Name | CVE-2024-26130 |
Description | cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Starting in version 38.0.0 and prior to version 42.0.4, if `pkcs12.serialize_key_and_certificates` is called with both a certificate whose public key did not match the provided private key and an `encryption_algorithm` with `hmac_hash` set (via `PrivateFormat.PKCS12.encryption_builder().hmac_hash(...)`, then a NULL pointer dereference would occur, crashing the Python process. This has been resolved in version 42.0.4, the first version in which a `ValueError` is properly raised. |
Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
Debian Bugs | 1064778 |
The table below lists information on source packages.
Source Package | Release | Version | Status |
---|---|---|---|
python-cryptography (PTS) | buster | 2.6.1-3+deb10u2 | vulnerable |
buster (security) | 2.6.1-3+deb10u4 | vulnerable | |
bullseye | 3.3.2-1 | vulnerable | |
bookworm | 38.0.4-3 | vulnerable | |
bookworm (security) | 38.0.4-3~deb12u1 | vulnerable | |
trixie | 41.0.7-4 | vulnerable | |
sid | 42.0.5-2 | fixed |
The information below is based on the following data on fixed versions.
Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
---|---|---|---|---|---|---|
python-cryptography | source | (unstable) | 42.0.5-1 | 1064778 |
[bookworm] - python-cryptography <no-dsa> (Minor issue)
[bullseye] - python-cryptography <no-dsa> (Minor issue)
[buster] - python-cryptography <no-dsa> (Minor issue)
https://github.com/pyca/cryptography/security/advisories/GHSA-6vqw-3v5j-54x4
https://github.com/pyca/cryptography/pull/10423
Fixed by: https://github.com/pyca/cryptography/commit/97d231672763cdb5959a3b191e692a362f1b9e55 (main)
Fixed by: https://github.com/pyca/cryptography/commit/7a4d012991061974da5d9cb7614de65eac94f49b (42.0.4)