
chore(deps): update dependency cryptography to v41.0.6 [security] #1061

Merged
merged 1 commit into from
Jan 4, 2024

Conversation

renovate[bot]
Contributor

@renovate renovate bot commented Nov 29, 2023

Mend Renovate

This PR contains the following updates:

Package: cryptography (changelog)
Change: ==41.0.5 -> ==41.0.6
Age / Adoption / Passing / Confidence: Renovate merge-confidence badges (images, not reproduced here)

GitHub Vulnerability Alerts

CVE-2023-49083

Summary

Calling load_pem_pkcs7_certificates or load_der_pkcs7_certificates could lead to a NULL-pointer dereference and segfault.

PoC

Here is Python code that triggers the issue:

from cryptography.hazmat.primitives.serialization.pkcs7 import load_der_pkcs7_certificates, load_pem_pkcs7_certificates

# PEM form of the same 13-byte DER structure below (base64 of 30 0B 06 09 2A 86 48 86 F7 0D 01 07 02).
pem_p7 = b"""
-----BEGIN PKCS7-----
MAsGCSqGSIb3DQEHAg==
-----END PKCS7-----
"""

# A bare PKCS#7 ContentInfo: SEQUENCE (0x30, length 11) holding only the OID
# 1.2.840.113549.1.7.2 (pkcs7-signedData). The [0] content field is absent, so
# there is no SignedData to walk; the vulnerable loader assumes it is present.
der_p7 = b"\x30\x0B\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x07\x02"

# On the vulnerable 41.0.5 build each call dereferences NULL and the interpreter
# segfaults; 41.0.6 fixes the null dereference.
load_pem_pkcs7_certificates(pem_p7)
load_der_pkcs7_certificates(der_p7)

Impact

Exploitation of this vulnerability poses a serious risk of Denial of Service (DoS) for any application attempting to deserialize a PKCS7 blob/certificate. The consequences extend to potential disruptions in system availability and stability.


Release Notes

pyca/cryptography (cryptography)

v41.0.6

Compare Source


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.
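The advisory's impact statement is a denial of service against any process that hands untrusted PKCS#7 data to these loaders, and the fix is to move to 41.0.6. As an added example that is not part of this PR or of pyca/cryptography, the code below shows two defender-side measures a service can combine: a deployment check that the installed cryptography is at or past the fixed release, and parsing the untrusted blob in a child interpreter so that a crash inside the native parser surfaces to the caller as a failed parse rather than taking the whole process down. The function names, the `ParseResult` shape, the JSON exchange with the child and the simulated-crash inputs are assumptions of this example; the DER blob is the one from the advisory's PoC.

```python
"""Added example (not part of this PR or of pyca/cryptography): defensive
handling of PKCS#7 certificate loading around CVE-2023-49083.

Two mitigations for the failure mode the advisory describes:
  1. a deployment check that the installed cryptography is 41.0.6 or later;
  2. running the native parser in a child process so that a segfault in the
     parser surfaces to the caller as a failed parse instead of a crash.
Function names, the JSON result shape and the constructed inputs below are
assumptions of this example.
"""
import base64
import json
import re
import signal
import subprocess
import sys
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

FIXED_VERSION = (41, 0, 6)  # first release carrying the fix, per the advisory


def parse_version(v: str) -> Tuple[int, int, int]:
    """Turn '41.0.6' (or '42.0.0rc1') into a comparable (major, minor, patch)."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", v)
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_patched(v: str) -> bool:
    """True when the given cryptography version is 41.0.6 or later."""
    return parse_version(v) >= FIXED_VERSION


def installed_cryptography_version() -> Optional[str]:
    """Version of the cryptography distribution in this environment, or None."""
    try:
        from importlib.metadata import version
        return version("cryptography")
    except Exception:  # PackageNotFoundError or a broken install
        return None


@dataclass
class ParseResult:
    ok: bool
    certs: List[str] = field(default_factory=list)  # PEM text of each certificate
    error: str = ""
    crashed: bool = False  # child died from a signal (SIGSEGV, SIGABRT, ...)


# Source of the child process. It talks JSON over stdin/stdout, so the parent
# never calls the native parser itself.
CHILD_SCRIPT = r"""
import base64, json, sys
from cryptography.hazmat.primitives.serialization import Encoding, pkcs7
req = json.loads(sys.stdin.read())
data = base64.b64decode(req["data"])
load = pkcs7.load_pem_pkcs7_certificates if req["fmt"] == "pem" else pkcs7.load_der_pkcs7_certificates
try:
    certs = load(data)
    print(json.dumps({"certs": [c.public_bytes(Encoding.PEM).decode() for c in certs]}))
except Exception as exc:
    print(json.dumps({"error": f"{type(exc).__name__}: {exc}"}))
"""


def run_isolated(script: str, stdin: str = "", timeout: float = 30.0) -> ParseResult:
    """Run `script` in a fresh interpreter and classify how it ended."""
    try:
        proc = subprocess.run([sys.executable, "-c", script], input=stdin,
                              capture_output=True, text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return ParseResult(False, error="parser child timed out")
    if proc.returncode < 0:  # POSIX: the child was killed by signal -returncode
        name = signal.Signals(-proc.returncode).name
        return ParseResult(False, error=f"parser child killed by {name}", crashed=True)
    if proc.returncode != 0:
        return ParseResult(False, error=f"parser child exited {proc.returncode}: {proc.stderr.strip()}")
    reply = json.loads(proc.stdout)
    if "error" in reply:
        return ParseResult(False, error=reply["error"])
    return ParseResult(True, certs=reply["certs"])


def load_pkcs7_certificates_isolated(data: bytes, fmt: str = "der") -> ParseResult:
    """Parse an untrusted PKCS#7 blob without letting a parser crash take down the caller."""
    if fmt not in ("pem", "der"):
        raise ValueError("fmt must be 'pem' or 'der'")
    ver = installed_cryptography_version()
    if ver is not None and not is_patched(ver):
        return ParseResult(False, error=f"refusing: cryptography {ver} predates the fix in 41.0.6")
    req = json.dumps({"fmt": fmt, "data": base64.b64encode(data).decode()})
    return run_isolated(CHILD_SCRIPT, stdin=req)


if __name__ == "__main__":
    # The DER blob from the advisory's PoC: a signedData ContentInfo with no content.
    der_p7 = b"\x30\x0B\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x07\x02"
    print(load_pkcs7_certificates_isolated(der_p7, "der"))
```

Whatever version of cryptography is present, the PoC blob never yields certificates through this wrapper: on a vulnerable build the child dies and the parent reports `crashed=True`; on a fixed build the child reports the loader's exception; and if the library is missing the child exits non-zero. The process isolation costs a fork per parse, which is acceptable for occasional bundle uploads but not for a hot path, so treat it as a stop-gap for native parsers you do not control rather than a substitute for updating.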

@renovate renovate bot force-pushed the renovate/pypi-cryptography-vulnerability branch 3 times, most recently from ccb599f to bb5203d Compare December 5, 2023 19:01
@renovate renovate bot force-pushed the renovate/pypi-cryptography-vulnerability branch 8 times, most recently from 272be01 to 81b4b9c Compare December 13, 2023 23:31
@renovate renovate bot force-pushed the renovate/pypi-cryptography-vulnerability branch 2 times, most recently from c4d1cc1 to 24a2f83 Compare December 19, 2023 20:01
@renovate renovate bot force-pushed the renovate/pypi-cryptography-vulnerability branch 3 times, most recently from 762ad20 to 838cef1 Compare January 3, 2024 00:34
@renovate renovate bot force-pushed the renovate/pypi-cryptography-vulnerability branch from 838cef1 to 47a8e56 Compare January 3, 2024 20:14

sonarqubecloud bot commented Jan 3, 2024

Quality Gate Passed Quality Gate passed for 'nr-forests-access-management_admin'

Kudos, no new issues were introduced!

0 New issues
0 Security Hotspots
No data about Coverage
No data about Duplication

See analysis details on SonarCloud

@MCatherine1994 MCatherine1994 merged commit d22c289 into main Jan 4, 2024
10 checks passed
@MCatherine1994 MCatherine1994 deleted the renovate/pypi-cryptography-vulnerability branch January 4, 2024 19:47