Source: python-cryptography Version: 38.0.4-2 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org> Control: found -1 3.3.2-1
Hi, The following vulnerability was published for python-cryptography. CVE-2023-23931[0]: | cryptography is a package designed to expose cryptographic primitives | and recipes to Python developers. In affected versions | `Cipher.update_into` would accept Python objects which implement the | buffer protocol, but provide only immutable buffers. This would allow | immutable objects (such as `bytes`) to be mutated, thus violating | fundamental rules of Python and resulting in corrupted output. This | now correctly raises an exception. This issue has been present since | `update_into` was originally introduced in cryptography 1.8. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2023-23931 https://www.cve.org/CVERecord?id=CVE-2023-23931 [1] https://github.com/pyca/cryptography/security/advisories/GHSA-w7pp-m8wf-vj6r [2] https://github.com/pyca/cryptography/commit/9fbf84efc861668755ab645530ec7be9cf3c6696 Please adjust the affected versions in the BTS as needed. Regards, Salvatore
