VulnerableCode Package Details - pkg:deb/debian/python-cryptography@38.0.4-3%2Bdeb12u1

Search for packages

Vulnerability	Summary	Fixed by
VCID-ddhe-4ck9-aaam Aliases: CVE-2023-50782 GHSA-3ww4-gg4f-jr7f	python-cryptography: Bleichenbacher timing oracle attack against RSA decryption - incomplete fix for CVE-2020-25659	43.0.0-1 Affected by 0 other vulnerabilities. 43.0.0-2 Affected by 0 other vulnerabilities. 43.0.0-3 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-ddhe-4ck9-aaam
Aliases:
CVE-2023-50782
GHSA-3ww4-gg4f-jr7f

python-cryptography: Bleichenbacher timing oracle attack against RSA decryption - incomplete fix for CVE-2020-25659

43.0.0-1
Affected by 0 other vulnerabilities.

43.0.0-2
Affected by 0 other vulnerabilities.

43.0.0-3
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-uvg4-qjhy-aaaq	cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Calling `load_pem_pkcs7_certificates` or `load_der_pkcs7_certificates` could lead to a NULL-pointer dereference and segfault. Exploitation of this vulnerability poses a serious risk of Denial of Service (DoS) for any application attempting to deserialize a PKCS7 blob/certificate. The consequences extend to potential disruptions in system availability and stability. This vulnerability has been patched in version 41.0.6.	CVE-2023-49083 GHSA-jfhm-5ghh-2f97 PYSEC-2023-254
VCID-vqz2-zd9g-aaab	cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. In affected versions `Cipher.update_into` would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects (such as `bytes`) to be mutated, thus violating fundamental rules of Python and resulting in corrupted output. This now correctly raises an exception. This issue has been present since `update_into` was originally introduced in cryptography 1.8.	CVE-2023-23931 GHSA-w7pp-m8wf-vj6r PYSEC-0000-CVE-2023-23931 PYSEC-2023-11
VCID-wmwm-snjw-aaam	cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Starting in version 38.0.0 and prior to version 42.0.4, if `pkcs12.serialize_key_and_certificates` is called with both a certificate whose public key did not match the provided private key and an `encryption_algorithm` with `hmac_hash` set (via `PrivateFormat.PKCS12.encryption_builder().hmac_hash(...)`, then a NULL pointer dereference would occur, crashing the Python process. This has been resolved in version 42.0.4, the first version in which a `ValueError` is properly raised.	CGA-f4qg-9fw4-8247 CVE-2024-26130 GHSA-6vqw-3v5j-54x4 PYSEC-2024-225

Vulnerability

Summary

Aliases

VCID-uvg4-qjhy-aaaq

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Calling `load_pem_pkcs7_certificates` or `load_der_pkcs7_certificates` could lead to a NULL-pointer dereference and segfault. Exploitation of this vulnerability poses a serious risk of Denial of Service (DoS) for any application attempting to deserialize a PKCS7 blob/certificate. The consequences extend to potential disruptions in system availability and stability. This vulnerability has been patched in version 41.0.6.

CVE-2023-49083
GHSA-jfhm-5ghh-2f97
PYSEC-2023-254

VCID-vqz2-zd9g-aaab

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. In affected versions `Cipher.update_into` would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects (such as `bytes`) to be mutated, thus violating fundamental rules of Python and resulting in corrupted output. This now correctly raises an exception. This issue has been present since `update_into` was originally introduced in cryptography 1.8.

CVE-2023-23931
GHSA-w7pp-m8wf-vj6r
PYSEC-0000-CVE-2023-23931
PYSEC-2023-11

VCID-wmwm-snjw-aaam

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Starting in version 38.0.0 and prior to version 42.0.4, if `pkcs12.serialize_key_and_certificates` is called with both a certificate whose public key did not match the provided private key and an `encryption_algorithm` with `hmac_hash` set (via `PrivateFormat.PKCS12.encryption_builder().hmac_hash(...)`, then a NULL pointer dereference would occur, crashing the Python process. This has been resolved in version 42.0.4, the first version in which a `ValueError` is properly raised.

