First published: Wed Feb 21 2024
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Starting in version 38.0.0 and prior to version 42.0.4, if `pkcs12.serialize_key_and_certificates` was called with both a certificate whose public key did not match the provided private key and an `encryption_algorithm` with `hmac_hash` set (via `PrivateFormat.PKCS12.encryption_builder().hmac_hash(...)`), a NULL pointer dereference would occur, crashing the Python process. This has been resolved in version 42.0.4, the first version in which a `ValueError` is properly raised.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| pip/cryptography | >=38.0.0, <42.0.4 | 42.0.4 |
| redhat/cryptography | <42.0.4 | 42.0.4 |
| IBM Concert Software | <=1.0.0 - 1.0.1 | |
| debian/python-cryptography | <=38.0.4-3~deb12u1 | 3.3.2-1, 3.3.2-1+deb11u1, 38.0.4-3+deb12u1, 43.0.0-1 |