diff -Nru python-cryptography-2.8/debian/changelog python-cryptography-2.8/debian/changelog
--- python-cryptography-2.8/debian/changelog 2020-10-28 16:10:56.000000000 +0000
+++ python-cryptography-2.8/debian/changelog 2023-12-04 20:04:00.000000000 +0000
@@ -1,3 +1,13 @@
+python-cryptography (2.8-3ubuntu0.2) focal-security; urgency=medium
+
+  * SECURITY UPDATE: corrupted output via immutable objects
+    - debian/patches/CVE-2023-23931.patch: don't allow update_into to
+      mutate immutable objects in tests/hazmat/primitives/test_ciphers.py,
+      src/cryptography/hazmat/backends/openssl/ciphers.py.
+    - CVE-2023-23931
+
+ -- Marc Deslauriers  Mon, 04 Dec 2023 15:04:00 -0500
+
 python-cryptography (2.8-3ubuntu0.1) focal-security; urgency=medium
 
   * SECURITY UPDATE: Bleichenbacher timing oracle attack
diff -Nru python-cryptography-2.8/debian/patches/CVE-2023-23931.patch python-cryptography-2.8/debian/patches/CVE-2023-23931.patch
--- python-cryptography-2.8/debian/patches/CVE-2023-23931.patch 1970-01-01 00:00:00.000000000 +0000
+++ python-cryptography-2.8/debian/patches/CVE-2023-23931.patch 2023-12-04 20:03:48.000000000 +0000
@@ -0,0 +1,43 @@
+From: Alex Gaynor
+Date: Tue, 7 Feb 2023 11:34:18 -0500
+Subject: [PATCH] Don't allow update_into to mutate immutable objects (#8230)
+
+[Backported by Chris Lamb 2023-02-21.]
+
+---
+ src/cryptography/hazmat/backends/openssl/ciphers.py | 2 +-
+ tests/hazmat/primitives/test_ciphers.py | 8 ++++++++
+ 2 files changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/src/cryptography/hazmat/backends/openssl/ciphers.py b/src/cryptography/hazmat/backends/openssl/ciphers.py
+index 94b48f5..be80aff 100644
+--- a/src/cryptography/hazmat/backends/openssl/ciphers.py
++++ b/src/cryptography/hazmat/backends/openssl/ciphers.py
+@@ -132,7 +132,7 @@ class _CipherContext(object):
+             )
+ 
+         buf = self._backend._ffi.cast(
+-            "unsigned char *", self._backend._ffi.from_buffer(buf)
++            "unsigned char *", self._backend._ffi.from_buffer(buf, require_writable=True)
+         )
+         outlen = self._backend._ffi.new("int *")
+         res = self._backend._lib.EVP_CipherUpdate(
+diff --git a/tests/hazmat/primitives/test_ciphers.py b/tests/hazmat/primitives/test_ciphers.py
+index f29ba9a..4534de4 100644
+--- a/tests/hazmat/primitives/test_ciphers.py
++++ b/tests/hazmat/primitives/test_ciphers.py
+@@ -296,6 +296,14 @@ class TestCipherUpdateInto(object):
+         with pytest.raises(ValueError):
+             encryptor.update_into(b"testing", buf)
+ 
++    def test_update_into_immutable(self, backend):
++        key = b"\x00" * 16
++        c = ciphers.Cipher(AES(key), modes.ECB(), backend)
++        encryptor = c.encryptor()
++        buf = b"\x00" * 32
++        with pytest.raises((TypeError, BufferError)):
++            encryptor.update_into(b"testing", buf)
++
+     @pytest.mark.supported(
+         only_if=lambda backend: backend.cipher_supported(
+             AES(b"\x00" * 16), modes.GCM(b"\x00" * 12)
diff -Nru python-cryptography-2.8/debian/patches/series python-cryptography-2.8/debian/patches/series
--- python-cryptography-2.8/debian/patches/series 2020-10-28 16:10:44.000000000 +0000
+++ python-cryptography-2.8/debian/patches/series 2023-12-04 20:03:48.000000000 +0000
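Review bot: The `require_writable=True` keyword passed to `self._backend._ffi.from_buffer(buf, ...)` in the ciphers.py hunk only exists in cffi releases from about 1.12 onward; on an older cffi the call raises `TypeError: unexpected keyword argument` for every `update_into` call, writable buffer or not, which turns a memory-safety fix into a functional regression on hosts that pair this package with an older cffi. This backport changes no dependency declaration (setup.py or debian/control are not touched), so confirm the package's cffi floor is at least that version, or raise it alongside this patch; focal's python3-cffi is almost certainly new enough, but a declared floor documents the requirement. The new test accepts `(TypeError, BufferError)`, presumably because different buffer providers raise different errors when a writable view is refused, but that also means it would pass on an old cffi for the wrong reason; a stronger check is `buf = bytearray(32); mv = memoryview(buf).toreadonly()` style assertions or a positive `update_into` into a `bytearray` next to it, so the keyword's acceptance is actually exercised. `update_into`'s definition begins before the hunk's first context line `)`, so only the `from_buffer` call is visible here.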
@@ -1 +1,2 @@
 CVE-2020-25659.patch
+CVE-2023-23931.patch