Headline
CVE-2023-4380
A logic flaw exists in Ansible (automation-eda-controller). Whenever a private project is created with incorrect credentials, those credentials are written to the log in plaintext. An attacker with access to the log can retrieve the credentials, resulting in a loss of confidentiality, integrity, and availability.
Issued:
2023-08-21
Updated:
2023-08-29
RHSA-2023:4693 - Security Advisory
Synopsis
Moderate: Red Hat Ansible Automation Platform 2.4 Product Security and Bug Fix Update
Type/Severity
Security Advisory: Moderate
Topic
An update is now available for Red Hat Ansible Automation Platform 2.4.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
Red Hat Ansible Automation Platform provides an enterprise framework for building, deploying and managing IT automation at scale. IT Managers can provide top-down guidelines on how automation is applied to individual teams, while automation developers retain the freedom to write tasks that leverage existing knowledge without the overhead. Ansible Automation Platform makes it possible for users across an organization to share, vet, and manage automation content by means of a simple, powerful, and agentless language.
Security Fix(es):
- automation-eda-controller: token exposed at importing project (CVE-2023-4380)
- python3-cryptography/python39-cryptography: memory corruption via immutable objects (CVE-2023-23931)
- python3-django/python39-django: Potential regular expression denial of service vulnerability in EmailValidator/URLValidator (CVE-2023-36053)
- python3-requests/python39-requests: Unintended leak of Proxy-Authorization header (CVE-2023-32681)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional changes for Event-Driven Ansible:
- automation-eda-controller has been updated to 1.0.1
- Contributor and editor roles now have permissions to access users and set the AWX token. (AAP-11573)
- The onboarding wizard now requests controller token creation. (AAP-11907)
- Corrected the filtering capability of the Rule Audit screens so that a search yields results with the “starts with” function. (AAP-11987)
- Enabling or disabling rulebook activation no longer increases the restarts counter by 1. (AAP-12042)
- Filtering by a text string now displays all applicable items in the UI, including those that are not visible in the list at that time. (AAP-12446)
- Audit records are no longer missing when running activations with multiple jobs. (AAP-12522)
- The event payload is no longer missing key attributes when a job template fails. (AAP-12529)
- Fixed the Git token leak that occurs when importing a project fails. (AAP-12767)
- The restart policy in Kubernetes (k8s) now restarts a successful activation that was incorrectly marked as failed. (AAP-12862)
- Activation statuses are now reported correctly, whether you are disabling or enabling them. (AAP-12896)
- When a run_job_template action fails, ansible-rulebook now prints an error log in the activation output and creates an entry in the rule audit so that the user is alerted that the rule has failed. (AAP-12909)
- When a user tries to bulk delete rulebook activations from the list, the request now completes successfully and consistently. (AAP-13093)
- The Rulebook Activation link now functions correctly in the Rule Audit Detail UI. (AAP-13182)
- Fixed a bug where ansible-rulebook blocked execution when the connection to the controller failed, even though the rulebook did not require the controller. (AAP-13209)
- Fixed a bug where some audit rule records had the wrong rulebook link. (AAP-13844)
- Fixed a bug where only the first 10 audit rules had the right link. (AAP-13845)
- Previously, project credentials could not be updated when the credential used by the project changed. A project can now be updated with a new or different credential. (AAP-13983)
- The User Access section of the navigation panel no longer disappears after creating a decision environment. (AAP-14273)
- Fixed a bug where filtering for audit rules didn’t work properly on OpenShift Container Platform. (AAP-14512)
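The token leak fixed above (CVE-2023-4380, AAP-12767) is a logging defect: a clone URL carrying a git credential is echoed into the error log when the import fails. As an added illustration, not automation-eda-controller's own code or its patch, the Python below shows the vulnerable message beside its redacted form, a handler-level filter that scrubs any record regardless of code path, and an audit helper that finds credentials already written to existing logs; every URL, token, hostname, logger name and log line is constructed.

```python
"""Scrubbing embedded git credentials from project-import error logs and
auditing existing logs for leaks.  Added example for this advisory; it is
not automation-eda-controller's own code or its fix, and every URL, token,
hostname and log line below is constructed."""
import logging
import re

# The userinfo part of a URL, i.e. "scheme://user[:secret]@host".  Git
# tokens passed in clone URLs end up exactly here.
_USERINFO_RE = re.compile(
    r"(?P<scheme>[a-z][a-z0-9+.-]*://)(?P<userinfo>[^/@\s]+)@",
    re.IGNORECASE,
)


def redact_url_credentials(text: str) -> str:
    """Replace "user:secret@" (or "token@") in every URL in text with "***@"."""
    return _USERINFO_RE.sub(lambda m: m.group("scheme") + "***@", text)


def import_error_message(repo_url: str, err: object, redact: bool) -> str:
    """Build the error line written when a project import fails.

    redact=False reproduces the vulnerable pattern: the clone URL is logged
    as given, and git's own failure text echoes it, so the token lands in
    the log twice.  redact=True is the hardened form.
    """
    msg = f"Failed to import project from {repo_url}: {err}"
    return redact_url_credentials(msg) if redact else msg


def scrub_record(record: logging.LogRecord) -> logging.LogRecord:
    """Redact credentials in a log record's message and its string arguments."""
    record.msg = redact_url_credentials(str(record.msg))
    if isinstance(record.args, dict):  # logger.error("%(url)s", {"url": ...})
        record.args = {k: redact_url_credentials(v) if isinstance(v, str) else v
                       for k, v in record.args.items()}
    elif record.args:
        record.args = tuple(redact_url_credentials(a) if isinstance(a, str) else a
                            for a in record.args)
    return record


def scrubbed_message(msg: str, *args) -> str:
    """What a record built from msg/args reads as after scrubbing."""
    record = logging.makeLogRecord({"msg": msg, "args": args})
    return scrub_record(record).getMessage()


class RedactingFilter(logging.Filter):
    """Handler-level backstop: scrubs every record whatever code path produced
    it (exception text, %-args, f-strings).  Attach it to the handler rather
    than the logger so records propagated from child loggers are covered."""

    def filter(self, record: logging.LogRecord) -> bool:
        scrub_record(record)
        return True


def find_leaked_credentials(log_lines):
    """Audit existing logs: (line number, host) for every URL that still
    carries userinfo, so the exposed token can be identified and rotated."""
    hits = []
    for lineno, line in enumerate(log_lines, start=1):
        for m in _USERINFO_RE.finditer(line):
            host = re.match(r"[^/\s:]+", line[m.end():])
            hits.append((lineno, host.group(0) if host else ""))
    return hits


# Constructed sample of what a vulnerable import failure looks like in a log.
SAMPLE_LOG = [
    "2023-08-01 12:00:01 INFO Importing project 'demo'",
    "2023-08-01 12:00:02 ERROR Failed to import project from "
    "https://oauth2:ghp_EXAMPLETOKEN@git.example.test/org/rules.git: fatal: "
    "Authentication failed for 'https://oauth2:ghp_EXAMPLETOKEN@git.example.test/org/rules.git/'",
    "2023-08-01 12:00:03 INFO Importing project 'public' from https://git.example.test/org/public.git",
]

if __name__ == "__main__":
    handler = logging.StreamHandler()
    handler.addFilter(RedactingFilter())
    logger = logging.getLogger("eda.project_import")  # hypothetical logger name
    logger.addHandler(handler)
    logger.propagate = False
    url = "https://oauth2:ghp_EXAMPLETOKEN@git.example.test/org/rules.git"
    # Even the vulnerable message is scrubbed once the filter is in place.
    logger.error(import_error_message(url, "fatal: Authentication failed for '%s/'" % url, redact=False))
    for lineno, host in find_leaked_credentials(SAMPLE_LOG):
        print(f"credential leaked on line {lineno} for host {host}")
```

Running the audit over SAMPLE_LOG reports line 2 twice, once per echoed URL, which is also the signal that the token needs rotating rather than just the log being cleaned.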
Solution
Red Hat Ansible Automation Platform
Affected Products
- Red Hat Ansible Automation Platform 2.4 for RHEL 9 x86_64
- Red Hat Ansible Automation Platform 2.4 for RHEL 9 s390x
- Red Hat Ansible Automation Platform 2.4 for RHEL 9 ppc64le
- Red Hat Ansible Automation Platform 2.4 for RHEL 9 aarch64
- Red Hat Ansible Automation Platform 2.4 for RHEL 8 x86_64
- Red Hat Ansible Automation Platform 2.4 for RHEL 8 s390x
- Red Hat Ansible Automation Platform 2.4 for RHEL 8 ppc64le
- Red Hat Ansible Automation Platform 2.4 for RHEL 8 aarch64
- Red Hat Ansible Inside 1.2 for RHEL 9 x86_64
- Red Hat Ansible Inside 1.2 for RHEL 9 s390x
- Red Hat Ansible Inside 1.2 for RHEL 9 ppc64le
- Red Hat Ansible Inside 1.2 for RHEL 9 aarch64
- Red Hat Ansible Inside 1.2 for RHEL 8 x86_64
- Red Hat Ansible Inside 1.2 for RHEL 8 s390x
- Red Hat Ansible Inside 1.2 for RHEL 8 ppc64le
- Red Hat Ansible Inside 1.2 for RHEL 8 aarch64
- Red Hat Ansible Developer 1.1 for RHEL 9 x86_64
- Red Hat Ansible Developer 1.1 for RHEL 9 s390x
- Red Hat Ansible Developer 1.1 for RHEL 9 ppc64le
- Red Hat Ansible Developer 1.1 for RHEL 9 aarch64
- Red Hat Ansible Developer 1.1 for RHEL 8 x86_64
- Red Hat Ansible Developer 1.1 for RHEL 8 s390x
- Red Hat Ansible Developer 1.1 for RHEL 8 ppc64le
- Red Hat Ansible Developer 1.1 for RHEL 8 aarch64
Fixes
- BZ - 2171817 - CVE-2023-23931 python-cryptography: memory corruption via immutable objects
- BZ - 2209469 - CVE-2023-32681 python-requests: Unintended leak of Proxy-Authorization header
- BZ - 2218004 - CVE-2023-36053 python-django: Potential regular expression denial of service vulnerability in EmailValidator/URLValidator
- BZ - 2232324 - CVE-2023-4380 Ansible: token exposed at importing project
CVEs
- CVE-2023-4380
- CVE-2023-23931
- CVE-2023-32681
- CVE-2023-36053
Updated Packages
Red Hat Ansible Automation Platform 2.4 for RHEL 9
- SRPM: automation-eda-controller-1.0.1-1.el9ap.src.rpm, python-cryptography-38.0.4-2.el9ap.src.rpm, python-django-3.2.20-1.el9ap.src.rpm, python-requests-2.31.0-1.el9ap.src.rpm, python-rsa-4.7.2-1.el9ap.src.rpm
- noarch (shipped for x86_64, s390x, ppc64le and aarch64): automation-eda-controller-1.0.1-1.el9ap.noarch.rpm, automation-eda-controller-server-1.0.1-1.el9ap.noarch.rpm, automation-eda-controller-ui-1.0.1-1.el9ap.noarch.rpm, python3-django-3.2.20-1.el9ap.noarch.rpm, python3-requests-2.31.0-1.el9ap.noarch.rpm, python3-rsa-4.7.2-1.el9ap.noarch.rpm
- x86_64, s390x, ppc64le, aarch64 (one build per architecture): python3-cryptography-38.0.4-2.el9ap.{arch}.rpm, python3-cryptography-debuginfo-38.0.4-2.el9ap.{arch}.rpm, python-cryptography-debugsource-38.0.4-2.el9ap.{arch}.rpm
Red Hat Ansible Automation Platform 2.4 for RHEL 8
- SRPM: automation-eda-controller-1.0.1-1.el8ap.src.rpm, python3x-cryptography-38.0.4-2.el8ap.src.rpm, python3x-django-3.2.20-1.el8ap.src.rpm, python3x-requests-2.31.0-1.el8ap.src.rpm, python3x-rsa-4.7.2-1.el8ap.src.rpm
- noarch (shipped for x86_64, s390x, ppc64le and aarch64): automation-eda-controller-1.0.1-1.el8ap.noarch.rpm, automation-eda-controller-server-1.0.1-1.el8ap.noarch.rpm, automation-eda-controller-ui-1.0.1-1.el8ap.noarch.rpm, python39-django-3.2.20-1.el8ap.noarch.rpm, python39-requests-2.31.0-1.el8ap.noarch.rpm, python39-rsa-4.7.2-1.el8ap.noarch.rpm
- x86_64, s390x, ppc64le, aarch64 (one build per architecture): python39-cryptography-38.0.4-2.el8ap.{arch}.rpm, python39-cryptography-debuginfo-38.0.4-2.el8ap.{arch}.rpm, python3x-cryptography-debugsource-38.0.4-2.el8ap.{arch}.rpm
Red Hat Ansible Inside 1.2 for RHEL 9 and Red Hat Ansible Developer 1.1 for RHEL 9
- SRPM: python-cryptography-38.0.4-2.el9ap.src.rpm
- x86_64, s390x, ppc64le, aarch64 (one build per architecture): python3-cryptography-38.0.4-2.el9ap.{arch}.rpm, python3-cryptography-debuginfo-38.0.4-2.el9ap.{arch}.rpm, python-cryptography-debugsource-38.0.4-2.el9ap.{arch}.rpm
Red Hat Ansible Inside 1.2 for RHEL 8 and Red Hat Ansible Developer 1.1 for RHEL 8
- SRPM: python3x-cryptography-38.0.4-2.el8ap.src.rpm
- x86_64, s390x, ppc64le, aarch64 (one build per architecture): python39-cryptography-38.0.4-2.el8ap.{arch}.rpm, python39-cryptography-debuginfo-38.0.4-2.el8ap.{arch}.rpm, python3x-cryptography-debugsource-38.0.4-2.el8ap.{arch}.rpm
The Red Hat security contact is [email protected]. More contact details at https://access.redhat.com/security/team/contact/.
Related news
Gentoo Linux Security Advisory 202407-6 - Multiple vulnerabilities have been discovered in cryptography, the worst of which could lead to a denial of service. Versions greater than or equal to 42.0.4 are affected.
Red Hat Security Advisory 2024-0212-03 - An update for python-django is now available for Red Hat OpenStack Platform 17.1. Issues addressed include a denial of service vulnerability.
Ubuntu Security Notice 6539-1 - It was discovered that the python-cryptography Cipher.update_into function would incorrectly accept objects with immutable buffers. This would result in corrupted output, contrary to expectations. This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, and Ubuntu 23.04. It was discovered that python-cryptography incorrectly handled loading certain PKCS7 certificates. A remote attacker could possibly use this issue to cause python-cryptography to crash, resulting in a denial of service. This issue only affected Ubuntu 22.04 LTS, Ubuntu 23.04, and Ubuntu 23.10.
Red Hat Security Advisory 2023-7341-01 - An update is now available for Red Hat Quay 3.
Red Hat Security Advisory 2023-7096-01 - An update for python-cryptography is now available for Red Hat Enterprise Linux 8.
Red Hat Security Advisory 2023-5931-01 - Updated Satellite 6.13 packages that fix Important security bugs and several regular bugs are now available for Red Hat Satellite. Issues addressed include code execution and denial of service vulnerabilities.
Vulnerability in the Sun ZFS Storage Appliance product of Oracle Systems (component: Core). The supported version that is affected is 8.8.60. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Sun ZFS Storage Appliance. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Sun ZFS Storage Appliance. CVSS 3.1 Base Score 5.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).
Gentoo Linux Security Advisory 202309-8 - A vulnerability has been discovered in Requests which could result in the disclosure of plaintext secrets. Versions greater than or equal to 2.31.0 are affected.
Red Hat Security Advisory 2023-4971-01 - Red Hat Ansible Automation Platform provides an enterprise framework for building, deploying and managing IT automation at scale. IT Managers can provide top-down guidelines on how automation is applied to individual teams, while automation developers retain the freedom to write tasks that leverage existing knowledge without the overhead. Ansible Automation Platform makes it possible for users across an organization to share, vet, and manage automation content by means of a simple, powerful, and agentless language.
An update is now available for Red Hat Ansible Automation Platform 2.4. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-23931: A vulnerability was found in python-cryptography. In affected versions, `Cipher.update_into` would accept Python objects which implement the buffer protocol but provide only immutable buffers. This issue allows immutable objects (such as `bytes`) to be mutated, thus violating the fundamental rules of Python, resulting in corrupted output. * CVE-2...
Red Hat Security Advisory 2023-4693-01 - Red Hat Ansible Automation Platform provides an enterprise framework for building, deploying and managing IT automation at scale. IT Managers can provide top-down guidelines on how automation is applied to individual teams, while automation developers retain the freedom to write tasks that leverage existing knowledge without the overhead. Ansible Automation Platform makes it possible for users across an organization to share, vet, and manage automation content by means of a simple, powerful, and agentless language. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-4692-01 - Red Hat Ansible Automation Platform provides an enterprise framework for building, deploying and managing IT automation at scale. IT Managers can provide top-down guidelines on how automation is applied to individual teams, while automation developers retain the freedom to write tasks that leverage existing knowledge without the overhead. Ansible Automation Platform makes it possible for users across an organization to share, vet, and manage automation content by means of a simple, powerful, and agentless language. Issues addressed include cross site request forgery, denial of service, and remote shell upload vulnerabilities.
An update is now available for Red Hat Ansible Automation Platform 2.4. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-4380: No description is available for this CVE. * CVE-2023-23931: A vulnerability was found in python-cryptography. In affected versions, `Cipher.update_into` would accept Python objects which implement the buffer protocol but provide only immutable buffers. This issue allows immutable objects (such as `bytes`) to be mutated, thus violating the fundamen...
An update is now available for Red Hat Ansible Automation Platform 2.4. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:
* CVE-2023-24580: A memory exhaustion flaw was found in the python-django package. This issue occurs when passing certain inputs, leading to a system crash and denial of service.
* CVE-2023-36053: A regular expression denial of service vulnerability has been found in Django. Email and URL validators are vulnerable to this flaw when processing a very large number o...
Red Hat Security Advisory 2023-4520-01 - The python-requests package contains a library designed to make HTTP requests easy for developers.
An update for python-requests is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:
* CVE-2023-32681: A flaw was found in the Python-requests package, where it is vulnerable to potentially leaking Proxy-Authorization headers to destination servers, specifically during redirects to an HTTPS origin. This is a product of how rebuild_proxies is used to recompute and reattach the Proxy-Authorization header to requests when redirected. This beh...
Debian Linux Security Advisory 5465-1 - Seokchan Yoon discovered that missing sanitising in the email and URL validators of Django, a Python web development framework, could result in denial of service.
An update for python-requests is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:
* CVE-2023-32681: A flaw was found in the Python-requests package, where it is vulnerable to potentially leaking Proxy-Authorization headers to destination servers, specifically during redirects to an HTTPS origin. This is a product of how rebuild_proxies is used to recompute and reattach the Proxy-Authorization header to requests when redirected. This beh...
Ubuntu Security Notice 6203-2 - USN-6203-1 fixed a vulnerability in Django. This update provides the corresponding update for Ubuntu 18.04 ESM. Seokchan Yoon discovered that Django incorrectly handled certain regular expressions. A remote attacker could possibly use this issue to cause Django to consume resources, leading to a denial of service.
Vulnerability in the Oracle Hyperion Financial Reporting product of Oracle Hyperion (component: Repository). The supported version that is affected is 11.2.13.0.000. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Hyperion Financial Reporting. While the vulnerability is in Oracle Hyperion Financial Reporting, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Hyperion Financial Reporting accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Hyperion Financial Reporting. CVSS 3.1 Base Score 8.5 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L).
Ubuntu Security Notice 6203-1 - Seokchan Yoon discovered that Django incorrectly handled certain regular expressions. A remote attacker could possibly use this issue to cause Django to consume resources, leading to a denial of service.
In Django 3.2 before 3.2.20, 4 before 4.1.10, and 4.2 before 4.2.3, `EmailValidator` and `URLValidator` are subject to a potential ReDoS (regular expression denial of service) attack via a very large number of domain name labels of emails and URLs.
Dell VxRail, version(s) 8.0.100 and earlier contain a denial-of-service vulnerability in the upgrade functionality. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to degraded performance and system malfunction.
Ubuntu Security Notice 6155-2 - USN-6155-1 fixed a vulnerability in Requests. This update provides the corresponding update for Ubuntu 16.04 ESM and 18.04 ESM. Dennis Brinkrolf and Tobias Funke discovered that Requests incorrectly leaked Proxy-Authorization headers. A remote attacker could possibly use this issue to obtain sensitive information.
Ubuntu Security Notice 6155-1 - Dennis Brinkrolf and Tobias Funke discovered that Requests incorrectly leaked Proxy-Authorization headers. A remote attacker could possibly use this issue to obtain sensitive information.
Requests is an HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use `rebuild_proxies` to reattach the `Proxy-Authorization` header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However, when sent over HTTPS, the `Proxy-Authorization` header must be sent in the CONNECT request, as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. This issue has been patched in version 2.31.0.
### Impact

Since Requests v2.3.0, Requests has been vulnerable to potentially leaking `Proxy-Authorization` headers to destination servers, specifically during redirects to an HTTPS origin. This is a product of how `rebuild_proxies` is used to recompute and [reattach the `Proxy-Authorization` header](https://github.com/psf/requests/blob/f2629e9e3c7ce3c3c8c025bcd8db551101cbc773/requests/sessions.py#L319-L328) to requests when redirected. Note this behavior has _only_ been observed to affect proxied requests when credentials are supplied in the URL user information component (e.g. `https://username:password@proxy:8080`).

**Current vulnerable behavior(s):**

1. HTTP → HTTPS: **leak**
2. HTTPS → HTTP: **no leak**
3. HTTPS → HTTPS: **leak**
4. HTTP → HTTP: **no leak**

For HTTP connections sent through the proxy, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the `Proxy-Authorization` head...
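The two Requests entries above describe the same mechanism: on a redirect, the header rebuilt from the proxy URL's user-info credentials reaches the destination whenever the new target is HTTPS, because the proxy cannot strip anything inside a CONNECT tunnel. The following is an added example, not code from the `requests` project: a stand-alone model of that redirect decision in both its pre-2.31.0 and patched shapes, run over the four cases in the advisory's matrix. The proxy URL, credentials and target hosts are constructed sample values, and `reaches_destination` encodes the assumption stated in the advisory (a forward proxy strips `Proxy-Authorization` from plain-HTTP requests it relays but cannot see inside a TLS tunnel).

```python
"""Model of the Proxy-Authorization redirect handling behind CVE-2023-32681.

Added example, not code from the requests project. The two rebuild functions
re-implement, in isolation, the decision requests' rebuild_proxies() makes when
a redirect is followed, so the advisory's four cases can be checked offline.
"""
import base64
from urllib.parse import unquote, urlparse


def basic_auth_header(username, password):
    """RFC 7617 Basic credentials, as a forward proxy expects them."""
    token = base64.b64encode(f"{username}:{password}".encode("latin-1"))
    return "Basic " + token.decode("ascii")


def proxy_credentials(proxy_url):
    """Return (user, password) from a proxy URL such as http://u:p@proxy:8080."""
    parsed = urlparse(proxy_url)
    if not parsed.username:
        return None, None
    return unquote(parsed.username), unquote(parsed.password or "")


def rebuild_proxy_header_vulnerable(headers, redirect_url, proxies):
    """Pre-2.31.0 shape (modelled): reattach Proxy-Authorization from the
    proxy URL credentials on every redirect, whatever the target scheme."""
    headers = dict(headers)
    headers.pop("Proxy-Authorization", None)
    scheme = urlparse(redirect_url).scheme
    user, password = proxy_credentials(proxies.get(scheme, ""))
    if user:
        headers["Proxy-Authorization"] = basic_auth_header(user, password)
    return headers


def rebuild_proxy_header_fixed(headers, redirect_url, proxies):
    """2.31.0 shape (modelled): attach the header only for plain-HTTP targets.
    For HTTPS the proxy credentials belong in the CONNECT request, which the
    underlying HTTP library sends to the proxy on its own."""
    headers = dict(headers)
    headers.pop("Proxy-Authorization", None)
    scheme = urlparse(redirect_url).scheme
    user, password = proxy_credentials(proxies.get(scheme, ""))
    if user and not scheme.startswith("https"):
        headers["Proxy-Authorization"] = basic_auth_header(user, password)
    return headers


def reaches_destination(headers, redirect_url):
    """Assumption from the advisory: a proxy strips Proxy-Authorization from
    plain-HTTP requests it relays, but inside an HTTPS tunnel it sees nothing,
    so a header present on an HTTPS request arrives at the destination."""
    if "Proxy-Authorization" not in headers:
        return False
    return urlparse(redirect_url).scheme == "https"


def leak_matrix(rebuild):
    """Run the advisory's four redirect cases through one rebuild strategy.
    Only the redirect target's scheme enters the decision, which is why the
    origin scheme in each case name does not change the outcome."""
    proxies = {  # constructed sample values, credentials in the URL user-info
        "http": "http://alice:s3cret@proxy.example:8080",
        "https": "http://alice:s3cret@proxy.example:8080",
    }
    cases = {
        "HTTP -> HTTPS": "https://target.example/",
        "HTTPS -> HTTP": "http://target.example/",
        "HTTPS -> HTTPS": "https://target.example/",
        "HTTP -> HTTP": "http://target.example/",
    }
    return {name: reaches_destination(rebuild({}, url, proxies), url)
            for name, url in cases.items()}


if __name__ == "__main__":
    for label, strategy in (("vulnerable", rebuild_proxy_header_vulnerable),
                            ("fixed", rebuild_proxy_header_fixed)):
        print(label, leak_matrix(strategy))
```

The vulnerable strategy reproduces the advisory's matrix exactly (leak for both HTTPS targets, none for HTTP targets); the fixed strategy never lets the header reach a destination, because for HTTPS targets it is never placed on the tunneled request at all. The operational takeaway is the same as the advisories': upgrade to 2.31.0 or later, and treat any proxy password that was ever supplied in a proxy URL to an older Requests as potentially disclosed to every HTTPS site a redirect landed on.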
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through...
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. In affected versions `Cipher.update_into` would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects (such as `bytes`) to be mutated, thus violating fundamental rules of Python and resulting in corrupted output. This now correctly raises an exception. This issue has been present since `update_into` was originally introduced in cryptography 1.8.
Previously, `Cipher.update_into` would accept Python objects which implement the buffer protocol, but provide only immutable buffers:

```pycon
>>> from cryptography.hazmat.primitives import ciphers
>>> from cryptography.hazmat.primitives.ciphers import modes
>>> from cryptography.hazmat.primitives.ciphers.algorithms import AES
>>> outbuf = b"\x00" * 32
>>> c = ciphers.Cipher(AES(b"\x00" * 32), modes.ECB()).encryptor()
>>> c.update_into(b"\x00" * 16, outbuf)
16
>>> outbuf
b'\xdc\x95\xc0x\xa2@\x89\x89\xadH\xa2\x14\x92\x84 \x87\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
```

This would allow immutable objects (such as `bytes`) to be mutated, thus violating fundamental rules of Python. This is a soundness bug: it allows programmers to misuse an API; it cannot be exploited by attacker-controlled data alone. This now correctly raises an exception. This issue has been present since `update_into` was originally introduced in cryptography 1.8.
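The defect above is a missing invariant check at the API boundary: an output buffer obtained through the buffer protocol must be writable, contiguous and large enough before anything is written through it. The following is an added example, not code from the `cryptography` project, showing what such a check looks like in pure Python. A toy XOR keystream (`_xor_stream`, not real cryptography) stands in for the cipher so the example runs without the library, and the function names (`update_into_checked`, `probe_output_buffer`) are hypothetical.

```python
"""Buffer-protocol output checks of the kind CVE-2023-23931 was missing.

Added example, not code from the cryptography project. The toy XOR transform
only exists to have something to write into the output buffer; the point is
the validation performed on the buffer before the write.
"""


def _xor_stream(data, key):
    """Toy transform: XOR every byte with one key byte. Illustrative only."""
    return bytes(b ^ key for b in data)


def update_into_checked(data, buf, key=0x5A):
    """Write the transformed `data` into `buf` and return the byte count.

    memoryview() exposes the buffer-protocol metadata a C extension would see;
    checking it here rejects the unsound cases up front rather than letting a
    readonly `bytes` object be overwritten in place.
    """
    view = memoryview(buf)
    if view.readonly:
        # bytes, or a memoryview over bytes, exposes a readonly buffer
        raise TypeError("output buffer must be writable (bytes is immutable)")
    if not view.c_contiguous or view.itemsize != 1:
        raise TypeError("output buffer must be a contiguous buffer of bytes")
    needed = len(data)
    if len(view) < needed:
        raise ValueError(f"output buffer must be at least {needed} bytes")
    view[:needed] = _xor_stream(data, key)
    return needed


def probe_output_buffer(data, buf):
    """Return None if `buf` is accepted, else the name of the exception raised.

    A small helper so callers (and tests) can tabulate which buffer types the
    checked API accepts without sprinkling try/except everywhere.
    """
    try:
        update_into_checked(data, buf)
    except (TypeError, ValueError) as exc:
        return type(exc).__name__
    return None


if __name__ == "__main__":
    block = b"\x00" * 16                      # constructed sample input
    out = bytearray(32)                       # writable, large enough
    print(update_into_checked(block, out), bytes(out))
    for label, candidate in (
        ("bytes", b"\x00" * 32),              # immutable: must be rejected
        ("memoryview(bytes)", memoryview(b"\x00" * 32)),
        ("short bytearray", bytearray(8)),    # too small: must be rejected
        ("memoryview(bytearray)", memoryview(bytearray(32))),
    ):
        print(label, "->", probe_output_buffer(block, candidate) or "accepted")
```

Run stand-alone, the script accepts `bytearray` and `memoryview(bytearray)` and rejects `bytes`, `memoryview(bytes)` and an undersized buffer. Note that plain slice assignment on a readonly `memoryview` already raises `TypeError` in CPython; the explicit `readonly` check is still worth having in an extension that writes through a raw pointer, because there no interpreter-level guard exists, which is exactly how the original bug went unnoticed.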