CGA-f4qg-9fw4-8247
CVE-2024-26130
GHSA-6vqw-3v5j-54x4
PYSEC-2024-225

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-06-21T23:59:04.292703+00:00	Debian Importer	Fixing	VCID-uvg4-qjhy-aaaq	https://security-tracker.debian.org/tracker/data/json	36.1.3
2025-06-21T17:53:04.130152+00:00	Debian Importer	Fixing	VCID-wmwm-snjw-aaam	https://security-tracker.debian.org/tracker/data/json	36.1.3
2025-06-21T04:25:49.248803+00:00	Debian Importer	Affected by	VCID-ddhe-4ck9-aaam	https://security-tracker.debian.org/tracker/data/json	36.1.3
2025-06-20T23:33:59.002335+00:00	Debian Importer	Fixing	VCID-vqz2-zd9g-aaab	None	36.1.3
2025-06-20T22:45:58.911882+00:00	Debian Importer	Fixing	VCID-vqz2-zd9g-aaab	https://security-tracker.debian.org/tracker/data/json	36.1.3
2025-04-13T02:12:07.709613+00:00	Debian Oval Importer	Fixing	VCID-uvg4-qjhy-aaaq	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	36.0.0
2025-04-13T02:12:04.943049+00:00	Debian Oval Importer	Fixing	VCID-vqz2-zd9g-aaab	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	36.0.0
2025-04-05T19:18:58.717883+00:00	Debian Importer	Fixing	VCID-uvg4-qjhy-aaaq	https://security-tracker.debian.org/tracker/data/json	36.0.0
2025-04-05T14:02:37.591235+00:00	Debian Importer	Fixing	VCID-wmwm-snjw-aaam	https://security-tracker.debian.org/tracker/data/json	36.0.0
2025-04-04T07:15:01.882306+00:00	Debian Importer	Affected by	VCID-ddhe-4ck9-aaam	https://security-tracker.debian.org/tracker/data/json	36.0.0
2025-04-04T02:14:46.530568+00:00	Debian Importer	Fixing	VCID-vqz2-zd9g-aaab	None	36.0.0
2025-04-04T01:25:06.146155+00:00	Debian Importer	Fixing	VCID-vqz2-zd9g-aaab	https://security-tracker.debian.org/tracker/data/json	36.0.0
2025-02-21T18:55:59.662995+00:00	Debian Importer	Fixing	VCID-wmwm-snjw-aaam	https://security-tracker.debian.org/tracker/data/json	35.1.0
2025-02-21T15:00:39.715686+00:00	Debian Importer	Affected by	VCID-ddhe-4ck9-aaam	https://security-tracker.debian.org/tracker/data/json	35.1.0
2025-02-21T14:52:37.483611+00:00	Debian Importer	Fixing	VCID-uvg4-qjhy-aaaq	https://security-tracker.debian.org/tracker/data/json	35.1.0
2025-02-21T09:34:09.797008+00:00	Debian Importer	Fixing	VCID-vqz2-zd9g-aaab	None	35.1.0
2025-02-21T09:34:07.030154+00:00	Debian Importer	Fixing	VCID-vqz2-zd9g-aaab	https://security-tracker.debian.org/tracker/data/json	35.1.0
2024-11-24T07:13:49.777687+00:00	Debian Importer	Fixing	VCID-wmwm-snjw-aaam	https://security-tracker.debian.org/tracker/data/json	35.0.0
2024-11-24T03:58:07.574348+00:00	Debian Importer	Affected by	VCID-ddhe-4ck9-aaam	https://security-tracker.debian.org/tracker/data/json	35.0.0
2024-11-23T23:10:59.995488+00:00	Debian Importer	Fixing	VCID-vqz2-zd9g-aaab	https://security-tracker.debian.org/tracker/data/json	35.0.0