Bugzilla – Bug 1218043
VUL-0: CVE-2023-50782: python-cryptography: Bleichenbacher timing oracle attack against RSA decryption - incomplete fix
Last modified: 2024-02-23 10:36:25 UTC
Description: The fix for CVE-2020-25659 is not addressing the leakage in the RSA decryption. Because of the API design, the fix is generally not believed to be possible to be fully addressed. The issue can be mitigated by using a cryptographic backed that implements implicit rejection (Marvin workaround). Only applications that use RSA decryption with PKCS#1 v1.5 padding are affected. Implicit rejection in RHEL has shipped in 9.3.0. Will ship in 9.2.eus, 8.6.eus, 8.8.eus, and 8.9.z. No other releases are planned References: https://github.com/pyca/cryptography/issues/9785 https://people.redhat.com/~hkario/marvin/ https://github.com/openssl/openssl/pull/13817 References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-50782
Currently it looks like this is dependend on openssl fixing it , but openssl decided to only fix it in openssl 3. So currently we will not address this in current products.