It was found that python-rsa is vulnerable to Bleichenbacher timing attacks. An attacker can use this flaw via the RSA decryption API to decrypt parts of the cipher text encrypted with RSA

References

• https://nvd.nist.gov/vuln/detail/CVE-2020-25658
• sybrenstuvel/python-rsa#165
• sybrenstuvel/python-rsa@dae8ce0
• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-25658
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2SAF67KDGSOHLVFTRDOHNEAFDRSSYIWA/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/APF364QJ2IYLPDNVFBOEJ24QP2WLVLJP/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QY4PJWTYSOV7ZEYZVMYIF6XRU73CY6O7/
• https://access.redhat.com/errata/RHSA-2020:5634
• https://access.redhat.com/errata/RHSA-2021:0637
• https://access.redhat.com/errata/RHSA-2022:1716
• https://access.redhat.com/security/cve/CVE-2020-25658
• https://bugzilla.redhat.com/show_bug.cgi?id=1889972
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2SAF67KDGSOHLVFTRDOHNEAFDRSSYIWA/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/APF364QJ2IYLPDNVFBOEJ24QP2WLVLJP/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QY4PJWTYSOV7ZEYZVMYIF6XRU73CY6O7/