VulnerableCode Package Details - pkg:ebuild/dev-python/cryptography@42.0.4

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-48jq-1u5d-tkan	cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Calling `load_pem_pkcs7_certificates` or `load_der_pkcs7_certificates` could lead to a NULL-pointer dereference and segfault. Exploitation of this vulnerability poses a serious risk of Denial of Service (DoS) for any application attempting to deserialize a PKCS7 blob/certificate. The consequences extend to potential disruptions in system availability and stability. This vulnerability has been patched in version 41.0.6.	CVE-2023-49083 GHSA-jfhm-5ghh-2f97 PYSEC-2023-254
VCID-bjpd-6kh8-1bbs	In the cryptography package before 3.3.2 for Python, certain sequences of update calls to symmetrically encrypt multi-GB values could result in an integer overflow and buffer overflow, as demonstrated by the Fernet class.	CVE-2020-36242 GHSA-rhm9-p9w5-fwm7 PYSEC-2021-63
VCID-g772-pn9e-7ufv	cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Starting in version 38.0.0 and prior to version 42.0.4, if `pkcs12.serialize_key_and_certificates` is called with both a certificate whose public key did not match the provided private key and an `encryption_algorithm` with `hmac_hash` set (via `PrivateFormat.PKCS12.encryption_builder().hmac_hash(...)`, then a NULL pointer dereference would occur, crashing the Python process. This has been resolved in version 42.0.4, the first version in which a `ValueError` is properly raised.	CVE-2024-26130 GHSA-6vqw-3v5j-54x4 PYSEC-2024-225
VCID-u4f5-k68d-wfd1	cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. In affected versions `Cipher.update_into` would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects (such as `bytes`) to be mutated, thus violating fundamental rules of Python and resulting in corrupted output. This now correctly raises an exception. This issue has been present since `update_into` was originally introduced in cryptography 1.8.	CVE-2023-23931 GHSA-w7pp-m8wf-vj6r PYSEC-2023-11

Vulnerability

Summary

Aliases

VCID-48jq-1u5d-tkan

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Calling `load_pem_pkcs7_certificates` or `load_der_pkcs7_certificates` could lead to a NULL-pointer dereference and segfault. Exploitation of this vulnerability poses a serious risk of Denial of Service (DoS) for any application attempting to deserialize a PKCS7 blob/certificate. The consequences extend to potential disruptions in system availability and stability. This vulnerability has been patched in version 41.0.6.

CVE-2023-49083
GHSA-jfhm-5ghh-2f97
PYSEC-2023-254

VCID-bjpd-6kh8-1bbs

In the cryptography package before 3.3.2 for Python, certain sequences of update calls to symmetrically encrypt multi-GB values could result in an integer overflow and buffer overflow, as demonstrated by the Fernet class.

CVE-2020-36242
GHSA-rhm9-p9w5-fwm7
PYSEC-2021-63

VCID-g772-pn9e-7ufv

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Starting in version 38.0.0 and prior to version 42.0.4, if `pkcs12.serialize_key_and_certificates` is called with both a certificate whose public key did not match the provided private key and an `encryption_algorithm` with `hmac_hash` set (via `PrivateFormat.PKCS12.encryption_builder().hmac_hash(...)`, then a NULL pointer dereference would occur, crashing the Python process. This has been resolved in version 42.0.4, the first version in which a `ValueError` is properly raised.

CVE-2024-26130
GHSA-6vqw-3v5j-54x4
PYSEC-2024-225

VCID-u4f5-k68d-wfd1

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. In affected versions `Cipher.update_into` would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects (such as `bytes`) to be mutated, thus violating fundamental rules of Python and resulting in corrupted output. This now correctly raises an exception. This issue has been present since `update_into` was originally introduced in cryptography 1.8.

CVE-2023-23931
GHSA-w7pp-m8wf-vj6r
PYSEC-2023-11

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-01T13:01:24.616924+00:00	Gentoo Importer	Fixing	VCID-g772-pn9e-7ufv	https://security.gentoo.org/glsa/202407-06	38.0.0
2026-04-01T13:01:24.607591+00:00	Gentoo Importer	Fixing	VCID-48jq-1u5d-tkan	https://security.gentoo.org/glsa/202407-06	38.0.0
2026-04-01T13:01:24.597899+00:00	Gentoo Importer	Fixing	VCID-u4f5-k68d-wfd1	https://security.gentoo.org/glsa/202407-06	38.0.0
2026-04-01T13:01:24.588867+00:00	Gentoo Importer	Fixing	VCID-bjpd-6kh8-1bbs	https://security.gentoo.org/glsa/202407-06	38.0.0