Hi Arnaud, On Wed, Mar 04, 2026 at 10:53:30AM +0700, Arnaud Rebillout wrote: > On Sat, 14 Feb 2026 13:50:47 +0100 Salvatore Bonaccorso <[email protected]> > wrote: > > The following vulnerability was published for python-cryptography. > > > > CVE-2026-26007 > > Salvatore: I understand that this CVE also needs to be fixed for trixie and > bookworm, am I correct? > > Andrey: Is it Ok with you if I prepare those two uploads? > > I started to work on backporting the fix and it looks good so far. Best,
First of all, thanks for involving the maintainer. First I do not think this warrants a DSA, the issue only affects binary elliptic curves, which according should be rarely used in real-world application. Secondly though be aware tht the implementation switched to Rust in 42.0.0, do so backports to older series needs to be done back in the python code. Regards, Salvatore
