Security update for python-cryptography SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2023:2218-1 Final 1 1 2023-05-16T11:13:51Z current 2023-05-16T11:13:51Z 2023-05-16T11:13:51Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for python-cryptography This update for python-cryptography fixes the following issues: - CVE-2023-23931: Fixed memory corruption in Cipher.update_into (bsc#1208036). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2023-2218,SUSE-OpenStack-Cloud-9-2023-2218,SUSE-OpenStack-Cloud-Crowbar-9-2023-2218 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2023/suse-su-20232218-1/ Link for SUSE-SU-2023:2218-1 https://lists.suse.com/pipermail/sle-security-updates/2023-May/014901.html E-Mail link for SUSE-SU-2023:2218-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1208036 SUSE Bug 1208036 https://www.suse.com/security/cve/CVE-2023-23931/ SUSE CVE CVE-2023-23931 page SUSE OpenStack Cloud 9 SUSE OpenStack Cloud Crowbar 9 python-cryptography-2.3.1-3.6.6 python3-cryptography-2.3.1-3.6.6 venv-openstack-barbican-x86_64-7.0.1~dev24-3.41.2 venv-openstack-cinder-x86_64-13.0.10~dev24-3.42.3 venv-openstack-designate-x86_64-7.0.2~dev2-3.39.2 venv-openstack-glance-x86_64-17.0.1~dev30-3.37.2 venv-openstack-heat-x86_64-11.0.4~dev4-3.41.2 venv-openstack-horizon-x86_64-14.1.1~dev11-4.47.2 venv-openstack-ironic-x86_64-11.1.5~dev18-4.37.2 venv-openstack-keystone-x86_64-14.2.1~dev9-3.40.2 venv-openstack-magnum-x86_64-7.2.1~dev1-4.39.3 venv-openstack-manila-x86_64-7.4.2~dev60-3.45.2 venv-openstack-monasca-ceilometer-x86_64-1.8.2~dev3-3.39.2 venv-openstack-monasca-x86_64-2.7.1~dev10-3.41.2 venv-openstack-neutron-x86_64-13.0.8~dev209-6.47.2 venv-openstack-nova-x86_64-18.3.1~dev92-3.47.2 venv-openstack-octavia-x86_64-3.2.3~dev7-4.39.2 venv-openstack-sahara-x86_64-9.0.2~dev15-3.39.2 venv-openstack-swift-x86_64-2.19.2~dev48-2.34.2 python-cryptography-2.3.1-3.6.6 as a component of SUSE OpenStack Cloud 9 venv-openstack-barbican-x86_64-7.0.1~dev24-3.41.2 as a component of SUSE OpenStack Cloud 9 venv-openstack-cinder-x86_64-13.0.10~dev24-3.42.3 as a component of SUSE OpenStack Cloud 9 venv-openstack-designate-x86_64-7.0.2~dev2-3.39.2 as a component of SUSE OpenStack Cloud 9 venv-openstack-glance-x86_64-17.0.1~dev30-3.37.2 as a component of SUSE OpenStack Cloud 9 venv-openstack-heat-x86_64-11.0.4~dev4-3.41.2 as a component of SUSE OpenStack Cloud 9 venv-openstack-horizon-x86_64-14.1.1~dev11-4.47.2 as a component of SUSE OpenStack Cloud 9 venv-openstack-ironic-x86_64-11.1.5~dev18-4.37.2 as a component of SUSE OpenStack Cloud 9 venv-openstack-keystone-x86_64-14.2.1~dev9-3.40.2 as a component of SUSE OpenStack Cloud 9 venv-openstack-magnum-x86_64-7.2.1~dev1-4.39.3 as a component of SUSE OpenStack Cloud 9 venv-openstack-manila-x86_64-7.4.2~dev60-3.45.2 as a component of SUSE OpenStack Cloud 9 venv-openstack-monasca-ceilometer-x86_64-1.8.2~dev3-3.39.2 as a component of SUSE OpenStack Cloud 9 venv-openstack-monasca-x86_64-2.7.1~dev10-3.41.2 as a component of SUSE OpenStack Cloud 9 venv-openstack-neutron-x86_64-13.0.8~dev209-6.47.2 as a component of SUSE OpenStack Cloud 9 venv-openstack-nova-x86_64-18.3.1~dev92-3.47.2 as a component of SUSE OpenStack Cloud 9 venv-openstack-octavia-x86_64-3.2.3~dev7-4.39.2 as a component of SUSE OpenStack Cloud 9 venv-openstack-sahara-x86_64-9.0.2~dev15-3.39.2 as a component of SUSE OpenStack Cloud 9 venv-openstack-swift-x86_64-2.19.2~dev48-2.34.2 as a component of SUSE OpenStack Cloud 9 python-cryptography-2.3.1-3.6.6 as a component of SUSE OpenStack Cloud Crowbar 9 cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. In affected versions `Cipher.update_into` would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects (such as `bytes`) to be mutated, thus violating fundamental rules of Python and resulting in corrupted output. This now correctly raises an exception. This issue has been present since `update_into` was originally introduced in cryptography 1.8. CVE-2023-23931 SUSE OpenStack Cloud 9:python-cryptography-2.3.1-3.6.6 SUSE OpenStack Cloud 9:venv-openstack-barbican-x86_64-7.0.1~dev24-3.41.2 SUSE OpenStack Cloud 9:venv-openstack-cinder-x86_64-13.0.10~dev24-3.42.3 SUSE OpenStack Cloud 9:venv-openstack-designate-x86_64-7.0.2~dev2-3.39.2 SUSE OpenStack Cloud 9:venv-openstack-glance-x86_64-17.0.1~dev30-3.37.2 SUSE OpenStack Cloud 9:venv-openstack-heat-x86_64-11.0.4~dev4-3.41.2 SUSE OpenStack Cloud 9:venv-openstack-horizon-x86_64-14.1.1~dev11-4.47.2 SUSE OpenStack Cloud 9:venv-openstack-ironic-x86_64-11.1.5~dev18-4.37.2 SUSE OpenStack Cloud 9:venv-openstack-keystone-x86_64-14.2.1~dev9-3.40.2 SUSE OpenStack Cloud 9:venv-openstack-magnum-x86_64-7.2.1~dev1-4.39.3 SUSE OpenStack Cloud 9:venv-openstack-manila-x86_64-7.4.2~dev60-3.45.2 SUSE OpenStack Cloud 9:venv-openstack-monasca-ceilometer-x86_64-1.8.2~dev3-3.39.2 SUSE OpenStack Cloud 9:venv-openstack-monasca-x86_64-2.7.1~dev10-3.41.2 SUSE OpenStack Cloud 9:venv-openstack-neutron-x86_64-13.0.8~dev209-6.47.2 SUSE OpenStack Cloud 9:venv-openstack-nova-x86_64-18.3.1~dev92-3.47.2 SUSE OpenStack Cloud 9:venv-openstack-octavia-x86_64-3.2.3~dev7-4.39.2 SUSE OpenStack Cloud 9:venv-openstack-sahara-x86_64-9.0.2~dev15-3.39.2 SUSE OpenStack Cloud 9:venv-openstack-swift-x86_64-2.19.2~dev48-2.34.2 SUSE OpenStack Cloud Crowbar 9:python-cryptography-2.3.1-3.6.6 moderate 4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2023/suse-su-20232218-1/ https://www.suse.com/security/cve/CVE-2023-23931.html CVE-2023-23931 https://bugzilla.suse.com/1208036 SUSE Bug 1208036