USN-6539-1: python-cryptography vulnerabilities
24798
07 August 2024
23 July 2024
CLOSED
MEDIUM
CVE-2023-23931; CVE-2023-49083
Severity
medium
Vendor
VMware Tanzu
Versions Affected
- Canonical Ubuntu 22.04
It was discovered that the python-cryptography Cipher.update_into function would incorrectly accept objects with immutable buffers. This would result in corrupted output, contrary to expectations. This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, and Ubuntu 23.04. (CVE-2023-23931)

It was discovered that python-cryptography incorrectly handled loading certain PKCS7 certificates. A remote attacker could possibly use this issue to cause python-cryptography to crash, resulting in a denial of service. This issue only affected Ubuntu 22.04 LTS, Ubuntu 23.04, and Ubuntu 23.10. (CVE-2023-49083)

Update Instructions:
Run `sudo pro fix USN-6539-1` to fix the vulnerability. The problem can be corrected by updating your system to the following package versions:
- python3-cryptography - 3.4.8-1ubuntu2.1
- python-cryptography-doc - 3.4.8-1ubuntu2.1
No subscription required.
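As an added check for CVE-2023-23931 (example code written for this page, not taken from the Ubuntu advisory, the Cloud Foundry blog or the pyca/cryptography project): a pure-Python model of the writable-buffer validation a hardened `update_into` has to perform, and a probe that hands the installed library an immutable `bytes` destination and reports whether it is refused. The all-zero AES-CBC key and IV, the buffer sizes and the status strings are constructed for the example, and the exception type a patched library raises for a read-only buffer is an assumption, so the probe catches several types.

```python
"""Added example for CVE-2023-23931: model of the writable-buffer check that a
hardened Cipher.update_into must perform, plus a probe of the installed library.
Not code from the advisory, Ubuntu or pyca/cryptography."""
from typing import Any, Optional


def output_buffer_is_writable(buf: Any) -> bool:
    """True only if `buf` exposes a writable buffer-protocol view.

    bytes and memoryview(bytes) are read-only; a vulnerable update_into wrote
    into them anyway, silently mutating an object Python treats as immutable.
    bytearray, memoryview(bytearray), array.array and mmap are writable."""
    try:
        view = memoryview(buf)
    except TypeError:  # str, int, None ... do not support the buffer protocol
        return False
    return not view.readonly


def reject_reason(data: bytes, buf: Any, block_size_bytes: int = 16) -> Optional[str]:
    """Return why `buf` is unusable as update_into's destination, or None if OK.

    Mirrors the two preconditions a correct implementation enforces: the buffer
    must be writable, and it must have room for len(data) plus one block minus
    one byte, because the cipher may flush previously buffered input."""
    if not output_buffer_is_writable(buf):
        return "destination is not a writable buffer (use bytearray)"
    needed = len(data) + block_size_bytes - 1
    have = memoryview(buf).nbytes
    if have < needed:
        return f"destination too small: need {needed} bytes, have {have}"
    return None


def probe_installed_cryptography() -> str:
    """Ask the installed python-cryptography to write AES-CBC output into a
    `bytes` object.  Returns 'fixed' if it refuses, 'vulnerable' if it writes,
    'unavailable' if the library is not importable."""
    try:
        from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    except ImportError:
        return "unavailable"
    key = b"\x00" * 16  # constructed all-zero key/IV: a probe, never real keys
    iv = b"\x00" * 16
    encryptor = Cipher(algorithms.AES(key), modes.CBC(iv)).encryptor()
    plaintext = b"A" * 16
    immutable_dest = bytes(len(plaintext) + 15)  # large enough, but read-only
    try:
        encryptor.update_into(plaintext, immutable_dest)
    except (TypeError, BufferError, ValueError):
        # Assumption: a patched library surfaces the read-only buffer as one of
        # these; cffi documents that the exact type varies by Python version.
        return "fixed"
    return "vulnerable"


if __name__ == "__main__":
    for candidate in (b"\x00" * 31, bytearray(31), bytearray(8)):
        print(type(candidate).__name__, len(candidate), "->",
              reject_reason(b"A" * 16, candidate))
    print("installed python-cryptography:", probe_installed_cryptography())
```

The probe exists because the fixed Ubuntu package keeps the upstream version string: `cryptography.__version__` reports `3.4.8` before and after the update, and only the Debian revision (`1ubuntu2.1`, visible with `dpkg -l python3-cryptography`) changes. Comparing `__version__` against the upstream fix release therefore misclassifies patched Jammy hosts; either check the package revision or observe the behaviour directly as above.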
Fixed and Unaffected VMware Products and Versions
- CF Deployment
- All unaffected
- Jammy Stemcells
- 1.327 or greater
- Operations Manager
- 3.0.22+LTS-T or greater
- Isolation Segment
- 6.0.x unaffected
- MySQL for VMware Tanzu
- 3.3.x unaffected
- VMware Tanzu Application Service for VMs
- 6.0.x unaffected
- Redis for Pivotal Platform
- 3.4.x unaffected
- VMware Tanzu Kubernetes Grid Integrated Edition
- 1.19.x unaffected
- VMware Tanzu RabbitMQ
- 2.3.x unaffected
References
https://ubuntu.com/security/notices/USN-6539-1
https://www.cloudfoundry.org/blog/usn-6539-1
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23931
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-49083
History
2023-12-06: Initial vulnerability report published.