diff -Nru python-cryptography-38.0.4/debian/changelog python-cryptography-38.0.4/debian/changelog
--- python-cryptography-38.0.4/debian/changelog 2023-12-04 19:48:36.000000000 +0000
+++ python-cryptography-38.0.4/debian/changelog 2024-02-27 10:36:15.000000000 +0000
@@ -1,3 +1,17 @@
+python-cryptography (38.0.4-4ubuntu0.23.10.2) mantic-security; urgency=medium
+
+ * SECURITY UPDATE: exposure of confidential data
+ - debian/patches/CVE-2023-50782.patch: update bindings in
+ src/_cffi_src/openssl/rsa.py to be compatible with new openssl version
+ 3.0.10-1ubuntu2.3, which fixes the issue by changing PKCS#1 v1.5 RSA to
+ return random output instead of an exception when detecting wrong padding
+ - CVE-2023-50782
+ * SECURITY UPDATE: null pointer dereference
+ - debian/patches/CVE-2024-26130.patch: null check before dereference
+ - CVE-2024-26130
+
+ -- Jorge Sancho Larraz Tue, 27 Feb 2024 11:36:15 +0100
+
 python-cryptography (38.0.4-4ubuntu0.23.10.1) mantic-security; urgency=medium
 
 * SECURITY UPDATE: DoS via PKCS7 certificate
diff -Nru python-cryptography-38.0.4/debian/patches/CVE-2023-50782.patch python-cryptography-38.0.4/debian/patches/CVE-2023-50782.patch
--- python-cryptography-38.0.4/debian/patches/CVE-2023-50782.patch 1970-01-01 00:00:00.000000000 +0000
+++ python-cryptography-38.0.4/debian/patches/CVE-2023-50782.patch 2024-02-27 10:36:15.000000000 +0000
@@ -0,0 +1,79 @@
+From 9c101390a199e3c8b2b969e3f27fd5a005543637 Mon Sep 17 00:00:00 2001
+From: Alex Gaynor
+Date: Mon, 12 Dec 2022 19:26:06 -0500
+Subject: [PATCH] Attempt to work-around wycheproof tests
+
+---
+ src/_cffi_src/openssl/rsa.py | 8 ++++++++
+ tests/hazmat/primitives/test_rsa.py | 5 +++--
+ tests/wycheproof/test_rsa.py | 20 +++++++++++++++-----
+ 3 files changed, 26 insertions(+), 7 deletions(-)
+
+diff --git a/src/_cffi_src/openssl/rsa.py b/src/_cffi_src/openssl/rsa.py
+index b1f6e4a4d645..3492d4588e11 100644
+--- a/src/_cffi_src/openssl/rsa.py
++++ b/src/_cffi_src/openssl/rsa.py
+@@ -16,6 +16,8 @@
+ static const int RSA_PKCS1_PSS_PADDING;
+ static const int RSA_F4;
+ static const int RSA_PSS_SALTLEN_AUTO;
++
++static const int Cryptography_HAS_IMPLICIT_RSA_REJECTION;
+ """
+
+ FUNCTIONS = """
+@@ -49,4 +51,10 @@
+ #if !defined(RSA_PSS_SALTLEN_AUTO)
+ #define RSA_PSS_SALTLEN_AUTO -2
+ #endif
++
++#if defined(EVP_PKEY_CTRL_RSA_IMPLICIT_REJECTION)
++static const int Cryptography_HAS_IMPLICIT_RSA_REJECTION = 1;
++#else
++static const int Cryptography_HAS_IMPLICIT_RSA_REJECTION = 0;
++#endif
+ """
+diff --git a/tests/hazmat/primitives/test_rsa.py b/tests/hazmat/primitives/test_rsa.py
+index 5a9fa19f37b4..7a4b2f1e3234 100644
+--- a/tests/hazmat/primitives/test_rsa.py
++++ b/tests/hazmat/primitives/test_rsa.py
+@@ -1713,8 +1713,9 @@ def test_unsupported_padding(self, backend):
+ private_key.decrypt(b"0" * 256, DummyAsymmetricPadding())
+
+ @pytest.mark.supported(
+- only_if=lambda backend: backend.rsa_padding_supported(
+- padding.PKCS1v15()
++ only_if=lambda backend: (
++ backend.rsa_padding_supported(padding.PKCS1v15())
++ and not backend._lib.Cryptography_HAS_IMPLICIT_RSA_REJECTION
+ ),
+ skip_message="Does not support PKCS1v1.5.",
+ )
+diff --git a/tests/wycheproof/test_rsa.py b/tests/wycheproof/test_rsa.py
+index 0670e1c47c00..e2b8426fd0f6 100644
+--- a/tests/wycheproof/test_rsa.py
++++ b/tests/wycheproof/test_rsa.py
+@@ -240,8 +240,18 @@ def
test_rsa_pkcs1_encryption(backend, wycheproof):
+ )
+ assert pt == binascii.unhexlify(wycheproof.testcase["msg"])
+ else:
+- with pytest.raises(ValueError):
+- key.decrypt(
+- binascii.unhexlify(wycheproof.testcase["ct"]),
+- padding.PKCS1v15(),
+- )
++ if backend._lib.Cryptography_HAS_IMPLICIT_RSA_REJECTION:
++ try:
++ assert key.decrypt(
++ binascii.unhexlify(wycheproof.testcase["ct"]),
++ padding.PKCS1v15(),
++ ) != binascii.unhexlify(wycheproof.testcase["ct"])
++ except ValueError:
++ # Some raise ValueError due to length mismatch.
++ pass
++ else:
++ with pytest.raises(ValueError):
++ key.decrypt(
++ binascii.unhexlify(wycheproof.testcase["ct"]),
++ padding.PKCS1v15(),
++ )
diff -Nru python-cryptography-38.0.4/debian/patches/CVE-2024-26130.patch python-cryptography-38.0.4/debian/patches/CVE-2024-26130.patch
--- python-cryptography-38.0.4/debian/patches/CVE-2024-26130.patch 1970-01-01 00:00:00.000000000 +0000
+++ python-cryptography-38.0.4/debian/patches/CVE-2024-26130.patch 2024-02-27 10:35:18.000000000 +0000
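Review bot: In the implicit-rejection branch of `test_rsa_pkcs1_encryption` the only assertion is `key.decrypt(ct) != ct`, which virtually any output satisfies, so the test would still pass if decryption returned the padded input or a fixed value; if the invalid vectors carry a `msg` field, additionally assert `pt != binascii.unhexlify(wycheproof.testcase["msg"])`, and narrow the `except ValueError: pass` so that only the length-mismatch vectors the comment mentions are allowed to raise. `Cryptography_HAS_IMPLICIT_RSA_REJECTION` in rsa.py is derived from whether the build headers define `EVP_PKEY_CTRL_RSA_IMPLICIT_REJECTION`, so it describes the headers the extension was compiled against rather than the libssl loaded at runtime, and deserves a comment such as `# 1 when the OpenSSL headers expose EVP_PKEY_CTRL_RSA_IMPLICIT_REJECTION (bad PKCS#1 v1.5 padding yields random bytes instead of an error - Marvin mitigation); compile-time only, not a runtime probe.` Since this patch only adapts bindings and tests while the changelog places the actual CVE-2023-50782 fix in openssl 3.0.10-1ubuntu2.3, the package should carry a versioned dependency on that libssl3 if debian/control does not already, otherwise an older runtime leaves PKCS#1 v1.5 decryption oracle-prone.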
@@ -0,0 +1,60 @@
+From 97d231672763cdb5959a3b191e692a362f1b9e55 Mon Sep 17 00:00:00 2001
+From: Alex Gaynor
+Date: Mon, 19 Feb 2024 11:50:28 -0500
+Subject: [PATCH] Fixes #10422 -- don't crash when a PKCS#12 key and cert don't
+ match (#10423)
+
+---
+ .../hazmat/backends/openssl/backend.py | 9 +++++++++
+ tests/hazmat/primitives/test_pkcs12.py | 18 ++++++++++++++++++
+ 2 files changed, 27 insertions(+)
+
+diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
+index 45888f36168a..6a4aeca7521f 100644
+--- a/src/cryptography/hazmat/backends/openssl/backend.py
++++ b/src/cryptography/hazmat/backends/openssl/backend.py
+@@ -623,6 +623,15 @@ def serialize_key_and_certificates_to_pkcs12(
+ mac_iter,
+ 0,
+ )
++ if p12 == self._ffi.NULL:
++ errors = self._consume_errors()
++ raise ValueError(
++ (
++ "Failed to create PKCS12 (does the key match the "
++ "certificate?)"
++ ),
++ errors,
++ )
+
+ if (
+ self._lib.Cryptography_HAS_PKCS12_SET_MAC
+diff --git a/tests/hazmat/primitives/test_pkcs12.py b/tests/hazmat/primitives/test_pkcs12.py
+index f49c98a4ed3d..cb998c4a4bc0 100644
+--- a/tests/hazmat/primitives/test_pkcs12.py
++++ b/tests/hazmat/primitives/test_pkcs12.py
+@@ -660,6 +660,24 @@ def test_key_serialization_encryption_set_mac_unsupported(
+ b"name", cakey, cacert, [], algorithm
+ )
+
++ @pytest.mark.supported(
++ only_if=lambda backend: backend._lib.Cryptography_HAS_PKCS12_SET_MAC,
++ skip_message="Requires OpenSSL with PKCS12_set_mac",
++ )
++ def test_set_mac_key_certificate_mismatch(self, backend):
++ cacert, _ = _load_ca(backend)
++ key = ec.generate_private_key(ec.SECP256R1())
++ encryption = (
++ serialization.PrivateFormat.PKCS12.encryption_builder()
++ .hmac_hash(hashes.SHA256())
++ .build(b"password")
++ )
++
++ with pytest.raises(ValueError):
++ serialize_key_and_certificates(
++ b"name", key, cacert, [], encryption
++ )
++
+
+ @pytest.mark.skip_fips(
+ reason="PKCS12 unsupported in FIPS
mode. So much bad crypto in it."
diff -Nru python-cryptography-38.0.4/debian/patches/series python-cryptography-38.0.4/debian/patches/series
--- python-cryptography-38.0.4/debian/patches/series 2023-12-04 19:48:23.000000000 +0000
+++ python-cryptography-38.0.4/debian/patches/series 2024-02-27 10:36:15.000000000 +0000
@@ -9,3 +9,5 @@
 Upgrade-to-pyo3-0.19.patch
 0010-Replace-US-Pacific-with-America-Los_Angeles.patch
 CVE-2023-49083.patch
+CVE-2023-50782.patch
+CVE-2024-26130.patch
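Review bot: The `p12 == self._ffi.NULL` check sits directly after the `PKCS12_create` call and so guards every build, but the regression test is gated on `Cryptography_HAS_PKCS12_SET_MAC` and builds its encryption with `.hmac_hash(...)`, so OpenSSL builds without `PKCS12_set_mac` — which hit the same NULL dereference — never exercise the new check. Add an ungated companion test that serialises the mismatched key/cert with a plain `serialization.BestAvailableEncryption(b"password")` (or `NoEncryption()`) and expects `ValueError`. The message presumes a key/certificate mismatch, but `PKCS12_create` can presumably also fail for other reasons (e.g. an algorithm unavailable in the current provider), so keeping the consumed OpenSSL error stack attached as the hunk does is the right call; consider wording it `"Failed to create PKCS12 (key/certificate mismatch or unsupported algorithm?)"`. `serialize_key_and_certificates_to_pkcs12` begins above the hunk, so the `PKCS12_create` arguments and any earlier validation are not visible here.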