AIX Open Source


Current cryptography version is affected by CVE-2023-49083

  • 1.  Current cryptography version is affected by CVE-2023-49083

    Posted Tue February 06, 2024 06:19 PM
    Edited by LUIS ABDEL AGUILAR JURADO Tue February 06, 2024 06:23 PM

    Hi Team,

    Is cryptography-3.4.7-4 affected by CVE-2023-49083? Is the fix for this vulnerability in scope? Is there an ETA?

    Security issue description (PoC): NULL-dereference when loading PKCS7 certificates

    Regards



    ------------------------------
    LUIS ABDEL AGUILAR JURADO
    ------------------------------



  • 2.  RE: Current cryptography version is affected by CVE-2023-49083

    Posted Wed February 07, 2024 04:07 AM

    Hi Luis,

    The cryptography-3.4.7 version is not affected by CVE-2023-49083. This CVE affects the recent releases. We are not moving to the recent releases because of the Rust requirement.



    ------------------------------
    Harshith K A
    ------------------------------



  • 3.  RE: Current cryptography version is affected by CVE-2023-49083

    Posted Tue February 20, 2024 07:54 AM

    Hi Luis,

    After more analysis, we found that CVE-2023-49083 does actually affect the cryptography-3.4.7 version. We are working on backporting the fix and will upload it to the AIX toolbox soon.



    ------------------------------
    Harshith K A
    ------------------------------
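While a backport is pending, a service that must keep parsing PKCS7 bundles from untrusted sources can at least stop a NULL-dereference in the loader from taking the whole process down. The following is an added example written for this page, not code from the thread, from IBM, or from the cryptography project: it runs the loader in a forked child process and reports whether the child returned, raised, crashed on a signal, or hung. The `pkcs7.load_pem_pkcs7_certificates` name is cryptography's real API for loading PEM PKCS7 certificates; the `_crashing_loader`, `_raising_loader` and `_echo_loader` helpers are constructed stand-ins used only to exercise the wrapper, and the constructed `_crashing_loader` deliberately kills itself with SIGSEGV to simulate a native crash without any malformed input.

```python
import multiprocessing as mp
import os
import signal

# Optional real loader. The import is guarded so this module loads even where the
# cryptography package is absent; pkcs7.load_pem_pkcs7_certificates is the API
# this thread discusses. Certificates are returned as DER bytes because bytes
# travel safely over the pipe back to the parent.
try:
    from cryptography.hazmat.primitives.serialization import Encoding, pkcs7

    def load_pkcs7_der_list(pem_bytes):
        certs = pkcs7.load_pem_pkcs7_certificates(pem_bytes)
        return [c.public_bytes(Encoding.DER) for c in certs]
except ImportError:  # pragma: no cover
    load_pkcs7_der_list = None


def run_isolated(loader, data, timeout=5.0):
    """Run loader(data) in a forked child and report how it ended.

    Returns a (status, payload) tuple:
      ("ok", result)         loader returned normally
      ("error", repr(exc))   loader raised a Python exception
      ("crashed", signame)   child died from a signal such as SIGSEGV
      ("timeout", None)      child did not finish within `timeout` seconds
    A native NULL dereference inside loader kills only the child process.
    """
    ctx = mp.get_context("fork")
    parent_conn, child_conn = ctx.Pipe(duplex=False)

    def _child():
        try:
            child_conn.send(("ok", loader(data)))
        except Exception as exc:  # report any Python-level failure to the parent
            child_conn.send(("error", repr(exc)))

    proc = ctx.Process(target=_child)
    proc.start()
    child_conn.close()  # parent keeps only the read end; EOF means the child is gone

    message = None
    timed_out = False
    try:
        if parent_conn.poll(timeout):
            message = parent_conn.recv()
        else:
            timed_out = True
    except EOFError:
        pass  # child exited without sending anything: it crashed

    if timed_out:
        proc.kill()
        proc.join()
        return ("timeout", None)

    proc.join()
    if message is not None:
        return message
    if proc.exitcode is not None and proc.exitcode < 0:
        return ("crashed", signal.Signals(-proc.exitcode).name)
    return ("crashed", f"exit status {proc.exitcode}")


# Constructed stand-in loaders used to demonstrate the three outcomes.
def _crashing_loader(_data):
    """Simulates a loader with a NULL-dereference bug by raising SIGSEGV on itself."""
    os.kill(os.getpid(), signal.SIGSEGV)


def _raising_loader(_data):
    raise ValueError("malformed PKCS7 (constructed example error)")


def _echo_loader(data):
    return len(data)


if __name__ == "__main__":
    print(run_isolated(_crashing_loader, b"constructed input"))
    print(run_isolated(_raising_loader, b"constructed input"))
    print(run_isolated(_echo_loader, b"abc"))
```

In a deployment, `run_isolated(load_pkcs7_der_list, pem_bytes)` replaces the direct call; a `("crashed", "SIGSEGV")` result is the signal to reject the input and log it for investigation rather than the parent process disappearing. Process isolation is a containment measure only; applying the backported fix once it reaches the AIX toolbox remains the actual remediation.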