Arch Linux Security Advisory ASA-202102-36 ========================================== Severity: Medium Date : 2021-02-27 CVE-ID : CVE-2020-36242 Package : python-cryptography Type : incorrect calculation Remote : No Link : https://security.archlinux.org/AVG-1541 Summary ======= The package python-cryptography before version 3.4-1 is vulnerable to incorrect calculation. Resolution ========== Upgrade to 3.4-1. # pacman -Syu "python-cryptography>=3.4-1" The problem has been fixed upstream in version 3.4. Workaround ========== None. Description =========== In python-cryptography before version 3.3.2, certain sequences of update calls to symmetrically encrypt multiple gigabytes of data could result in an integer overflow, leading to mishandling of buffers. Impact ====== Unintentional use of the API could lead to buffer mishandling, causing application crashes or incorrectly encrypted data. References ========== https://github.com/pyca/cryptography/security/advisories/GHSA-rhm9-p9w5-fwm7 https://github.com/pyca/cryptography/issues/5615 https://github.com/pyca/cryptography/pull/5747 https://github.com/pyca/cryptography/commit/82b6ce28389f0a317bc55ba2091a74b346db7cae https://security.archlinux.org/CVE-2020-36242