[USN-6539-1] python-cryptography vulnerabilities

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEUMSg3c8x5FLOsZtRZWnYVadEvpMFAmVwp/QACgkQZWnYVadE
vpOEog/8DZGcEnNRnM1zRZLRd+DxxWechOus2q5FmmntKogbEOx7jfnkm1NT7X9W
QrbRkLBnWUIdq4Zz1BCBhbCWExyOZjvj8YniZqHeAM4VQnOSXT+ntFP3Axt12e0c
Swo8nMc5uQohn4/7YnzJGOcP5+etqDbQqF5s4bLsoP6ysc6z9+qy+IkzCB4+tkCY
guPKw9Tcx1nWFfdNCYXkCAO1OwOfRgSfwW1widOz4Ot7l4CAEEbSA3Ozv7/pSQyW
VGB0qSvve4GKQD8FtsqAbigvGFE8YxlUpHZxHZjf/U4N4r5hMsJ2/SbUFCjMd8q8
UMwQ9HHMvxFjuAMoprkMR4H++N3QE5/5Pym7pYn8/d9xPxl8BJCyK1pWrgBQ86BB
pbOpX/xlySErKVE7DS5LFFOc/fxRGM0UURiFfaGfkqmJL2wXfF86od82Lsc9dOC6
qI/c0bfQO6uwShfrC55kgs9NXFxLhTsEWAYlXCgENDx0ZL5HXC901uhR9NTGYsJl
co69aVDZCT27iWYCS59uV3OuVdHA35j9pZxDcbKp6osKihfr9RK0I1+6/Mey6whA
wioj46ZTOLTaMQYFdZgBfisHPgk/TXGh8JdQHdlwfMOF0j6zXX5y+f3I330CRX5n
QtD2RbsIjUD0495pml3RzzlbmxFt7jHLF5qyrtstNO6rDO2CbmY=
=IiAc
-----END PGP SIGNATURE-----
==========================================================================
Ubuntu Security Notice USN-6539-1
December 06, 2023

python-cryptography vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10
- Ubuntu 23.04
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in python-cryptography.

Software Description:
- python-cryptography: Cryptography Python library

Details:

It was discovered that the python-cryptography Cipher.update_into function
would incorrectly accept objects with immutable buffers. This would result
in corrupted output, contrary to expectations. This issue only affected
Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, and Ubuntu 23.04. (CVE-2023-23931)

It was dicovered that python-cryptography incorrectly handled loading
certain PKCS7 certificates. A remote attacker could possibly use this
issue to cause python-cryptography to crash, resulting in a denial of
service. This issue only affected Ubuntu 22.04 LTS, Ubuntu 23.04, and
Ubuntu 23.10. (CVE-2023-49083)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 23.10:
python3-cryptography 38.0.4-4ubuntu0.23.10.1

Ubuntu 23.04:
python3-cryptography 38.0.4-2ubuntu0.1

Ubuntu 22.04 LTS:
python3-cryptography 3.4.8-1ubuntu2.1

Ubuntu 20.04 LTS:
python-cryptography 2.8-3ubuntu0.2
python3-cryptography 2.8-3ubuntu0.2

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6539-1
CVE-2023-23931, CVE-2023-49083

Package Information:
https://launchpad.net/ubuntu/+source/python-cryptography/38.0.4-4ubuntu0.23.10.1
https://launchpad.net/ubuntu/+source/python-cryptography/38.0.4-2ubuntu0.1
https://launchpad.net/ubuntu/+source/python-cryptography/3.4.8-1ubuntu2.1
https://launchpad.net/ubuntu/+source/python-cryptography/2.8-3ubuntu0.2