Bugzilla – Bug 1217592
VUL-0: CVE-2023-49083: python-cryptography,python3-cryptography: NULL pointer dereference when loading certificates from a PKCS#7 bundle
Last modified: 2024-07-19 12:42:37 UTC
CVE-2023-49083: A null-pointer dereference and segfault could occur when loading certificates from a PKCS#7 bundle.
References: https://cryptography.io/en/latest/changelog/#v41-0-6
This is an autogenerated message for OBS integration: This bug (1217592) was mentioned in https://build.opensuse.org/request/show/1129560 Factory / python-cryptography
I have as affected these channels (everything less than 41.0.6):
ALP:Source:Standard:1.0 SUBMITTED
SLE-12-SP2:Update
SLE-12-SP3:Update:Products:Cloud8:Update
SLE-12-SP4:Update:Products:Cloud9:Update
SLE-15-SP1:Update
SLE-15-SP2:Update
SLE-15-SP4:Update
openSUSE:Factory SUBMITTED
(In reply to Matej Cepl from comment #3)
> I have as affected these channels (everything less than 41.0.6):
>
> ALP:Source:Standard:1.0 SUBMITTED
> SLE-12-SP2:Update
> SLE-12-SP3:Update:Products:Cloud8:Update
> SLE-12-SP4:Update:Products:Cloud9:Update
> SLE-15-SP1:Update
> SLE-15-SP2:Update
> SLE-15-SP4:Update
> openSUSE:Factory SUBMITTED

The vulnerability was introduced with the addition of PKCS7 certificate parsing [1], so anything older than 3.1 [2] is not affected. This is the updated list of affected channels:
ALP:Source:Standard:1.0 SUBMITTED
openSUSE:Factory SUBMITTED
SLE-15-SP4:Update (41.0.3) SUBMITTED
SLE-12-SP2:Update (2.8) NOT AFFECTED
SLE-12-SP3:Update:Products:Cloud8:Update (2.0.3) NOT AFFECTED
SLE-12-SP4:Update:Products:Cloud9:Update (2.3.1) NOT AFFECTED
SLE-15-SP1:Update (3.3.2)
SLE-15-SP2:Update (3.3.2)
SLE-15-SP4:Update/python3-cryptography (3.3.2)

[1] https://github.com/pyca/cryptography/commit/c898871daac710f00154cb7041e3876fc66c1ef5
[2] https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst#31---2020-08-26
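The affected range worked out in comment #7 (PKCS7 certificate loading added in 3.1, fix shipped in 41.0.6) as a small stdlib-only triage script. This is an added example, not code from the bug thread or from pyca/cryptography; the channel versions are the ones quoted in the comment and the package name checked via importlib.metadata is assumed to be "cryptography".

```python
# Added example (not from the bug thread): encode the affected range the
# thread derives for CVE-2023-49083 and check versions against it.
from importlib import metadata

INTRODUCED = (3, 1, 0)   # PKCS7 certificate loading first shipped in 3.1
FIXED = (41, 0, 6)       # NULL dereference fixed in 41.0.6


def parse_version(text):
    """Turn '41.0.3' or '3.3.2-150400.23.1' into a comparable 3-tuple."""
    core = text.split("-")[0]          # drop any distro release suffix
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected(version):
    """True when the version has PKCS7 loading but predates the fix."""
    return INTRODUCED <= parse_version(version) < FIXED


def installed_status():
    """Check the interpreter's own cryptography package; None if absent."""
    try:
        return is_affected(metadata.version("cryptography"))
    except metadata.PackageNotFoundError:
        return None


# Channel versions quoted in comment #7, used here as sample input.
CHANNELS = [
    ("SLE-15-SP4:Update", "41.0.3"),
    ("SLE-12-SP2:Update", "2.8"),
    ("SLE-12-SP3:Update:Products:Cloud8:Update", "2.0.3"),
    ("SLE-12-SP4:Update:Products:Cloud9:Update", "2.3.1"),
    ("SLE-15-SP1:Update", "3.3.2"),
    ("SLE-15-SP2:Update", "3.3.2"),
]

if __name__ == "__main__":
    for name, ver in CHANNELS:
        flag = "AFFECTED" if is_affected(ver) else "NOT AFFECTED"
        print(f"{name} ({ver}): {flag}")
    print("installed cryptography affected:", installed_status())
```

The upstream version alone is only reliable for pip-installed packages: the SUSE updates below ship the fix as a backport in python3-cryptography-3.3.2-150400.23.1 without bumping 3.3.2, so for distro packages the release suffix and the SUSE-SU advisory decide, not this range check.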
SUSE-SU-2023:4844-1: An update that solves one vulnerability can now be installed.
Category: security (moderate)
Bug References: 1217592
CVE References: CVE-2023-49083
Sources used:
Public Cloud Module 15-SP1 (src): python-cryptography-3.3.2-150100.7.18.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:4843-1: An update that solves one vulnerability can now be installed.
Category: security (moderate)
Bug References: 1217592
CVE References: CVE-2023-49083
Sources used:
openSUSE Leap 15.4 (src): python3-cryptography-3.3.2-150400.23.1
openSUSE Leap Micro 5.3 (src): python3-cryptography-3.3.2-150400.23.1
openSUSE Leap Micro 5.4 (src): python3-cryptography-3.3.2-150400.23.1
openSUSE Leap 15.5 (src): python3-cryptography-3.3.2-150400.23.1
SUSE Linux Enterprise Micro for Rancher 5.3 (src): python3-cryptography-3.3.2-150400.23.1
SUSE Linux Enterprise Micro 5.3 (src): python3-cryptography-3.3.2-150400.23.1
SUSE Linux Enterprise Micro for Rancher 5.4 (src): python3-cryptography-3.3.2-150400.23.1
SUSE Linux Enterprise Micro 5.4 (src): python3-cryptography-3.3.2-150400.23.1
SUSE Linux Enterprise Micro 5.5 (src): python3-cryptography-3.3.2-150400.23.1
Basesystem Module 15-SP4 (src): python3-cryptography-3.3.2-150400.23.1
Basesystem Module 15-SP5 (src): python3-cryptography-3.3.2-150400.23.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:4842-1: An update that solves one vulnerability can now be installed.
Category: security (moderate)
Bug References: 1217592
CVE References: CVE-2023-49083
Sources used:
openSUSE Leap 15.4 (src): python-cryptography-test-41.0.3-150400.16.12.1, python-cryptography-41.0.3-150400.16.12.1
openSUSE Leap 15.5 (src): python-cryptography-41.0.3-150400.16.12.1
Python 3 Module 15-SP4 (src): python-cryptography-41.0.3-150400.16.12.1
Python 3 Module 15-SP5 (src): python-cryptography-41.0.3-150400.16.12.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:4921-1: An update that solves one vulnerability can now be installed.
Category: security (moderate)
Bug References: 1217592
CVE References: CVE-2023-49083
Sources used:
SUSE Linux Enterprise Micro 5.1 (src): python-cryptography-3.3.2-150200.22.1
SUSE Linux Enterprise Micro 5.2 (src): python-cryptography-3.3.2-150200.22.1
SUSE Linux Enterprise Micro for Rancher 5.2 (src): python-cryptography-3.3.2-150200.22.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2024:2375-1: An update that solves one vulnerability can now be installed.
Category: security (moderate)
Bug References: 1217592
CVE References: CVE-2023-49083
Maintenance Incident: SUSE:Maintenance:31650 (https://smelt.suse.de/incident/31650/)
Sources used:
SUSE Linux Enterprise Micro 5.5 (src): python3-cryptography-3.3.2-150400.23.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.