python-cryptography: CVE-2020-25659: Bleichenbacher timing oracle attack against RSA decryption

Related Vulnerabilities: CVE-2020-25659  

Debian Bug report logs - #973247


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 27 Oct 2020 20:03:01 UTC

Severity: important

Tags: security, upstream

Found in versions python-cryptography/2.6.1-3, python-cryptography/2.6.1-3+deb10u2, python-cryptography/3.1-1

Fixed in version python-cryptography/3.2.1-1

Done: Tristan Seligmann <mithrandi@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Tristan Seligmann <mithrandi@debian.org>:
Bug#973247; Package src:python-cryptography. (Tue, 27 Oct 2020 20:03:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Tristan Seligmann <mithrandi@debian.org>. (Tue, 27 Oct 2020 20:03:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: python-cryptography: CVE-2020-25659: Bleichenbacher timing oracle attack against RSA decryption
Date: Tue, 27 Oct 2020 21:01:38 +0100
Source: python-cryptography
Version: 3.1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: found -1 2.6.1-3+deb10u2
Control: found -1 2.6.1-3

Hi,

The following vulnerability was published for python-cryptography.

CVE-2020-25659[0]:
| bleichenbacher timing oracle attack against RSA decryption

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-25659
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25659
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1889988
[2] https://github.com/pyca/cryptography/commit/58494b41d6ecb0f56b7c5f05d5f5e3ca0320d494
[3] https://github.com/pyca/cryptography/security/advisories/GHSA-hggm-jpg3-v476

Regards,
Salvatore



Marked as found in versions python-cryptography/2.6.1-3+deb10u2. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Tue, 27 Oct 2020 20:03:03 GMT)


Marked as found in versions python-cryptography/2.6.1-3. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Tue, 27 Oct 2020 20:03:04 GMT)


Reply sent to Tristan Seligmann <mithrandi@debian.org>:
You have taken responsibility. (Sun, 01 Nov 2020 13:51:08 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 01 Nov 2020 13:51:08 GMT)


Message #14 received at 973247-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 973247-close@bugs.debian.org
Subject: Bug#973247: fixed in python-cryptography 3.2.1-1
Date: Sun, 01 Nov 2020 13:49:11 +0000
Source: python-cryptography
Source-Version: 3.2.1-1
Done: Tristan Seligmann <mithrandi@debian.org>

We believe that the bug you reported is fixed in the latest version of
python-cryptography, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 973247@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Tristan Seligmann <mithrandi@debian.org> (supplier of updated python-cryptography package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sun, 01 Nov 2020 15:22:43 +0200
Source: python-cryptography
Architecture: source
Version: 3.2.1-1
Distribution: unstable
Urgency: medium
Maintainer: Tristan Seligmann <mithrandi@debian.org>
Changed-By: Tristan Seligmann <mithrandi@debian.org>
Closes: 973247
Changes:
 python-cryptography (3.2.1-1) unstable; urgency=medium
 .
   [ Ondřej Nový ]
   * d/control: Update Vcs-* fields with new Debian Python Team Salsa
     layout.
 .
   [ Tristan Seligmann ]
   * New upstream release.
     - Closes: #973247 (CVE-2020-25659)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Nov 16 11:29:38 2020; Machine Name: buxtehude
