA) and shared key negotiation (ECDH). When the victim computes
| the shared secret as S = [victim_private_key]P via ECDH, this leaks
| information about victim_private_key mod (small_subgroup_order). For
| curves with cofactor > 1, this reveals the least significant bits of
| the private key. When these weak public keys are used in ECDSA,
| it's easy to forge signatures on the small subgroup. Only SECT
| curves are impacted by this. This vulnerability is fixed in 46.0.5.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-26007
    https://www.cve.org/CVERecord?id=CVE-2026-26007
[1] https://github.com/pyca/cryptography/security/advisories/GHSA-r6ph-v2qm-q3c2
[2] https://github.com/pyca/cryptography/commit/0eebb9dbb6343d9bc1d91e5a2482ed4e054a6d8c

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
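The missing check described in the advisory above, as an added Python example that is not code from the cryptography project or the advisory: a constructed toy curve over F_23 with cofactor 4 stands in for a SECT curve, and a point of order 2 passes the on-curve test (all that the vulnerable versions did) but fails the prime-order subgroup test that the fix adds; `ecdh_shared_secret` shows why an unvalidated small-order peer point leaks the private key modulo that small order.

```python
# Constructed toy curve y^2 = x^3 + x + 1 over F_23: 28 points = cofactor 4 times
# prime order 7, so small-order points exist as they do on cofactor > 1 curves.
# Not a real SECT curve; the validation logic is the same.
P_MOD, A, B = 23, 1, 1
N, H = 7, 4            # prime subgroup order and cofactor, N * H = 28
G = (13, 16)           # generator of the order-7 subgroup (equals 4 * (0, 1))
O = None               # point at infinity

def is_on_curve(pt):
    """What the vulnerable versions checked: the curve equation only."""
    if pt is O:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P_MOD == 0

def add(p, q):
    """Affine point addition covering identity, inverse and doubling."""
    if p is O or q is O:
        return q if p is O else p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return O                    # q == -p, includes doubling a y == 0 point
    if p == q:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = O
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def validate_public_key(pt):
    """Fixed behaviour: on the curve AND N * pt == O, i.e. pt lies in the
    prime-order subgroup; rejects the identity and every small-order point."""
    return pt is not O and is_on_curve(pt) and mul(N, pt) is O

def ecdh_shared_secret(priv, peer_pub, validate=True):
    """Victim side of ECDH. With validate=False, a small-order peer point
    makes the result depend only on priv mod (order of peer_pub)."""
    if validate and not validate_public_key(peer_pub):
        raise ValueError("peer public key is not in the prime-order subgroup")
    return mul(priv, peer_pub)
```

The order-2 point `(4, 0)` satisfies the curve equation, so `is_on_curve` accepts it while `validate_public_key` rejects it; with validation disabled the ECDH result for that point is either `O` or `(4, 0)`, revealing only the parity of the private scalar.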
--- Begin Message ---
Source: python-cryptography
Source-Version: 43.0.0-3+deb13u1
Done: Arnaud Rebillout <[email protected]>

We believe that the bug you reported is fixed in the latest version of
python-cryptography, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Arnaud Rebillout <[email protected]> (supplier of updated python-cryptography package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Wed, 04 Mar 2026 14:17:04 +0700
Source: python-cryptography
Architecture: source
Version: 43.0.0-3+deb13u1
Distribution: trixie
Urgency: medium
Maintainer: Debian Python Team <[email protected]>
Changed-By: Arnaud Rebillout <[email protected]>
Closes: 1127926
Changes:
 python-cryptography (43.0.0-3+deb13u1) trixie; urgency=medium
 .
   * Non-maintainer upload.
   * CVE-2026-26007: Missing validation in EC public key creation.
     (Closes: #1127926)



--- End Message ---
