Hi team,

In a security scan I got the following vulnerability "CVE-2023-23931", the affected package is "cryptography".

Looking into the change log (https://cryptography.io/en/latest/changelog/#v39-0-1), found that the vulnerability was fixed in the following version:

39.0.1 - 2023-02-07

• SECURITY ISSUE - Fixed a bug where Cipher.update_into accepted Python buffer protocol objects, but allowed immutable buffers. CVE-2023-23931

• Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.0.8.

Looking into the available package of "cryptography" in the Aix Tool box (AIX Toolbox for Open Source Software : Downloads alpha

)

The latest version is the following:

Is there a plan to deliver a new version of "cryptography" to fix the vulnerability?

Hi Luis,

The CVE-2023-23931 is backported to the  version python3.9-cryptography-3.4.7-4 

You can refer the spec file from the toolbox link below.

public.dhe.ibm.com/aix/freeSoftware/aixtoolbox/SPECS/python3.9-cryptography-3.4.7-4.spec

Hi team,

In a security scan I got the following vulnerability "CVE-2023-23931", the affected package is "cryptography".

Looking into the change log (https://cryptography.io/en/latest/changelog/#v39-0-1), found that the vulnerability was fixed in the following version:

39.0.1 - 2023-02-07

• SECURITY ISSUE - Fixed a bug where Cipher.update_into accepted Python buffer protocol objects, but allowed immutable buffers. CVE-2023-23931

• Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.0.8.

Looking into the available package of "cryptography" in the Aix Tool box (AIX Toolbox for Open Source Software : Downloads alpha

)

The latest version is the following:

Is there a plan to deliver a new version of "cryptography" to fix the vulnerability?

Thanks for the clarification

There is also another vulnerability reported: CVE-2023-38325 [https://www.cve.org/CVERecord?id=CVE-2023-38325]

I was not able to find that vulnerability in the current cryptography package.

Is there a plan to deliver a new version of "cryptography" to fix the vulnerability?

Hi Luis,

The CVE-2023-23931 is backported to the  version python3.9-cryptography-3.4.7-4 

You can refer the spec file from the toolbox link below.

public.dhe.ibm.com/aix/freeSoftware/aixtoolbox/SPECS/python3.9-cryptography-3.4.7-4.spec

Hi team,

In a security scan I got the following vulnerability "CVE-2023-23931", the affected package is "cryptography".

Looking into the change log (https://cryptography.io/en/latest/changelog/#v39-0-1), found that the vulnerability was fixed in the following version:

39.0.1 - 2023-02-07

• SECURITY ISSUE - Fixed a bug where Cipher.update_into accepted Python buffer protocol objects, but allowed immutable buffers. CVE-2023-23931

• Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.0.8.

Looking into the available package of "cryptography" in the Aix Tool box (AIX Toolbox for Open Source Software : Downloads alpha

)

The latest version is the following:

Is there a plan to deliver a new version of "cryptography" to fix the vulnerability?