Source: python-cryptography
Version: 41.0.7-3
Severity: important
Tags: security upstream
Forwarded: https://github.com/pyca/cryptography/pull/10423
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,

The following vulnerability was published for python-cryptography.

CVE-2024-26130[0]:
| cryptography is a package designed to expose cryptographic
| primitives and recipes to Python developers. Starting in version
| 38.0.0 and prior to version 42.0.4, if
| `pkcs12.serialize_key_and_certificates` is called with both a
| certificate whose public key did not match the provided private key
| and an `encryption_algorithm` with `hmac_hash` set (via
| `PrivateFormat.PKCS12.encryption_builder().hmac_hash(...)`, then a
| NULL pointer dereference would occur, crashing the Python process.
| This has been resolved in version 42.0.4, the first version in which
| a `ValueError` is properly raised.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-26130
    https://www.cve.org/CVERecord?id=CVE-2024-26130
[1] https://github.com/pyca/cryptography/pull/10423
[2] https://github.com/pyca/cryptography/security/advisories/GHSA-6vqw-3v5j-54x4

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore