[Python-modules-team] Bug#962142: python-rsa: CVE-2020-13757

Salvatore Bonaccorso carnil at debian.org
Wed Jun 3 20:26:47 BST 2020


Source: python-rsa
Version: 4.0-4
Severity: important
Tags: security upstream
Forwarded: https://github.com/sybrenstuvel/python-rsa/issues/146
Control: found -1 4.0-2

Hi,

The following vulnerability was published for python-rsa.

CVE-2020-13757[0]:
| Python-RSA 4.0 ignores leading '\0' bytes during decryption of
| ciphertext. This could conceivably have a security-relevant impact,
| e.g., by helping an attacker to infer that an application uses Python-
| RSA, or if the length of accepted ciphertext affects application
| behavior (such as by causing excessive memory allocation).


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-13757
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13757
[1] https://github.com/sybrenstuvel/python-rsa/issues/146

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



More information about the Python-modules-team mailing list