
3.3.2.2 — CVE-2026-26007 security backports#2

Open
martinPavesio wants to merge 8 commits into 3.3.2.x from security/cve-2026-26007

Conversation

@martinPavesio

Security backports for Python 2.7. Tags: 3.3.2.1, 3.3.2.2. Ticket: CS-2178.

@icanhasmath changed the title from "3.3.2.2 — CVE-2023-23931, CVE-2023-49083, CVE-2026-26007 security backports" to "3.3.2.2 — CVE-2026-26007 security backports" on May 28, 2026
Add EC_KEY_check_key() to CFFI bindings and call it after all three EC
public key construction paths in the OpenSSL backend:
  - load_der_public_key / load_pem_public_key (after EVP_PKEY_get1_EC_KEY)
  - _ec_key_set_public_key_affine_coordinates (covers load_elliptic_curve_public_numbers)
  - load_elliptic_curve_public_bytes (EC_POINT_oct2point path)

Without this check an attacker could supply a small-order subgroup key to
leak private key bits via ECDH or forge ECDSA signatures.

GHSA-r6ph-v2qm-q3c2 / CVE-2026-26007. Upstream fix: cryptography 46.0.5.
Version string: 3.3.2+security.2 (PEP 440 local identifier)
Git tag: 3.3.2.2

CHANGELOG.rst updated with security release notes.
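To make the rationale in the commit message concrete, here is an added example (not code from this PR or from the cryptography project) that models, in pure Python on a constructed toy curve, the validation EC_KEY_check_key() performs on a public point: being on the curve is not enough, the point must also lie in the prime-order subgroup, otherwise a small-order key passes. The curve parameters and the function names are assumptions chosen for illustration; the code runs on both Python 2.7 and 3.

```python
# Added example, not code from this PR or from the cryptography project.
# Toy curve (constructed): y^2 = x^3 + x + 1 over F_23. Its group has
# 28 = 4 * 7 points, so n = 7 is the prime subgroup order and the cofactor
# is 4; points of order 2 or 4 are the "small-order subgroup" keys.
P, A, B = 23, 1, 1
N = 7        # prime subgroup order (cofactor h = 4)
INF = None   # point at infinity

def on_curve(pt):
    """Coordinates in range and satisfying the curve equation."""
    if pt is INF:
        return True
    x, y = pt
    return 0 <= x < P and 0 <= y < P and (y * y - x ** 3 - A * x - B) % P == 0

def add(p1, p2):
    """Affine point addition in short Weierstrass form."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF  # p2 == -p1; also covers doubling a point with y == 0
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, P - 2, P) % P  # Fermat inverse
    else:
        lam = (y2 - y1) * pow(x2 - x1, P - 2, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication (toy; not constant time)."""
    result = INF
    while k:
        if k & 1:
            result = add(result, pt)
        pt = add(pt, pt)
        k >>= 1
    return result

def is_valid_public_point(pt):
    """Model of the checks EC_KEY_check_key applies to a public point:
    not infinity, on the curve, and n*P == O, i.e. P lies in the
    prime-order subgroup and cannot be a small-order key (hypothetical name)."""
    if pt is INF or not on_curve(pt):
        return False
    return mul(N, pt) is INF
```

(13, 16) has order 7 and is accepted; (4, 0) is on the curve but has order 2, and (0, 1) is on the curve but outside the order-7 subgroup, so both are rejected even though an on-curve-only check would let them through.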
@martinPavesio force-pushed the security/cve-2026-26007 branch from e594984 to a898d8a on May 28, 2026 at 23:22
Version string: 3.3.2+security.3 (PEP 440 local identifier)
Git tag: 3.3.2.3

Security assessment entries for 7 CVEs — all not applicable or not fixable
at the CFFI layer for this Python 2.7 / system OpenSSL build.