CVE-2023-4380

A logic flaw exists in the Event-Driven Ansible controller (automation-eda-controller) shipped with Red Hat Ansible Automation Platform. When a private project is created (imported) with incorrect credentials, the import fails and the credentials, the Git token, are written to the log in plaintext. Anyone who can read that log can recover the token and use it against the repository, which is why the flaw is rated as a loss of confidentiality, integrity, and availability. The fix ships in automation-eda-controller 1.0.1.
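The leak described above, as an added example that is not code from automation-eda-controller or Red Hat: a Python sketch of the logging pattern that exposes a token when an import fails, the same call with the URL redacted before it reaches the log, and a scanner that flags credentials already present in log text. The token carrier (user:token in the clone URL's userinfo component), the logger name, the URL and the log lines are constructed for the example; the advisory does not state the exact log format.

```python
"""Added example (not automation-eda-controller or Red Hat code).

Assumed for the example: the import path logs the clone URL on failure and
the token travels in the URL's userinfo, i.e.
https://<user>:<token>@git.example.com/org/repo.git. Logger name, URL and
log lines below are constructed."""
import logging
import re
from io import StringIO
from urllib.parse import urlsplit, urlunsplit

# In-memory log sink so the example is self-contained and its output can be inspected.
LOG_BUFFER = StringIO()
log = logging.getLogger("example.project_import")   # constructed logger name
log.setLevel(logging.ERROR)
log.propagate = False
_handler = logging.StreamHandler(LOG_BUFFER)
_handler.setFormatter(logging.Formatter("%(levelname)s %(name)s %(message)s"))
log.addHandler(_handler)


def _clone(clone_url: str) -> None:
    """Stand-in for the git clone; always fails the way a bad credential would."""
    raise PermissionError("authentication failed")


def import_project_vulnerable(clone_url: str) -> None:
    """The leaky pattern: the raw URL, token and all, is interpolated into the error log."""
    try:
        _clone(clone_url)
    except PermissionError as exc:
        log.error("Import of %s failed: %s", clone_url, exc)


def redact_url(url: str) -> str:
    """Drop the userinfo (user:token@) from a URL so it can be logged safely.

    scp-style forms such as git@host:org/repo.git have no '//' and carry no
    userinfo in the URL sense; they are returned unchanged."""
    parts = urlsplit(url)
    if "@" not in parts.netloc:
        return url
    host_only = parts.netloc.rsplit("@", 1)[1]      # keeps host, port and IPv6 brackets
    return urlunsplit(parts._replace(netloc=host_only))


def import_project_fixed(clone_url: str) -> None:
    """Same flow, but the URL is redacted before it reaches the log."""
    try:
        _clone(clone_url)
    except PermissionError as exc:
        log.error("Import of %s failed: %s", redact_url(clone_url), exc)


# scheme://user:secret@ anywhere in free text. A bare username (ssh://git@host) does not match.
USERINFO_RE = re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s/:@]+:([^\s@/]+)@", re.IGNORECASE)


def find_leaked_tokens(log_text: str) -> list[str]:
    """Return every credential value embedded in a URL in log_text, for triage and rotation."""
    return [m.group(1) for m in USERINFO_RE.finditer(log_text)]


def demo() -> dict:
    """Run both import variants against a constructed token-bearing URL and scan the result."""
    LOG_BUFFER.seek(0)
    LOG_BUFFER.truncate(0)
    url = "https://svc-user:ghp_example_token_0123@git.example.com/org/private.git"  # constructed
    import_project_vulnerable(url)
    import_project_fixed(url)
    text = LOG_BUFFER.getvalue()
    return {"log_lines": text.splitlines(), "leaked": find_leaked_tokens(text)}


if __name__ == "__main__":
    result = demo()
    for line in result["log_lines"]:
        print(line)
    print("tokens found in log:", result["leaked"])
```

Redacting at the single log call is the minimal fix; a logging.Filter that applies redact_url to every record is the durable one, since the next developer will log the URL somewhere else. Updating the package does not scrub logs already written, so run the scanner over existing controller logs and any log shipping destination, and treat every token it turns up as compromised and rotate it.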

Issued: 2023-08-21

Updated: 2023-08-29

RHSA-2023:4693 - Security Advisory

Synopsis

Moderate: Red Hat Ansible Automation Platform 2.4 Product Security and Bug Fix Update

Type/Severity

Security Advisory: Moderate

Topic

An update is now available for Red Hat Ansible Automation Platform 2.4

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat Ansible Automation Platform provides an enterprise framework for building, deploying and managing IT automation at scale. IT Managers can provide top-down guidelines on how automation is applied to individual teams, while automation developers retain the freedom to write tasks that leverage existing knowledge without the overhead. Ansible Automation Platform makes it possible for users across an organization to share, vet, and manage automation content by means of a simple, powerful, and agentless language.

Security Fix(es):

  • automation-eda-controller: token exposed at importing project (CVE-2023-4380)
  • python3-cryptography/python39-cryptography: memory corruption via immutable objects (CVE-2023-23931)
  • python3-django/python39-django: Potential regular expression denial of service vulnerability in EmailValidator/URLValidator (CVE-2023-36053)
  • python3-requests/python39-requests: Unintended leak of Proxy-Authorization header (CVE-2023-32681)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional changes for Event-Driven Ansible:

  • automation-eda-controller has been updated to 1.0.1
  • Contributor and editor roles now have permissions to access users and set the AWX token. (AAP-11573)
  • The onboarding wizard now requests controller token creation. (AAP-11907)
  • Corrected the filtering capability of the Rule Audit screens so that a search yields results with the “starts with” function. (AAP-11987)
  • Enabling or disabling rulebook activation no longer increases the restarts counter by 1. (AAP-12042)
  • Filtering by a text string now displays all applicable items in the UI, including those that are not visible in the list at that time. (AAP-12446)
  • Audit records are no longer missing when running activations with multiple jobs. (AAP-12522)
  • The event payload is no longer missing key attributes when a job template fails. (AAP-12529)
  • Fixed the Git token leak that occurs when importing a project fails. (AAP-12767)
  • The restart policy in Kubernetes (k8s) now restarts a successful activation that was incorrectly marked as failed. (AAP-12862)
  • Activation statuses are now reported correctly, whether you are disabling or enabling them. (AAP-12896)
  • When a run_job_template action fails, ansible-rulebook now prints an error log in the activation output and creates an entry in the rule audit so that the user is alerted that the rule has failed. (AAP-12909)
  • When a user tries to bulk delete rulebook activations from the list, the request now completes successfully and consistently. (AAP-13093)
  • The Rulebook Activation link now functions correctly in the Rule Audit Detail UI. (AAP-13182)
  • Fixed a bug where ansible-rulebook refused to run if the connection to the controller failed, even when the rulebook did not require a controller. (AAP-13209)
  • Fixed a bug where some audit rule records had the wrong rulebook link. (AAP-13844)
  • Fixed a bug where only the first 10 audit rules had the right link. (AAP-13845)
  • Previously, project credentials could not be updated if the credential used by the project changed. A project's credential can now be replaced with a new or different one. (AAP-13983)
  • The User Access section of the navigation panel no longer disappears after creating a decision environment. (AAP-14273)
  • Fixed a bug where filtering for audit rules didn’t work properly on OpenShift Container Platform. (AAP-14512)

Solution

Red Hat Ansible Automation Platform

Affected Products

  • Red Hat Ansible Automation Platform 2.4 for RHEL 9 x86_64
  • Red Hat Ansible Automation Platform 2.4 for RHEL 9 s390x
  • Red Hat Ansible Automation Platform 2.4 for RHEL 9 ppc64le
  • Red Hat Ansible Automation Platform 2.4 for RHEL 9 aarch64
  • Red Hat Ansible Automation Platform 2.4 for RHEL 8 x86_64
  • Red Hat Ansible Automation Platform 2.4 for RHEL 8 s390x
  • Red Hat Ansible Automation Platform 2.4 for RHEL 8 ppc64le
  • Red Hat Ansible Automation Platform 2.4 for RHEL 8 aarch64
  • Red Hat Ansible Inside 1.2 for RHEL 9 x86_64
  • Red Hat Ansible Inside 1.2 for RHEL 9 s390x
  • Red Hat Ansible Inside 1.2 for RHEL 9 ppc64le
  • Red Hat Ansible Inside 1.2 for RHEL 9 aarch64
  • Red Hat Ansible Inside 1.2 for RHEL 8 x86_64
  • Red Hat Ansible Inside 1.2 for RHEL 8 s390x
  • Red Hat Ansible Inside 1.2 for RHEL 8 ppc64le
  • Red Hat Ansible Inside 1.2 for RHEL 8 aarch64
  • Red Hat Ansible Developer 1.1 for RHEL 9 x86_64
  • Red Hat Ansible Developer 1.1 for RHEL 9 s390x
  • Red Hat Ansible Developer 1.1 for RHEL 9 ppc64le
  • Red Hat Ansible Developer 1.1 for RHEL 9 aarch64
  • Red Hat Ansible Developer 1.1 for RHEL 8 x86_64
  • Red Hat Ansible Developer 1.1 for RHEL 8 s390x
  • Red Hat Ansible Developer 1.1 for RHEL 8 ppc64le
  • Red Hat Ansible Developer 1.1 for RHEL 8 aarch64

Fixes

  • BZ - 2171817 - CVE-2023-23931 python-cryptography: memory corruption via immutable objects
  • BZ - 2209469 - CVE-2023-32681 python-requests: Unintended leak of Proxy-Authorization header
  • BZ - 2218004 - CVE-2023-36053 python-django: Potential regular expression denial of service vulnerability in EmailValidator/URLValidator
  • BZ - 2232324 - CVE-2023-4380 Ansible: token exposed at importing project

CVEs

  • CVE-2023-4380
  • CVE-2023-23931
  • CVE-2023-32681
  • CVE-2023-36053

Red Hat Ansible Automation Platform 2.4 for RHEL 9

SRPM

automation-eda-controller-1.0.1-1.el9ap.src.rpm

SHA-256: 46b2772bdb44d06eb979a9b64831dc02cd3095ec95ba038994465a25b92e9c41

python-cryptography-38.0.4-2.el9ap.src.rpm

SHA-256: 7c89932810761a5e9739b057d97d6fdcc7b9e3476140700551d8200a0fbdd739

python-django-3.2.20-1.el9ap.src.rpm

SHA-256: 739890cbf5c8d04f262cb48266b80c0bdb5ad625481f1e22f4a6b635f08b5b42

python-requests-2.31.0-1.el9ap.src.rpm

SHA-256: cad6bbc37323d0aa6d79c625179790f4432c4a4c2c4a84fe6a4f79e3dda170c3

python-rsa-4.7.2-1.el9ap.src.rpm

SHA-256: c53a3ac4dcee14be24fc95c62960ee095951c40aea2c21a2f5f817594acb2539

x86_64

automation-eda-controller-1.0.1-1.el9ap.noarch.rpm

SHA-256: 8d4cfedfa8a3d4482618450c294d0fc7e8c8bdf658924c89fbe0ee316f0b2489

automation-eda-controller-server-1.0.1-1.el9ap.noarch.rpm

SHA-256: 0280af70b9e6fde6fd21294605abbec312190e10867c9a1f331b47230b52d92c

automation-eda-controller-ui-1.0.1-1.el9ap.noarch.rpm

SHA-256: 569b12938f40947dc2beebd77fc366b91fcb276700878b03ed603b44575b4120

python-cryptography-debugsource-38.0.4-2.el9ap.x86_64.rpm

SHA-256: 813abd8de5cabb06f043542debbce65c42115e739ee8cf3274ce7b2b6da2b8c9

python3-cryptography-38.0.4-2.el9ap.x86_64.rpm

SHA-256: be34e3c89fbc3d97479670244533c91f2327db72dbf6a3539dbb930bcd372443

python3-cryptography-debuginfo-38.0.4-2.el9ap.x86_64.rpm

SHA-256: f6d53814b71b01f1520e55489c594eaa77f092dd95a0d9c29f6c0e1e85896d97

python3-django-3.2.20-1.el9ap.noarch.rpm

SHA-256: af9921f8ed09fb578ad0b6697a8eaed5347391109fe1565a439864e4e64f2864

python3-requests-2.31.0-1.el9ap.noarch.rpm

SHA-256: 0b53efc024204a161f8872a235cc88cb85a808378cc237506ec780995779f051

python3-rsa-4.7.2-1.el9ap.noarch.rpm

SHA-256: a6b470751c3e5a62639ad5ea449929784d18a82a77137385450c4c80827d0e9e

s390x

automation-eda-controller-1.0.1-1.el9ap.noarch.rpm

SHA-256: 8d4cfedfa8a3d4482618450c294d0fc7e8c8bdf658924c89fbe0ee316f0b2489

automation-eda-controller-server-1.0.1-1.el9ap.noarch.rpm

SHA-256: 0280af70b9e6fde6fd21294605abbec312190e10867c9a1f331b47230b52d92c

automation-eda-controller-ui-1.0.1-1.el9ap.noarch.rpm

SHA-256: 569b12938f40947dc2beebd77fc366b91fcb276700878b03ed603b44575b4120

python-cryptography-debugsource-38.0.4-2.el9ap.s390x.rpm

SHA-256: 3ed99ba6f0c7a2f02d352f053cda762b1e41c117c52082e0df047c039449f3f7

python3-cryptography-38.0.4-2.el9ap.s390x.rpm

SHA-256: 7d53b0f4fa39a6c2b0ef8cd78bf812a38d0e3f4be715af9974f095d90637afac

python3-cryptography-debuginfo-38.0.4-2.el9ap.s390x.rpm

SHA-256: 9b99973a1e0b93ad3c33d8b571093aaa38b775f891dd1c3e2148fcf13b792160

python3-django-3.2.20-1.el9ap.noarch.rpm

SHA-256: af9921f8ed09fb578ad0b6697a8eaed5347391109fe1565a439864e4e64f2864

python3-requests-2.31.0-1.el9ap.noarch.rpm

SHA-256: 0b53efc024204a161f8872a235cc88cb85a808378cc237506ec780995779f051

python3-rsa-4.7.2-1.el9ap.noarch.rpm

SHA-256: a6b470751c3e5a62639ad5ea449929784d18a82a77137385450c4c80827d0e9e

ppc64le

automation-eda-controller-1.0.1-1.el9ap.noarch.rpm

SHA-256: 8d4cfedfa8a3d4482618450c294d0fc7e8c8bdf658924c89fbe0ee316f0b2489

automation-eda-controller-server-1.0.1-1.el9ap.noarch.rpm

SHA-256: 0280af70b9e6fde6fd21294605abbec312190e10867c9a1f331b47230b52d92c

automation-eda-controller-ui-1.0.1-1.el9ap.noarch.rpm

SHA-256: 569b12938f40947dc2beebd77fc366b91fcb276700878b03ed603b44575b4120

python-cryptography-debugsource-38.0.4-2.el9ap.ppc64le.rpm

SHA-256: 91d60e114edca2a22b9cdb39ed918f4e02b4fec9c509f08c2e2592515c95552e

python3-cryptography-38.0.4-2.el9ap.ppc64le.rpm

SHA-256: 8b2dd172fadce43d714b25fdf210ceeecf92940164ecc09b6979e95f6ab41b06

python3-cryptography-debuginfo-38.0.4-2.el9ap.ppc64le.rpm

SHA-256: 85c41c90ef33495a5dc956efa425bfa80ba74d2a275e28d5f0046a0edfee8aaa

python3-django-3.2.20-1.el9ap.noarch.rpm

SHA-256: af9921f8ed09fb578ad0b6697a8eaed5347391109fe1565a439864e4e64f2864

python3-requests-2.31.0-1.el9ap.noarch.rpm

SHA-256: 0b53efc024204a161f8872a235cc88cb85a808378cc237506ec780995779f051

python3-rsa-4.7.2-1.el9ap.noarch.rpm

SHA-256: a6b470751c3e5a62639ad5ea449929784d18a82a77137385450c4c80827d0e9e

aarch64

automation-eda-controller-1.0.1-1.el9ap.noarch.rpm

SHA-256: 8d4cfedfa8a3d4482618450c294d0fc7e8c8bdf658924c89fbe0ee316f0b2489

automation-eda-controller-server-1.0.1-1.el9ap.noarch.rpm

SHA-256: 0280af70b9e6fde6fd21294605abbec312190e10867c9a1f331b47230b52d92c

automation-eda-controller-ui-1.0.1-1.el9ap.noarch.rpm

SHA-256: 569b12938f40947dc2beebd77fc366b91fcb276700878b03ed603b44575b4120

python-cryptography-debugsource-38.0.4-2.el9ap.aarch64.rpm

SHA-256: 079527a429abcb0b3fe7627ba21198b6c944ce7e4adbac68b3b3544fde0167b1

python3-cryptography-38.0.4-2.el9ap.aarch64.rpm

SHA-256: 6e80fd311a4837904d2fc5e809da2858a047880e251ff00b3d567713535fbc98

python3-cryptography-debuginfo-38.0.4-2.el9ap.aarch64.rpm

SHA-256: e62a9e99340ab0e8ec209e0bf5fd6fe49e86b46c1f7aa51790710d2c1777ede8

python3-django-3.2.20-1.el9ap.noarch.rpm

SHA-256: af9921f8ed09fb578ad0b6697a8eaed5347391109fe1565a439864e4e64f2864

python3-requests-2.31.0-1.el9ap.noarch.rpm

SHA-256: 0b53efc024204a161f8872a235cc88cb85a808378cc237506ec780995779f051

python3-rsa-4.7.2-1.el9ap.noarch.rpm

SHA-256: a6b470751c3e5a62639ad5ea449929784d18a82a77137385450c4c80827d0e9e

Red Hat Ansible Automation Platform 2.4 for RHEL 8

SRPM

automation-eda-controller-1.0.1-1.el8ap.src.rpm

SHA-256: 9d3605bd9c07f9818c97711f5c1356b075a7a4080132593810728408419e59cb

python3x-cryptography-38.0.4-2.el8ap.src.rpm

SHA-256: 12745a5547af1c85562b184f95851ebd9d84611ed4b6fd0298e5500da6207162

python3x-django-3.2.20-1.el8ap.src.rpm

SHA-256: 0d4c4c29d1f6c2d74f60f4d662ba4468a706d1ea77baf988c0ec49e4b9482dc7

python3x-requests-2.31.0-1.el8ap.src.rpm

SHA-256: e6d4ebbdad14647c1406f09a967413d4f4214b3b228cca2418db29677dbd741c

python3x-rsa-4.7.2-1.el8ap.src.rpm

SHA-256: a4c10b2f9d932b4a1acabff083e8d21cf46a35d0483e17e4c45eac2cac41eaf9

x86_64

automation-eda-controller-1.0.1-1.el8ap.noarch.rpm

SHA-256: 7c4618eb289a037026095f090a5010fdb1dbe94cd19cc23ab32b21b1934d700d

automation-eda-controller-server-1.0.1-1.el8ap.noarch.rpm

SHA-256: fd9f675064007e454da0e4e8b78cad8e152571d4db8a570f1761b3be9d888d90

automation-eda-controller-ui-1.0.1-1.el8ap.noarch.rpm

SHA-256: ce42cac99cc5b83af8a2eca892e1413dc68824e9c9f7dc3d40930ab1eb2eec5f

python39-cryptography-38.0.4-2.el8ap.x86_64.rpm

SHA-256: d8bb1a2e35aa4f65f9f875a47f01517d0210d05f26ead017ee35cdcac5cfdb7a

python39-cryptography-debuginfo-38.0.4-2.el8ap.x86_64.rpm

SHA-256: 549d1e3dabf6e526c32951b4cf74e5e8315648c35170fbac7c82d2c609fa7a7e

python39-django-3.2.20-1.el8ap.noarch.rpm

SHA-256: 5da7f6eb85f923cc2a3e76910a71db1dc34d98ef3eb9d2319c138f0c57291194

python39-requests-2.31.0-1.el8ap.noarch.rpm

SHA-256: 7cde7552478171bc27acf1ed02ef1a3ed1e3ad7fd99954a4eae3b1b9a4255318

python39-rsa-4.7.2-1.el8ap.noarch.rpm

SHA-256: 9e49fccc0bc2999f723a2b13cf649cb08335b5254ff61c0ce87050f92820cb69

python3x-cryptography-debugsource-38.0.4-2.el8ap.x86_64.rpm

SHA-256: 718d1e391137d7e92a9f45495f5afa3300b12f8a80d946635b139c985c64c2d1

s390x

automation-eda-controller-1.0.1-1.el8ap.noarch.rpm

SHA-256: 7c4618eb289a037026095f090a5010fdb1dbe94cd19cc23ab32b21b1934d700d

automation-eda-controller-server-1.0.1-1.el8ap.noarch.rpm

SHA-256: fd9f675064007e454da0e4e8b78cad8e152571d4db8a570f1761b3be9d888d90

automation-eda-controller-ui-1.0.1-1.el8ap.noarch.rpm

SHA-256: ce42cac99cc5b83af8a2eca892e1413dc68824e9c9f7dc3d40930ab1eb2eec5f

python39-cryptography-38.0.4-2.el8ap.s390x.rpm

SHA-256: 51806f4eaeedd4a030e90ccd5718cfa1b56a13f84bfdf78205f61de8ccbec800

python39-cryptography-debuginfo-38.0.4-2.el8ap.s390x.rpm

SHA-256: b4381e9881094669c3551827cec4121a74aae25d259da4132b220524912f7939

python39-django-3.2.20-1.el8ap.noarch.rpm

SHA-256: 5da7f6eb85f923cc2a3e76910a71db1dc34d98ef3eb9d2319c138f0c57291194

python39-requests-2.31.0-1.el8ap.noarch.rpm

SHA-256: 7cde7552478171bc27acf1ed02ef1a3ed1e3ad7fd99954a4eae3b1b9a4255318

python39-rsa-4.7.2-1.el8ap.noarch.rpm

SHA-256: 9e49fccc0bc2999f723a2b13cf649cb08335b5254ff61c0ce87050f92820cb69

python3x-cryptography-debugsource-38.0.4-2.el8ap.s390x.rpm

SHA-256: 6b2f6fb34c4901f280c4369cb2c7b845ec6be2551566b625fa83ee51f04ecb11

ppc64le

automation-eda-controller-1.0.1-1.el8ap.noarch.rpm

SHA-256: 7c4618eb289a037026095f090a5010fdb1dbe94cd19cc23ab32b21b1934d700d

automation-eda-controller-server-1.0.1-1.el8ap.noarch.rpm

SHA-256: fd9f675064007e454da0e4e8b78cad8e152571d4db8a570f1761b3be9d888d90

automation-eda-controller-ui-1.0.1-1.el8ap.noarch.rpm

SHA-256: ce42cac99cc5b83af8a2eca892e1413dc68824e9c9f7dc3d40930ab1eb2eec5f

python39-cryptography-38.0.4-2.el8ap.ppc64le.rpm

SHA-256: 8987427e0190ff5015904475cecc8b1e8166a2abf4c2045bd88862bac0249115

python39-cryptography-debuginfo-38.0.4-2.el8ap.ppc64le.rpm

SHA-256: a92970ed762bd9d8d1b7acea715a0de95968f316527e34b9c9779c916eadaf99

python39-django-3.2.20-1.el8ap.noarch.rpm

SHA-256: 5da7f6eb85f923cc2a3e76910a71db1dc34d98ef3eb9d2319c138f0c57291194

python39-requests-2.31.0-1.el8ap.noarch.rpm

SHA-256: 7cde7552478171bc27acf1ed02ef1a3ed1e3ad7fd99954a4eae3b1b9a4255318

python39-rsa-4.7.2-1.el8ap.noarch.rpm

SHA-256: 9e49fccc0bc2999f723a2b13cf649cb08335b5254ff61c0ce87050f92820cb69

python3x-cryptography-debugsource-38.0.4-2.el8ap.ppc64le.rpm

SHA-256: d7975006f4ef3990fc05abffcf9d063e3b8653cd66766bbbc24d0b1b69cad787

aarch64

automation-eda-controller-1.0.1-1.el8ap.noarch.rpm

SHA-256: 7c4618eb289a037026095f090a5010fdb1dbe94cd19cc23ab32b21b1934d700d

automation-eda-controller-server-1.0.1-1.el8ap.noarch.rpm

SHA-256: fd9f675064007e454da0e4e8b78cad8e152571d4db8a570f1761b3be9d888d90

automation-eda-controller-ui-1.0.1-1.el8ap.noarch.rpm

SHA-256: ce42cac99cc5b83af8a2eca892e1413dc68824e9c9f7dc3d40930ab1eb2eec5f

python39-cryptography-38.0.4-2.el8ap.aarch64.rpm

SHA-256: 00b89a160bf9f27070e15b4621c4d8a7709a516e02fcc708e19a6c60adf74f63

python39-cryptography-debuginfo-38.0.4-2.el8ap.aarch64.rpm

SHA-256: 0d97615aecfcc51b1cd50f8fc72f455c8c84370eefd4e0cc034322b4c61478c1

python39-django-3.2.20-1.el8ap.noarch.rpm

SHA-256: 5da7f6eb85f923cc2a3e76910a71db1dc34d98ef3eb9d2319c138f0c57291194

python39-requests-2.31.0-1.el8ap.noarch.rpm

SHA-256: 7cde7552478171bc27acf1ed02ef1a3ed1e3ad7fd99954a4eae3b1b9a4255318

python39-rsa-4.7.2-1.el8ap.noarch.rpm

SHA-256: 9e49fccc0bc2999f723a2b13cf649cb08335b5254ff61c0ce87050f92820cb69

python3x-cryptography-debugsource-38.0.4-2.el8ap.aarch64.rpm

SHA-256: 4dab9d70be00cad67ab24a2c6a948655e247c594cf09e69c45977571b4706d08

Red Hat Ansible Inside 1.2 for RHEL 9

SRPM

python-cryptography-38.0.4-2.el9ap.src.rpm

SHA-256: 7c89932810761a5e9739b057d97d6fdcc7b9e3476140700551d8200a0fbdd739

x86_64

python-cryptography-debugsource-38.0.4-2.el9ap.x86_64.rpm

SHA-256: 813abd8de5cabb06f043542debbce65c42115e739ee8cf3274ce7b2b6da2b8c9

python3-cryptography-38.0.4-2.el9ap.x86_64.rpm

SHA-256: be34e3c89fbc3d97479670244533c91f2327db72dbf6a3539dbb930bcd372443

python3-cryptography-debuginfo-38.0.4-2.el9ap.x86_64.rpm

SHA-256: f6d53814b71b01f1520e55489c594eaa77f092dd95a0d9c29f6c0e1e85896d97

s390x

python-cryptography-debugsource-38.0.4-2.el9ap.s390x.rpm

SHA-256: 3ed99ba6f0c7a2f02d352f053cda762b1e41c117c52082e0df047c039449f3f7

python3-cryptography-38.0.4-2.el9ap.s390x.rpm

SHA-256: 7d53b0f4fa39a6c2b0ef8cd78bf812a38d0e3f4be715af9974f095d90637afac

python3-cryptography-debuginfo-38.0.4-2.el9ap.s390x.rpm

SHA-256: 9b99973a1e0b93ad3c33d8b571093aaa38b775f891dd1c3e2148fcf13b792160

ppc64le

python-cryptography-debugsource-38.0.4-2.el9ap.ppc64le.rpm

SHA-256: 91d60e114edca2a22b9cdb39ed918f4e02b4fec9c509f08c2e2592515c95552e

python3-cryptography-38.0.4-2.el9ap.ppc64le.rpm

SHA-256: 8b2dd172fadce43d714b25fdf210ceeecf92940164ecc09b6979e95f6ab41b06

python3-cryptography-debuginfo-38.0.4-2.el9ap.ppc64le.rpm

SHA-256: 85c41c90ef33495a5dc956efa425bfa80ba74d2a275e28d5f0046a0edfee8aaa

aarch64

python-cryptography-debugsource-38.0.4-2.el9ap.aarch64.rpm

SHA-256: 079527a429abcb0b3fe7627ba21198b6c944ce7e4adbac68b3b3544fde0167b1

python3-cryptography-38.0.4-2.el9ap.aarch64.rpm

SHA-256: 6e80fd311a4837904d2fc5e809da2858a047880e251ff00b3d567713535fbc98

python3-cryptography-debuginfo-38.0.4-2.el9ap.aarch64.rpm

SHA-256: e62a9e99340ab0e8ec209e0bf5fd6fe49e86b46c1f7aa51790710d2c1777ede8

Red Hat Ansible Inside 1.2 for RHEL 8

SRPM

python3x-cryptography-38.0.4-2.el8ap.src.rpm

SHA-256: 12745a5547af1c85562b184f95851ebd9d84611ed4b6fd0298e5500da6207162

x86_64

python39-cryptography-38.0.4-2.el8ap.x86_64.rpm

SHA-256: d8bb1a2e35aa4f65f9f875a47f01517d0210d05f26ead017ee35cdcac5cfdb7a

python39-cryptography-debuginfo-38.0.4-2.el8ap.x86_64.rpm

SHA-256: 549d1e3dabf6e526c32951b4cf74e5e8315648c35170fbac7c82d2c609fa7a7e

python3x-cryptography-debugsource-38.0.4-2.el8ap.x86_64.rpm

SHA-256: 718d1e391137d7e92a9f45495f5afa3300b12f8a80d946635b139c985c64c2d1

s390x

python39-cryptography-38.0.4-2.el8ap.s390x.rpm

SHA-256: 51806f4eaeedd4a030e90ccd5718cfa1b56a13f84bfdf78205f61de8ccbec800

python39-cryptography-debuginfo-38.0.4-2.el8ap.s390x.rpm

SHA-256: b4381e9881094669c3551827cec4121a74aae25d259da4132b220524912f7939

python3x-cryptography-debugsource-38.0.4-2.el8ap.s390x.rpm

SHA-256: 6b2f6fb34c4901f280c4369cb2c7b845ec6be2551566b625fa83ee51f04ecb11

ppc64le

python39-cryptography-38.0.4-2.el8ap.ppc64le.rpm

SHA-256: 8987427e0190ff5015904475cecc8b1e8166a2abf4c2045bd88862bac0249115

python39-cryptography-debuginfo-38.0.4-2.el8ap.ppc64le.rpm

SHA-256: a92970ed762bd9d8d1b7acea715a0de95968f316527e34b9c9779c916eadaf99

python3x-cryptography-debugsource-38.0.4-2.el8ap.ppc64le.rpm

SHA-256: d7975006f4ef3990fc05abffcf9d063e3b8653cd66766bbbc24d0b1b69cad787

aarch64

python39-cryptography-38.0.4-2.el8ap.aarch64.rpm

SHA-256: 00b89a160bf9f27070e15b4621c4d8a7709a516e02fcc708e19a6c60adf74f63

python39-cryptography-debuginfo-38.0.4-2.el8ap.aarch64.rpm

SHA-256: 0d97615aecfcc51b1cd50f8fc72f455c8c84370eefd4e0cc034322b4c61478c1

python3x-cryptography-debugsource-38.0.4-2.el8ap.aarch64.rpm

SHA-256: 4dab9d70be00cad67ab24a2c6a948655e247c594cf09e69c45977571b4706d08

Red Hat Ansible Developer 1.1 for RHEL 9

SRPM

python-cryptography-38.0.4-2.el9ap.src.rpm

SHA-256: 7c89932810761a5e9739b057d97d6fdcc7b9e3476140700551d8200a0fbdd739

x86_64

python-cryptography-debugsource-38.0.4-2.el9ap.x86_64.rpm

SHA-256: 813abd8de5cabb06f043542debbce65c42115e739ee8cf3274ce7b2b6da2b8c9

python3-cryptography-38.0.4-2.el9ap.x86_64.rpm

SHA-256: be34e3c89fbc3d97479670244533c91f2327db72dbf6a3539dbb930bcd372443

python3-cryptography-debuginfo-38.0.4-2.el9ap.x86_64.rpm

SHA-256: f6d53814b71b01f1520e55489c594eaa77f092dd95a0d9c29f6c0e1e85896d97

s390x

python-cryptography-debugsource-38.0.4-2.el9ap.s390x.rpm

SHA-256: 3ed99ba6f0c7a2f02d352f053cda762b1e41c117c52082e0df047c039449f3f7

python3-cryptography-38.0.4-2.el9ap.s390x.rpm

SHA-256: 7d53b0f4fa39a6c2b0ef8cd78bf812a38d0e3f4be715af9974f095d90637afac

python3-cryptography-debuginfo-38.0.4-2.el9ap.s390x.rpm

SHA-256: 9b99973a1e0b93ad3c33d8b571093aaa38b775f891dd1c3e2148fcf13b792160

ppc64le

python-cryptography-debugsource-38.0.4-2.el9ap.ppc64le.rpm

SHA-256: 91d60e114edca2a22b9cdb39ed918f4e02b4fec9c509f08c2e2592515c95552e

python3-cryptography-38.0.4-2.el9ap.ppc64le.rpm

SHA-256: 8b2dd172fadce43d714b25fdf210ceeecf92940164ecc09b6979e95f6ab41b06

python3-cryptography-debuginfo-38.0.4-2.el9ap.ppc64le.rpm

SHA-256: 85c41c90ef33495a5dc956efa425bfa80ba74d2a275e28d5f0046a0edfee8aaa

aarch64

python-cryptography-debugsource-38.0.4-2.el9ap.aarch64.rpm

SHA-256: 079527a429abcb0b3fe7627ba21198b6c944ce7e4adbac68b3b3544fde0167b1

python3-cryptography-38.0.4-2.el9ap.aarch64.rpm

SHA-256: 6e80fd311a4837904d2fc5e809da2858a047880e251ff00b3d567713535fbc98

python3-cryptography-debuginfo-38.0.4-2.el9ap.aarch64.rpm

SHA-256: e62a9e99340ab0e8ec209e0bf5fd6fe49e86b46c1f7aa51790710d2c1777ede8

Red Hat Ansible Developer 1.1 for RHEL 8

SRPM

python3x-cryptography-38.0.4-2.el8ap.src.rpm

SHA-256: 12745a5547af1c85562b184f95851ebd9d84611ed4b6fd0298e5500da6207162

x86_64

python39-cryptography-38.0.4-2.el8ap.x86_64.rpm

SHA-256: d8bb1a2e35aa4f65f9f875a47f01517d0210d05f26ead017ee35cdcac5cfdb7a

python39-cryptography-debuginfo-38.0.4-2.el8ap.x86_64.rpm

SHA-256: 549d1e3dabf6e526c32951b4cf74e5e8315648c35170fbac7c82d2c609fa7a7e

python3x-cryptography-debugsource-38.0.4-2.el8ap.x86_64.rpm

SHA-256: 718d1e391137d7e92a9f45495f5afa3300b12f8a80d946635b139c985c64c2d1

s390x

python39-cryptography-38.0.4-2.el8ap.s390x.rpm

SHA-256: 51806f4eaeedd4a030e90ccd5718cfa1b56a13f84bfdf78205f61de8ccbec800

python39-cryptography-debuginfo-38.0.4-2.el8ap.s390x.rpm

SHA-256: b4381e9881094669c3551827cec4121a74aae25d259da4132b220524912f7939

python3x-cryptography-debugsource-38.0.4-2.el8ap.s390x.rpm

SHA-256: 6b2f6fb34c4901f280c4369cb2c7b845ec6be2551566b625fa83ee51f04ecb11

ppc64le

python39-cryptography-38.0.4-2.el8ap.ppc64le.rpm

SHA-256: 8987427e0190ff5015904475cecc8b1e8166a2abf4c2045bd88862bac0249115

python39-cryptography-debuginfo-38.0.4-2.el8ap.ppc64le.rpm

SHA-256: a92970ed762bd9d8d1b7acea715a0de95968f316527e34b9c9779c916eadaf99

python3x-cryptography-debugsource-38.0.4-2.el8ap.ppc64le.rpm

SHA-256: d7975006f4ef3990fc05abffcf9d063e3b8653cd66766bbbc24d0b1b69cad787

aarch64

python39-cryptography-38.0.4-2.el8ap.aarch64.rpm

SHA-256: 00b89a160bf9f27070e15b4621c4d8a7709a516e02fcc708e19a6c60adf74f63

python39-cryptography-debuginfo-38.0.4-2.el8ap.aarch64.rpm

SHA-256: 0d97615aecfcc51b1cd50f8fc72f455c8c84370eefd4e0cc034322b4c61478c1

python3x-cryptography-debugsource-38.0.4-2.el8ap.aarch64.rpm

SHA-256: 4dab9d70be00cad67ab24a2c6a948655e247c594cf09e69c45977571b4706d08
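Checking downloaded packages against the SHA-256 values listed above, as an added example (not Red Hat tooling): it parses the package filename / SHA-256 pairs in the layout this page uses and compares them with files on disk. The excerpt embedded in the block is copied from the RHEL 9 x86_64 listing above; the files written by demo() are constructed stand-ins, so the MISMATCH it reports for the eda-controller package is the expected result, not a statement about Red Hat's package.

```python
"""Added example, not Red Hat tooling: verify downloaded RPMs against the
advisory's SHA-256 listing. The parser follows the layout used on this page
(a package filename line followed by a 'SHA-256: <hex>' line)."""
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# Copied from the RHEL 9 x86_64 section of the advisory above.
ADVISORY_EXCERPT = """
automation-eda-controller-1.0.1-1.el9ap.noarch.rpm

SHA-256: 8d4cfedfa8a3d4482618450c294d0fc7e8c8bdf658924c89fbe0ee316f0b2489

automation-eda-controller-server-1.0.1-1.el9ap.noarch.rpm

SHA-256: 0280af70b9e6fde6fd21294605abbec312190e10867c9a1f331b47230b52d92c

python3-django-3.2.20-1.el9ap.noarch.rpm

SHA-256: af9921f8ed09fb578ad0b6697a8eaed5347391109fe1565a439864e4e64f2864
"""

_PKG_LINE = re.compile(r"^([\w.+-]+\.rpm)$")
_SHA_LINE = re.compile(r"^SHA-256:\s*([0-9a-fA-F]{64})$")


def parse_checksums(text: str) -> dict[str, str]:
    """Map package filename -> expected hex digest.

    A digest line that is not directly preceded by a package line (after
    skipping blanks) is ignored rather than mis-assigned; section headers
    such as 'x86_64' or 'SRPM' reset the pairing."""
    expected: dict[str, str] = {}
    pending = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := _PKG_LINE.match(line)):
            pending = m.group(1)
        elif (m := _SHA_LINE.match(line)) and pending:
            expected[pending] = m.group(1).lower()
            pending = None
        else:
            pending = None
    return expected


def sha256_of(path: Path) -> str:
    """Streamed SHA-256 so large RPMs are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_dir(directory: Path, expected: dict[str, str]) -> dict[str, str]:
    """Return 'ok', 'MISMATCH' or 'missing' for every package in expected."""
    results: dict[str, str] = {}
    for name, digest in expected.items():
        path = Path(directory) / name
        if not path.is_file():
            results[name] = "missing"
        elif hmac.compare_digest(sha256_of(path), digest):
            results[name] = "ok"
        else:
            results[name] = "MISMATCH"
    return results


def demo() -> dict[str, str]:
    """Constructed check: one stand-in file with the wrong content, one known-good file, the rest absent."""
    expected = parse_checksums(ADVISORY_EXCERPT)
    with tempfile.TemporaryDirectory() as tmp:
        # Not what Red Hat shipped; must be flagged as MISMATCH.
        (Path(tmp) / "automation-eda-controller-1.0.1-1.el9ap.noarch.rpm").write_bytes(b"not the real rpm")
        # A matching file: the digest below is SHA-256 of the constant b"hello".
        (Path(tmp) / "sample.rpm").write_bytes(b"hello")
        expected["sample.rpm"] = "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"
        return verify_dir(Path(tmp), expected)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9} {name}")
```

Replace the excerpt with the full listing for your platform and point verify_dir at the download directory; a MISMATCH means the file is not the one Red Hat published and must not be installed. Package managers such as dnf already verify the GPG signature on each RPM when gpgcheck is enabled, so this digest check complements signature verification for packages fetched out of band; it does not replace it.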

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Related news

Gentoo Linux Security Advisory 202407-06

Gentoo Linux Security Advisory 202407-6 - Multiple vulnerabilities have been discovered in cryptography, the worst of which could lead to a denial of service. Versions prior to 42.0.4 are affected; 42.0.4 and later contain the fix.

Red Hat Security Advisory 2024-0212-03

Red Hat Security Advisory 2024-0212-03 - An update for python-django is now available for Red Hat OpenStack Platform 17.1. Issues addressed include a denial of service vulnerability.

Ubuntu Security Notice USN-6539-1

Ubuntu Security Notice 6539-1 - It was discovered that the python-cryptography Cipher.update_into function would incorrectly accept objects with immutable buffers. This would result in corrupted output, contrary to expectations. This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, and Ubuntu 23.04. It was discovered that python-cryptography incorrectly handled loading certain PKCS7 certificates. A remote attacker could possibly use this issue to cause python-cryptography to crash, resulting in a denial of service. This issue only affected Ubuntu 22.04 LTS, Ubuntu 23.04, and Ubuntu 23.10.

Red Hat Security Advisory 2023-7341-01

Red Hat Security Advisory 2023-7341-01 - An update is now available for Red Hat Quay 3.

Red Hat Security Advisory 2023-7096-01

Red Hat Security Advisory 2023-7096-01 - An update for python-cryptography is now available for Red Hat Enterprise Linux 8.

Red Hat Security Advisory 2023-5931-01

Red Hat Security Advisory 2023-5931-01 - Updated Satellite 6.13 packages that fix important security bugs and several regular bugs are now available for Red Hat Satellite. Issues addressed include code execution and denial of service vulnerabilities.

CVE-2023-22130: Oracle Critical Patch Update Advisory - October 2023

Vulnerability in the Sun ZFS Storage Appliance product of Oracle Systems (component: Core). The supported version that is affected is 8.8.60. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Sun ZFS Storage Appliance. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Sun ZFS Storage Appliance. CVSS 3.1 Base Score 5.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).

Gentoo Linux Security Advisory 202309-08

Gentoo Linux Security Advisory 202309-8 - A vulnerability has been discovered in Requests which could result in the disclosure of plaintext secrets. Versions prior to 2.31.0 are affected; 2.31.0 and later contain the fix.

Red Hat Security Advisory 2023-4971-01

Red Hat Security Advisory 2023-4971-01 - Red Hat Ansible Automation Platform provides an enterprise framework for building, deploying and managing IT automation at scale. IT Managers can provide top-down guidelines on how automation is applied to individual teams, while automation developers retain the freedom to write tasks that leverage existing knowledge without the overhead. Ansible Automation Platform makes it possible for users across an organization to share, vet, and manage automation content by means of a simple, powerful, and agentless language.

RHSA-2023:4971: Red Hat Security Advisory: Red Hat Ansible Automation Platform 2.4 Product Security and Bug Fix Update

An update is now available for Red Hat Ansible Automation Platform 2.4 Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-23931: A vulnerability was found in python-cryptography. In affected versions, `Cipher.update_into` would accept Python objects which implement the buffer protocol but provide only immutable buffers. This issue allows immutable objects (such as `bytes`) to be mutated, thus violating the fundamental rules of Python, resulting in corrupted output. * CVE-2...

Red Hat Security Advisory 2023-4693-01

Red Hat Security Advisory 2023-4693-01 - Red Hat Ansible Automation Platform provides an enterprise framework for building, deploying and managing IT automation at scale. IT Managers can provide top-down guidelines on how automation is applied to individual teams, while automation developers retain the freedom to write tasks that leverage existing knowledge without the overhead. Ansible Automation Platform makes it possible for users across an organization to share, vet, and manage automation content by means of a simple, powerful, and agentless language. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2023-4692-01

Red Hat Security Advisory 2023-4692-01 - Red Hat Ansible Automation Platform provides an enterprise framework for building, deploying and managing IT automation at scale. IT Managers can provide top-down guidelines on how automation is applied to individual teams, while automation developers retain the freedom to write tasks that leverage existing knowledge without the overhead. Ansible Automation Platform makes it possible for users across an organization to share, vet, and manage automation content by means of a simple, powerful, and agentless language. Issues addressed include cross site request forgery, denial of service, and remote shell upload vulnerabilities.

RHSA-2023:4693: Red Hat Security Advisory: Red Hat Ansible Automation Platform 2.4 Product Security and Bug Fix Update

An update is now available for Red Hat Ansible Automation Platform 2.4. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

* CVE-2023-4380: No description is available for this CVE.
* CVE-2023-23931: A vulnerability was found in python-cryptography. In affected versions, `Cipher.update_into` would accept Python objects which implement the buffer protocol but provide only immutable buffers. This issue allows immutable objects (such as `bytes`) to be mutated, thus violating the fundamen...

RHSA-2023:4692: Red Hat Security Advisory: Red Hat Ansible Automation Platform 2.4 Product Security and Bug Fix Update

An update is now available for Red Hat Ansible Automation Platform 2.4. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

* CVE-2023-24580: A memory exhaustion flaw was found in the python-django package. This issue occurs when passing certain inputs, leading to a system crash and denial of service.
* CVE-2023-36053: A regular expression denial of service vulnerability has been found in Django. Email and URL validators are vulnerable to this flaw when processing a very large number o...

Red Hat Security Advisory 2023-4520-01

Red Hat Security Advisory 2023-4520-01 - The python-requests package contains a library designed to make HTTP requests easy for developers.

RHSA-2023:4520: Red Hat Security Advisory: python-requests security update

An update for python-requests is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

* CVE-2023-32681: A flaw was found in the Python-requests package, where it is vulnerable to potentially leaking Proxy-Authorization headers to destination servers, specifically during redirects to an HTTPS origin. This is a product of how rebuild_proxies is used to recompute and reattach the Proxy-Authorization header to requests when redirected. This beh...

Debian Security Advisory 5465-1

Debian Linux Security Advisory 5465-1 - Seokchan Yoon discovered that missing sanitising in the email and URL validators of Django, a Python web development framework, could result in denial of service.

RHSA-2023:4350: Red Hat Security Advisory: python-requests security update

An update for python-requests is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

* CVE-2023-32681: A flaw was found in the Python-requests package, where it is vulnerable to potentially leaking Proxy-Authorization headers to destination servers, specifically during redirects to an HTTPS origin. This is a product of how rebuild_proxies is used to recompute and reattach the Proxy-Authorization header to requests when redirected. This beh...

Ubuntu Security Notice USN-6203-2

Ubuntu Security Notice 6203-2 - USN-6203-1 fixed a vulnerability in Django. This update provides the corresponding update for Ubuntu 18.04 ESM. Seokchan Yoon discovered that Django incorrectly handled certain regular expressions. A remote attacker could possibly use this issue to cause Django to consume resources, leading to a denial of service.

CVE-2023-22062: Oracle Critical Patch Update Advisory - July 2023

Vulnerability in the Oracle Hyperion Financial Reporting product of Oracle Hyperion (component: Repository). The supported version that is affected is 11.2.13.0.000. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Hyperion Financial Reporting. While the vulnerability is in Oracle Hyperion Financial Reporting, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Hyperion Financial Reporting accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Hyperion Financial Reporting. CVSS 3.1 Base Score 8.5 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L).

Ubuntu Security Notice USN-6203-1

Ubuntu Security Notice 6203-1 - Seokchan Yoon discovered that Django incorrectly handled certain regular expressions. A remote attacker could possibly use this issue to cause Django to consume resources, leading to a denial of service.

GHSA-jh3w-4vvf-mjgr: Django has regular expression denial of service vulnerability in EmailValidator/URLValidator

In Django 3.2 before 3.2.20, 4 before 4.1.10, and 4.2 before 4.2.3, `EmailValidator` and `URLValidator` are subject to a potential ReDoS (regular expression denial of service) attack via a very large number of domain name labels of emails and URLs.

CVE-2023-36053: Django security releases issued: 4.2.3, 4.1.10, and 3.2.20

In Django 3.2 before 3.2.20, 4 before 4.1.10, and 4.2 before 4.2.3, EmailValidator and URLValidator are subject to a potential ReDoS (regular expression denial of service) attack via a very large number of domain name labels of emails and URLs.
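The two Django entries above describe the attack input (an address or URL built from a very large number of domain labels) and the defence the fixed releases adopted (bounding the input before the validator's regular expressions run). The following is an added example written for this page, not Django's validator code: it builds the many-label payload and shows a validator that rejects oversized input cheaply, before any regex is evaluated. The label pattern, the 320/2048 length caps and the 127-label cap are this example's own choices, not Django's exact values.

```python
"""Constructed example, not Django's code: the input shape behind CVE-2023-36053
and the pattern of bounding input size before any regular expression runs.
The regex and the caps below are this example's own choices."""
import re

# Size caps checked *before* the regex. 320 and 2048 are conventional ceilings
# for a mailbox and a URL respectively (example choice; tune to your needs).
MAX_EMAIL_LENGTH = 320
MAX_URL_LENGTH = 2048
# A 253-character hostname cannot hold more single-character labels than this.
MAX_LABELS = 127

# Deliberately simple per-label pattern for illustration, not Django's validator.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.IGNORECASE)


class ValidationError(ValueError):
    pass


def build_many_label_payload(labels, user="user"):
    """Constructed attacker input: 'user@a.a.a...a' with the given label count."""
    return f"{user}@{'.'.join(['a'] * labels)}"


def validate_domain(domain):
    """Split into labels and validate each one. The caller has already bounded
    the total length, so the work here is linear in the input size."""
    labels = domain.split(".")
    if len(labels) > MAX_LABELS:
        raise ValidationError("too many domain labels")
    for label in labels:
        if not LABEL_RE.match(label):
            raise ValidationError(f"invalid label {label!r}")


def validate_email(value):
    """Cheap size check first, structural split second, regex last."""
    if not value or len(value) > MAX_EMAIL_LENGTH:
        raise ValidationError("missing or over-long value")
    user, sep, domain = value.rpartition("@")
    if not sep or not user or not domain:
        raise ValidationError("not of the form user@domain")
    validate_domain(domain)
    return True


def validate_url(value):
    """Same ordering for URLs: length cap, then scheme/host extraction, then labels."""
    if not value or len(value) > MAX_URL_LENGTH:
        raise ValidationError("missing or over-long value")
    m = re.match(r"^https?://([^/?#:]+)", value, re.IGNORECASE)
    if not m:
        raise ValidationError("unsupported scheme or missing host")
    validate_domain(m.group(1))
    return True


def is_valid_email(value):
    """Boolean wrapper around validate_email for callers that do not want exceptions."""
    try:
        return validate_email(value)
    except ValidationError:
        return False


if __name__ == "__main__":
    print(is_valid_email("alice@example.org"))            # normal input passes
    print(is_valid_email(build_many_label_payload(100000)))  # rejected by the length cap
    print(is_valid_email(build_many_label_payload(150)))     # short enough, but too many labels
```

The order of checks is the point: the length cap and the label-count cap both cost O(n) and run before the per-label regex, so an attacker cannot reach the expensive path with a pathological input. When auditing your own validators, look for any regex that runs on unbounded input and put a size bound in front of it.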

CVE-2023-32463: DSA-2023-200: Security Update for Dell VxRail for Multiple Third-Party Component Vulnerabilities

Dell VxRail, version(s) 8.0.100 and earlier contain a denial-of-service vulnerability in the upgrade functionality. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to degraded performance and system malfunction.

Ubuntu Security Notice USN-6155-2

Ubuntu Security Notice 6155-2 - USN-6155-1 fixed a vulnerability in Requests. This update provides the corresponding update for Ubuntu 16.04 ESM and 18.04 ESM. Dennis Brinkrolf and Tobias Funke discovered that Requests incorrectly leaked Proxy-Authorization headers. A remote attacker could possibly use this issue to obtain sensitive information.

Ubuntu Security Notice USN-6155-1

Ubuntu Security Notice 6155-1 - Dennis Brinkrolf and Tobias Funke discovered that Requests incorrectly leaked Proxy-Authorization headers. A remote attacker could possibly use this issue to obtain sensitive information.

CVE-2023-32681: Unintended leak of Proxy-Authorization header

Requests is a HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use `rebuild_proxies` to reattach the `Proxy-Authorization` header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the `Proxy-Authorization` header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. This issue has been patched in version 2.31.0.

GHSA-j8r2-6x86-q33q: Unintended leak of Proxy-Authorization header in requests

### Impact

Since Requests v2.3.0, Requests has been vulnerable to potentially leaking `Proxy-Authorization` headers to destination servers, specifically during redirects to an HTTPS origin. This is a product of how `rebuild_proxies` is used to recompute and [reattach the `Proxy-Authorization` header](https://github.com/psf/requests/blob/f2629e9e3c7ce3c3c8c025bcd8db551101cbc773/requests/sessions.py#L319-L328) to requests when redirected. Note this behavior has _only_ been observed to affect proxied requests when credentials are supplied in the URL user information component (e.g. `https://username:password@proxy:8080`).

**Current vulnerable behavior(s):**

1. HTTP → HTTPS: **leak**
2. HTTPS → HTTP: **no leak**
3. HTTPS → HTTPS: **leak**
4. HTTP → HTTP: **no leak**

For HTTP connections sent through the proxy, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the `Proxy-Authorization` head...
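The CVE-2023-32681 entry and the GHSA-j8r2-6x86-q33q entry above describe the same mechanism from two angles: the client reattaches `Proxy-Authorization` on every redirect, a plain-HTTP proxy strips it, and a CONNECT tunnel passes it straight to the origin. The following is an added, stand-alone model of that behaviour written for this page; it is not requests' own code. The proxy URL, hostnames and credentials are constructed, the two `rebuild_proxies_*` functions re-implement the pre-2.31.0 and 2.31.0 header logic in isolation, and `headers_seen_by_origin` is a deliberately simplified stand-in for a forward proxy. The model makes the leak depend only on the redirect target's scheme, which is exactly the pattern in the advisory's four-row matrix.

```python
"""Model of the CVE-2023-32681 Proxy-Authorization leak and its fix.

Constructed example (not requests' own code). It re-implements the header
attachment done in requests.Session.rebuild_proxies before and after 2.31.0
in stand-alone form and models what a forward proxy does with the header for
plain-HTTP versus CONNECT-tunnelled requests. Uses only the standard library.
"""
import base64
from urllib.parse import unquote, urlparse

# Constructed proxy configuration: credentials in the URL userinfo component,
# which is the configuration the advisory identifies as affected.
PROXIES = {
    "http": "http://alice:s3cret@proxy.example.internal:8080",
    "https": "http://alice:s3cret@proxy.example.internal:8080",
}


def get_auth_from_url(url):
    """Return (username, password) from a URL's userinfo, percent-decoded, else ('', '')."""
    parts = urlparse(url)
    if parts.username is None:
        return "", ""
    return unquote(parts.username), unquote(parts.password or "")


def basic_auth_str(username, password):
    """RFC 7617 Basic credential string."""
    token = base64.b64encode(f"{username}:{password}".encode("latin1")).decode("ascii")
    return "Basic " + token


def rebuild_proxies_vulnerable(url, proxies, headers):
    """Pre-2.31.0 behaviour: reattach Proxy-Authorization for the redirected
    request regardless of the target scheme."""
    scheme = urlparse(url).scheme
    headers.pop("Proxy-Authorization", None)
    username, password = get_auth_from_url(proxies.get(scheme, ""))
    if username and password:
        headers["Proxy-Authorization"] = basic_auth_str(username, password)
    return headers


def rebuild_proxies_fixed(url, proxies, headers):
    """2.31.0 behaviour: never attach the header to an HTTPS request. For a
    CONNECT tunnel the adapter sends proxy credentials in the CONNECT itself,
    so the tunnelled request must not carry them to the origin."""
    scheme = urlparse(url).scheme
    headers.pop("Proxy-Authorization", None)
    username, password = get_auth_from_url(proxies.get(scheme, ""))
    if not scheme.startswith("https") and username and password:
        headers["Proxy-Authorization"] = basic_auth_str(username, password)
    return headers


def headers_seen_by_origin(url, headers):
    """Simplified forward proxy. Plain HTTP: the proxy parses the request and
    strips Proxy-Authorization before forwarding. HTTPS: the proxy only sees
    the CONNECT, so the tunnelled request reaches the origin untouched."""
    if urlparse(url).scheme == "https":
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() != "proxy-authorization"}


def follow_redirect(rebuild, redirect_url, proxies=PROXIES):
    """Simulate the redirect hop. The initial request carries no
    Proxy-Authorization (the adapter handles proxy auth itself); on redirect
    the session rebuilds headers for the new URL. Returns True if proxy
    credentials reach the redirect target's origin server."""
    headers = {"User-Agent": "example/1.0"}
    headers = rebuild(redirect_url, proxies, headers)
    return "Proxy-Authorization" in headers_seen_by_origin(redirect_url, headers)


def leak_matrix(rebuild):
    """{(from_scheme, to_scheme): leaked} for the four cases listed in the advisory."""
    matrix = {}
    for src in ("http", "https"):
        for dst in ("http", "https"):
            matrix[(src, dst)] = follow_redirect(rebuild, f"{dst}://other.example/landing")
    return matrix


def requests_version_is_vulnerable(version):
    """True for any requests release in the affected range [2.3.0, 2.31.0)."""
    parts = tuple(int(p) for p in version.split(".")[:3])
    return (2, 3, 0) <= parts < (2, 31, 0)


if __name__ == "__main__":
    for name, fn in (("vulnerable", rebuild_proxies_vulnerable), ("fixed", rebuild_proxies_fixed)):
        print(name)
        for (src, dst), leaked in leak_matrix(fn).items():
            print(f"  {src.upper()} -> {dst.upper()}: {'leak' if leaked else 'no leak'}")
```

Run stand-alone, the vulnerable branch reproduces the advisory's matrix (leak only when the redirect target is HTTPS) and the fixed branch never leaks. `requests_version_is_vulnerable` is the quick inventory check: anything from 2.3.0 up to but excluding 2.31.0 needs the update, and in the meantime the exposure can be removed entirely by not placing credentials in proxy URLs.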

CVE-2023-21954: Oracle Critical Patch Update Advisory - April 2023

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through...

CVE-2023-23931: Cipher.update_into can corrupt memory if passed an immutable python object as the outbuf

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. In affected versions `Cipher.update_into` would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects (such as `bytes`) to be mutated, thus violating fundamental rules of Python and resulting in corrupted output. This now correctly raises an exception. This issue has been present since `update_into` was originally introduced in cryptography 1.8.

GHSA-w7pp-m8wf-vj6r: Cipher.update_into can corrupt memory if passed an immutable python object as the outbuf

Previously, `Cipher.update_into` would accept Python objects which implement the buffer protocol, but provide only immutable buffers (imports added for completeness; the session below shows the behaviour of an affected version):

```pycon
>>> from cryptography.hazmat.primitives import ciphers
>>> from cryptography.hazmat.primitives.ciphers import modes
>>> from cryptography.hazmat.primitives.ciphers.algorithms import AES
>>> outbuf = b"\x00" * 32
>>> c = ciphers.Cipher(AES(b"\x00" * 32), modes.ECB()).encryptor()
>>> c.update_into(b"\x00" * 16, outbuf)  # on an affected version this writes into the immutable bytes object
16
>>> outbuf
b'\xdc\x95\xc0x\xa2@\x89\x89\xadH\xa2\x14\x92\x84 \x87\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
```

This would allow immutable objects (such as `bytes`) to be mutated, thus violating fundamental rules of Python. This is a soundness bug -- it allows programmers to misuse an API, it cannot be exploited by attacker controlled data alone. This now correctly raises an exception. This issue has been present since `update_into` was originally introduced in cryptography 1.8.
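The check that an in-place API has to perform is visible from the advisory above: the output buffer must be writable, and it must be large enough for what will be written. The following is an added example for this page, not python-cryptography's code: it shows that check in front of an in-place `update_into`-style call, using `memoryview` to inspect the buffer. The transform is a stand-in XOR keystream so the block runs without the cryptography package installed; only the buffer validation is the point.

```python
"""Constructed example, not python-cryptography's code: the writable-buffer
check an in-place update API needs, of the kind CVE-2023-23931 was missing.
The 'cipher' is a stand-in XOR keystream so the example runs stand-alone."""


def is_writable(buf):
    """True for bytearray / writable memoryviews, False for bytes and other
    read-only buffer-protocol objects."""
    return not memoryview(buf).readonly


def require_writable_buffer(buf, needed):
    """Reject read-only buffers and buffers too small for the output, and return
    a byte-oriented writable view. Raises TypeError or ValueError."""
    view = memoryview(buf)
    if view.readonly:
        raise TypeError("outbuf must be a writable buffer such as bytearray")
    if view.nbytes < needed:
        raise ValueError(f"outbuf holds {view.nbytes} bytes, need {needed}")
    return view.cast("B")


def xor_keystream(key, data):
    """Stand-in for a real cipher transform (NOT cryptographically meaningful)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def update_into(key, data, outbuf):
    """Write the transformed bytes into outbuf and return the byte count,
    validating the buffer first instead of trusting the buffer protocol alone."""
    view = require_writable_buffer(outbuf, len(data))
    out = xor_keystream(key, data)
    view[: len(out)] = out
    return len(out)


def update_into_outcome(key, data, outbuf):
    """Return ('ok', n) or ('error', exception-class-name) for a single call;
    convenient for showing the two rejection paths side by side."""
    try:
        return "ok", update_into(key, data, outbuf)
    except (TypeError, ValueError) as exc:
        return "error", type(exc).__name__


if __name__ == "__main__":
    print(update_into_outcome(b"\x01", b"\x00" * 4, bytearray(8)))   # ('ok', 4)
    print(update_into_outcome(b"\x01", b"\x00" * 4, b"\x00" * 8))    # ('error', 'TypeError')
    print(update_into_outcome(b"\x01", b"\x00" * 4, bytearray(2)))   # ('error', 'ValueError')
```

The immutable-`bytes` case is precisely the one the advisory's session shows succeeding on an affected version; with the check in place it raises `TypeError` before anything is written. The size check is the companion guard: a writable buffer that is too small is a memory-safety problem rather than a soundness one when the write happens in native code.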
