CVE-2024-26130

Publication date 21 February 2024

Last updated 24 July 2024


Ubuntu priority

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Starting in version 38.0.0 and prior to version 42.0.4, if `pkcs12.serialize_key_and_certificates` is called with both a certificate whose public key does not match the provided private key and an `encryption_algorithm` with `hmac_hash` set (via `PrivateFormat.PKCS12.encryption_builder().hmac_hash(...)`), a NULL pointer dereference occurs, crashing the Python process. This has been resolved in version 42.0.4, the first version in which a `ValueError` is properly raised.

Status

| Package | Ubuntu Release | Status |
|---|---|---|
| python-cryptography | 24.04 LTS noble | Fixed 41.0.7-4ubuntu0.1 |
| | 23.10 mantic | Fixed 38.0.4-4ubuntu0.23.10.2 |
| | 22.04 LTS jammy | Not affected |
| | 20.04 LTS focal | Not affected |
| | 18.04 LTS bionic | Not affected |
| | 16.04 LTS xenial | Not affected |
| | 14.04 LTS trusty | Not in release |

Patch details

For informational purposes only. We recommend not to cherry-pick updates.

Package Patch details
python-cryptography

References

Related Ubuntu Security Notices (USN)

    • USN-6673-1: python-cryptography vulnerabilities (4 March 2024)
    • USN-6673-3: python-cryptography vulnerability (27 May 2024)
