https://github.com/pyca/cryptography/pull/5507/commits/ce1bef6f1ee06ac497ca0c837fbd1c7ef6c2472b

The version of Junos OS installed on the remote host is affected by a vulnerability as referenced in the JSA11245 advisory.

  - python-cryptography 3.2 is vulnerable to Bleichenbacher timing attacks in the RSA decryption API, via     timed processing of valid PKCS#1 v1.5 ciphertext. (CVE-2020-25659)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:3254 advisory.

  - python-cryptography: Bleichenbacher timing oracle attack against RSA decryption (CVE-2020-25659)

  - python: Unsafe use of eval() on data retrieved via HTTP in the test suite (CVE-2020-27619)

  - python-lxml: mXSS due to the use of improper parser (CVE-2020-27783)

  - python-jinja2: ReDoS vulnerability due to the sub-pattern (CVE-2020-28493)

  - python-cryptography: Large inputs for symmetric encryption can trigger integer overflow leading to buffer     overflow (CVE-2020-36242)

  - python-babel: Relative path traversal allows attacker to load arbitrary locale files and execute arbitrary     code (CVE-2021-20095)

  - python: Web cache poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a semicolon in     query parameters (CVE-2021-23336)

  - python-lxml: Missing input sanitization for formaction HTML5 attributes may lead to XSS (CVE-2021-28957)

  - python-ipaddress: Improper input validation of octal strings (CVE-2021-29921)

  - python: Stack-based buffer overflow in PyCArg_repr in _ctypes/callproc.c (CVE-2021-3177)

  - python-urllib3: ReDoS in the parsing of authority part of URL (CVE-2021-33503)

  - python: Information disclosure via pydoc (CVE-2021-3426)

  - python-pip: Incorrect handling of unicode separators in git references (CVE-2021-3572)

  - python: urllib: Regular expression DoS in AbstractBasicAuthHandler (CVE-2021-3733)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the ELSA-2021-1608 advisory.

  - python-cryptography 3.2 is vulnerable to Bleichenbacher timing attacks in the RSA decryption API, via     timed processing of valid PKCS#1 v1.5 ciphertext. (CVE-2020-25659)

  - In the cryptography package before 3.3.2 for Python, certain sequences of update calls to symmetrically     encrypt multi-GB values could result in an integer overflow and buffer overflow, as demonstrated by the     Fernet class. (CVE-2020-36242)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote CentOS Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the CESA-2021:1608 advisory.

  - python-cryptography: bleichenbacher timing oracle attack against RSA decryption (CVE-2020-25659)

  - python-cryptography: certain sequences of update() calls when symmetrically encrypting very large payloads     could result in an integer overflow and lead to buffer overflows (CVE-2020-36242)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2021:1608 advisory.

  - python-cryptography: Bleichenbacher timing oracle attack against RSA decryption (CVE-2020-25659)

  - python-cryptography: Large inputs for symmetric encryption can trigger integer overflow leading to buffer     overflow (CVE-2020-36242)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

This update for python-cryptography fixes the following issues :

CVE-2020-25659: Attempted to mitigate Bleichenbacher attacks on RSA decryption (bsc#1178168).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for python-cryptography fixes the following issues :

  - CVE-2020-25659: Attempted to mitigate Bleichenbacher     attacks on RSA decryption (bsc#1178168). This update was     imported from the SUSE:SLE-15-SP2:Update update project.

The remote Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 20.10 host has packages installed that are affected by a vulnerability as referenced in the USN-4613-1 advisory. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
154108	Juniper Junos OS Vulnerability (JSA11245)	Nessus	Junos Local Security Checks	medium
152781	RHEL 7 : rh-python38 (RHSA-2021:3254)	Nessus	Red Hat Local Security Checks	critical
149969	Oracle Linux 8 : python-cryptography (ELSA-2021-1608)	Nessus	Oracle Linux Local Security Checks	critical
149778	CentOS 8 : python-cryptography (CESA-2021:1608)	Nessus	CentOS Local Security Checks	critical
149686	RHEL 8 : python-cryptography (RHSA-2021:1608)	Nessus	Red Hat Local Security Checks	critical
143836	SUSE SLES12 Security Update : python-cryptography (SUSE-SU-2020:3629-1)	Nessus	SuSE Local Security Checks	medium
143680	SUSE SLED15 / SLES15 Security Update : python-cryptography (SUSE-SU-2020:3592-1)	Nessus	SuSE Local Security Checks	medium
143511	openSUSE Security Update : python-cryptography (openSUSE-2020-2173)	Nessus	SuSE Local Security Checks	medium
142368	Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 20.10 : python-cryptography vulnerability (USN-4613-1)	Nessus	Ubuntu Local Security Checks	medium

CVE-2020-25659

medium

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Tenable Plugins

medium

critical

critical

critical

critical

medium

medium

medium

medium