[Security] Bump cryptography from 41.0.5 to 41.0.6
Bumps cryptography from 41.0.5 to 41.0.6. This update includes a security fix.
Vulnerabilities fixed
cryptography vulnerable to NULL-dereference when loading PKCS7 certificates
Summary
Calling load_pem_pkcs7_certificates or load_der_pkcs7_certificates could lead to a NULL-pointer dereference and segfault.
PoC
Here is a Python code that triggers the issue:
```python
from cryptography.hazmat.primitives.serialization.pkcs7 import (
    load_der_pkcs7_certificates,
    load_pem_pkcs7_certificates,
)

# A PKCS#7 ContentInfo that carries only the signedData OID and no content.
pem_p7 = b"""
-----BEGIN PKCS7-----
MAsGCSqGSIb3DQEHAg==
-----END PKCS7-----
"""
# Same structure, DER-encoded.
der_p7 = b"\x30\x0B\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x07\x02"

load_pem_pkcs7_certificates(pem_p7)
load_der_pkcs7_certificates(der_p7)
```
... (truncated)
Patched versions: 41.0.6
Affected versions: >= 3.1, < 41.0.6
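The input in the PoC above is a PKCS#7 ContentInfo (RFC 2315: a SEQUENCE of a contentType OID and an optional [0] EXPLICIT content element) whose content is simply absent. The following is an added example, not code from the cryptography project or from the advisory: a small DER pre-check that rejects a ContentInfo lacking the [0] content element before the bytes reach cryptography's loader, which is the kind of structural guard an application could put in front of untrusted PKCS#7 input while the patched version is rolled out. The function names (`pkcs7_has_content`, `pem_to_der`, `load_certificates_guarded`) and the well-formed sample bytes are assumptions constructed for this example; the malformed samples are the ones from the PoC.

```python
"""Structural pre-check of a PKCS#7 ContentInfo (added example, not project code)."""
import base64
import re

# ContentInfo ::= SEQUENCE {
#     contentType OBJECT IDENTIFIER,
#     content [0] EXPLICIT ANY DEFINED BY contentType OPTIONAL }
# The PoC omits `content`, which is the shape that triggered CVE-2023-49083.

# Malformed samples taken from the PoC in the advisory.
MALFORMED_DER = b"\x30\x0B\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x07\x02"
MALFORMED_PEM = b"""
-----BEGIN PKCS7-----
MAsGCSqGSIb3DQEHAg==
-----END PKCS7-----
"""
# Constructed well-formed shape: same OID followed by [0] { SEQUENCE {} }.
# (Structurally complete, not a meaningful SignedData; used only to show the check passing.)
WELLFORMED_DER = MALFORMED_DER[:1] + b"\x0F" + MALFORMED_DER[2:] + b"\xA0\x02\x30\x00"


def _read_tlv(buf, pos):
    """Parse one DER TLV starting at pos; return (tag, value, next_pos).

    Raises ValueError on truncation, indefinite length, or multi-byte tags.
    """
    if pos >= len(buf):
        raise ValueError("unexpected end of data")
    tag = buf[pos]
    pos += 1
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags not supported")
    if pos >= len(buf):
        raise ValueError("missing length octet")
    length = buf[pos]
    pos += 1
    if length & 0x80:
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length")
        if pos + n > len(buf):
            raise ValueError("truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value truncated")
    return tag, buf[pos:pos + length], pos + length


def pkcs7_has_content(der):
    """True iff der is one SEQUENCE holding an OID followed by a [0] content element."""
    try:
        tag, body, end = _read_tlv(der, 0)
        if tag != 0x30 or end != len(der):
            return False
        tag, _oid, pos = _read_tlv(body, 0)
        if tag != 0x06:
            return False
        if pos >= len(body):
            return False  # OID only, no content: reject before the loader sees it
        tag, _content, pos = _read_tlv(body, pos)
        return tag == 0xA0 and pos == len(body)
    except ValueError:
        return False


def pem_to_der(pem):
    """Extract and base64-decode the first PKCS7 PEM block."""
    m = re.search(rb"-----BEGIN PKCS7-----(.*?)-----END PKCS7-----", pem, re.S)
    if not m:
        raise ValueError("no PKCS7 PEM block found")
    return base64.b64decode(b"".join(m.group(1).split()))


def load_certificates_guarded(der):
    """Run the structural check, then defer to cryptography's DER loader (hypothetical wrapper)."""
    if not pkcs7_has_content(der):
        raise ValueError("PKCS#7 ContentInfo has no content element; refusing to load")
    # Imported lazily so the pre-check itself has no dependency on cryptography.
    from cryptography.hazmat.primitives.serialization.pkcs7 import load_der_pkcs7_certificates
    return load_der_pkcs7_certificates(der)
```

The check only guards the outer ContentInfo shape; it is not a PKCS#7 validator, and upgrading to 41.0.6 remains the actual fix. Because the guard is a pure function over bytes, it can also be used as a detection rule on PKCS#7 blobs seen at an ingestion boundary.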
Changelog
Sourced from cryptography's changelog.
41.0.6 - 2023-11-27
* Fixed a null-pointer-dereference and segfault that could occur when loading certificates from a PKCS#7 bundle. Credit to **pkuzco** for reporting the issue. **CVE-2023-49083**
Commits
- f09c261 41.0.6 release (#9927)
See full diff in compare view