Affected versions: Arch Linux (rolling release)

Source: Arch ASA ASA-202102-36

Related CVEs: CVE-2020-36242

Upstream summary: Type: incorrect calculation. Status: Fixed. Affected: 3.3.1-1. Fixed in: 3.4-1. Group: AVG-1541.

Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution – Primary Fix
  7. Solution – Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

On Arch Linux hosts, pacman -Q python-cryptography reports 3.3.1-1 (or older) and the Arch security tracker entry for AVG-1541 / ASA-202102-36 lists the package as vulnerable to CVE-2020-36242. Nothing in the journal announces this: python-cryptography is a library, not a daemon, so there is no unit that fails and no restart loop to observe. The advisory classifies the bug as an incorrect calculation; the upstream fix (cryptography 3.3.2, shipped on Arch as 3.4-1) addresses an integer overflow in the symmetric-cipher update path that is reachable by feeding multi-gigabyte input across successive update() calls, turning into a buffer overflow inside the process using the library. Impact therefore lands on every Python program that imports the installed copy: at best a crash of that process, at worst memory corruption in it, wherever attacker-controlled data of that size reaches a cipher context.

Environment & Reproduction

Reproduction targets Arch Linux. Because Arch is a rolling release, the fix has been in the official repos since python-cryptography 3.4-1; a host is only exposed if it has not synced since that build landed, so run sudo pacman -Syu first before declaring it vulnerable. Confirm release and the installed package:

cat /etc/os-release
pacman -Qi python-cryptography                          # installed version; 3.3.1-1 (or older) is affected
pacman -Si python-cryptography | grep -E 'Version|Repository'   # repo (latest) version
pactree -r python-cryptography | head -40               # reverse deps: which repo packages on this host use it
python -c 'import cryptography; print(cryptography.__version__, cryptography.__file__)'   # what the default interpreter loads

There is no systemd unit or log line to watch; instead, enumerate the consumers. Besides the pacman package, any copy installed with pip into a virtualenv or ~/.local is a separate artifact that pacman never patches:

pactree -r python-cryptography                          # repo packages depending on it
# Heuristic search for pip/venv copies outside pacman's tree:
sudo find / -path '*/site-packages/cryptography/__about__.py' -not -path '/usr/lib/python*' 2>/dev/null
grep -i cryptography /var/log/pacman.log | tail         # when the package was last touched
# Optional evidence bundle for support:
pacman -Q python-cryptography python python-cffi > /tmp/pkgs.txt

Root Cause Analysis

Root cause is the upstream bug tracked as CVE-2020-36242 (Arch group AVG-1541), not anything in Arch packaging: cryptography releases before 3.3.2 miscalculate buffer sizes when symmetric encryption or decryption is fed very large (multi-gigabyte) input across successive update() calls, an integer overflow that the advisory files under incorrect calculation. Arch packagers shipped the fix as 3.4-1. A host that still carries 3.3.1-1 either has not synced since that build landed, is pointed at a mirror that lags the repos, or holds the package via IgnorePkg. Confirm which:

grep -i 'python-cryptography' /var/log/pacman.log | tail       # when it was last installed/upgraded
pacman -Qu                                                    # pending updates per the local DB (checkupdates gives a fresh view)
grep -E '^(IgnorePkg|IgnoreGroup|HoldPkg)' /etc/pacman.conf   # is the package held?
grep -v '^#' /etc/pacman.d/mirrorlist | head                  # which mirror feeds this host

Quick Triage

Run these on Arch Linux to capture the current state of python-cryptography:

pacman -Qi python-cryptography | grep -E 'Version|Install Date'   # 3.3.1-1 or older = affected
pacman -Qkk python-cryptography                         # verify shipped files (size/mtime/checksum)
checkupdates                                            # safe update check (pacman-contrib); does not touch the live DB
python -c 'import cryptography, os; print(cryptography.__version__, os.path.dirname(cryptography.__file__))'
# python-cryptography ships no systemd unit; the processes that matter are the ones importing it.
# List running Python services so they can be restarted after the upgrade (adjust the pattern to your host):
systemctl list-units --type=service --state=running --no-pager | grep -iE 'python|gunicorn|uwsgi|celery'

Step-by-Step Diagnosis

  1. Pin down the installed version and whether it is the affected build.

    pacman -Q python-cryptography                 # 3.3.1-1 (or older) is affected; 3.4-1 or newer is fixed
    python -c 'import cryptography; print(cryptography.__version__)'   # what the default interpreter actually loads
  2. Enumerate the consumers: repo packages that depend on it, plus pip/venv copies that pacman does not manage.

    pactree -r python-cryptography
    sudo find / -path '*/site-packages/cryptography/__about__.py' -not -path '/usr/lib/python*' 2>/dev/null
    # For each venv found: <venv>/bin/python -c 'import cryptography; print(cryptography.__version__)'
  3. Check that the host is fully synced; the fix may already be live in the repos.

    checkupdates                      # refreshes a private copy of the sync DB; safe to run at any time
    pacman -Si python-cryptography | grep -E 'Version|Repository'
    # Avoid a bare sudo pacman -Syy that is not followed by -Su: a refreshed DB plus a later
    # pacman -S <pkg> is exactly the partial upgrade Arch warns against.
  4. Verify python-cryptography integrity and reinstall if any file is altered.

    pacman -Qkk python-cryptography
    # Deeper file-level check (pacutils):
    sudo pacman -S --needed pacutils
    paccheck --md5sum --quiet python-cryptography
    sudo pacman -S python-cryptography              # reinstall the current version (only on an otherwise up-to-date system)
  5. Correlate findings with /var/log/pacman.log and Arch ASA ASA-202102-36 to confirm when 3.3.1-1 was installed and that no later transaction replaced it.

Solution – Primary Fix

Apply the fix by syncing the whole system to the repo state that contains python-cryptography 3.4-1 (or newer), then restart every process that still has the old library loaded. Arch does not support partial upgrades: always do a full system sync, never pacman -Sy python-cryptography on its own:

sudo pacman -Syu                            # full system upgrade (REQUIRED on Arch); brings in 3.4-1 or newer
pacman -Qi python-cryptography | grep -E 'Version|Install Date'   # confirm the new version
python -c 'import cryptography; print(cryptography.__version__)'   # and that the interpreter picks it up
# python-cryptography has no unit of its own. Restart the Python services that import it;
# until then they keep executing the old code already mapped in memory:
systemctl list-units --type=service --state=running --no-pager | grep -iE 'python|gunicorn|uwsgi|celery'
sudo systemctl restart <service>...
sudo systemctl daemon-reload                # only needed if unit files changed in the same transaction

pip/virtualenv copies are not touched by pacman and must be upgraded separately; upstream fixed the bug in cryptography 3.3.2:

<venv>/bin/pip install --upgrade 'cryptography>=3.3.2'
<venv>/bin/python -c 'import cryptography; print(cryptography.__version__)'

For kernel / glibc / systemd / openssl upgrades a reboot is required (Arch has no live-patch story in base). For a library-only upgrade like this one, restarting the consumers is enough; to find them:

# checkservices and needrestart list processes that still use replaced libraries; neither is part of
# base (install from the repos or the AUR), so a fallback is to look for deleted mappings directly:
checkservices 2>/dev/null || true
needrestart 2>/dev/null || true
sudo grep -l 'cryptography/.*\.so.*(deleted)' /proc/[0-9]*/maps 2>/dev/null   # PIDs still running the old build
sudo systemctl reboot                        # only if the same transaction also replaced kernel/glibc/systemd
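The "deleted mapping" check done properly, as an added example that is not part of the advisory, pacman-contrib or needrestart: a POSIX sh script that scans /proc/PID/maps files for shared objects under a cryptography/ directory whose file on disk was replaced by the upgrade, which is exactly the set of processes still executing the old build. It assumes the package installs its native extension under a path containing /cryptography/ (true for site-packages/cryptography/hazmat/bindings/) and that library paths contain no spaces; the maps content written by demo() is constructed sample data, not from a real host.

```shell
#!/bin/sh
# Added example: find processes still executing a replaced (deleted on disk)
# shared object from the cryptography package after `pacman -Syu`.
# Assumptions: the native extension path contains "/cryptography/" and no spaces.

# stale_maps FILE
#   FILE is in /proc/PID/maps format. Prints "PID PATH" once per distinct
#   cryptography .so whose mapping is marked "(deleted)". PID is taken from
#   the file path when it looks like /proc/<pid>/maps, otherwise "?".
stale_maps() {
    file=$1
    pid=$(printf '%s\n' "$file" | sed -n 's#.*/proc/\([0-9][0-9]*\)/maps$#\1#p')
    [ -n "$pid" ] || pid='?'
    awk -v pid="$pid" '
        # fields: address perms offset dev inode path [(deleted)]
        /\(deleted\)$/ && $6 ~ /\/cryptography\// && $6 ~ /\.so/ {
            if (!seen[$6]++) print pid, $6
        }' "$file"
}

# scan_all: every process on the host (reading maps of other users needs root)
scan_all() {
    for f in /proc/[0-9]*/maps; do
        stale_maps "$f" 2>/dev/null
    done
}

# demo: run stale_maps over a constructed maps file (sample data, not a real host)
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/proc/4242"
    cat > "$tmp/proc/4242/maps" <<'EOF'
7f1c3a000000-7f1c3a021000 r--p 00000000 fd:01 1234 /usr/lib/libc.so.6
7f1c3b000000-7f1c3b0a0000 r-xp 00000000 fd:01 5678 /usr/lib/python3.9/site-packages/cryptography/hazmat/bindings/_openssl.abi3.so (deleted)
7f1c3b0a0000-7f1c3b0b0000 r--p 000a0000 fd:01 5678 /usr/lib/python3.9/site-packages/cryptography/hazmat/bindings/_openssl.abi3.so (deleted)
7f1c3c000000-7f1c3c001000 rw-p 00000000 00:00 0
EOF
    stale_maps "$tmp/proc/4242/maps"
    rm -rf "$tmp"
}

case "${1:-}" in
    --scan) scan_all ;;          # real host: sudo sh stale-cryptography.sh --scan
    *)      demo ;;              # no argument: show the constructed sample
esac
```

Run with --scan as root after the upgrade; every PID it prints belongs to a service to restart, and an empty result is the acceptance condition. The dedupe on the path keeps one line per process even though a shared object is mapped several times (code, read-only data, relocations).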

AUR caveat: packages installed from the AUR are not covered by Arch Security Advisories and are not rebuilt by pacman -Syu. A python-cryptography bump does not by itself require rebuilding AUR packages that merely import it at runtime, but AUR packages that vendor their own copy of cryptography, or native modules built against a library whose soname changed in the same transaction, do:

# AUR packages aren't covered by ASAs; rebuild via paru/yay:
paru -Syu --aur                              # paru is not part of base; install it from the AUR first
# Or with yay:
yay -Syu --aur
# Find packages with broken shared-library links after the sync (rebuild-detector package):
sudo pacman -S --needed rebuild-detector
checkrebuild


Solution – Alternative Approaches

If a full sync is not possible right now (for example a known breakage elsewhere in the transaction), choose from these. None of them removes the bug; they narrow exposure or buy time, and the host stays listed as vulnerable until 3.4-1 or newer is installed:

  • Limit exposure on the affected code path. The overflow needs multi-gigabyte input reaching a cipher context, so cap request and file sizes in front of services that encrypt or decrypt attacker-supplied data (web-server body limits, application-level limits) until the upgrade lands.

  • Pin the host to a dated snapshot from the Arch Linux Archive that already contains the fix and sync to it as a whole; that is a consistent system state, not a partial upgrade (the date below is an example; pick one on or after the advisory date):

    # /etc/pacman.d/mirrorlist (replace all Server lines with):
    Server = https://archive.archlinux.org/repos/2021/02/28/$repo/os/$arch
    sudo pacman -Syyuu                          # move the whole system to that date
  • Roll back to an earlier package build from the local cache only to recover from a broken upgrade, never as a remediation; 3.3.1-1 and older are the vulnerable builds:

    ls /var/cache/pacman/pkg/ | grep ^python-cryptography- | tail
    sudo pacman -U /var/cache/pacman/pkg/python-cryptography-<old-version>.pkg.tar.zst
  • Holding the package via IgnorePkg in /etc/pacman.conf keeps the vulnerable build in place; use it only while a dependent is being fixed, with a date to lift it:

    # /etc/pacman.conf:
    IgnorePkg = python-cryptography
    # Lift the hold by removing the line, then run sudo pacman -Syu
  • Enable AppArmor to limit what a compromised Python process can reach (it does not stop the in-process memory corruption; optional, not enabled by default on Arch):

    sudo pacman -S apparmor
    sudo systemctl enable --now apparmor
    sudo aa-status
  • Take a Btrfs / LVM snapshot before large upgrades for fast rollback:

    # Btrfs:
    sudo btrfs subvolume snapshot / /.snapshots/preupgrade
    # LVM:
    sudo lvs
    sudo lvcreate -s -n preupgrade -L 4G /dev/<vg>/<lv>
  • Run the affected service inside a systemd-nspawn or Podman container built from a current image (which carries the fixed package) until the host is patched.

Verification & Acceptance Criteria

All of these should pass after the fix:

pacman -Q python-cryptography                          # version 3.4-1 or newer
pacman -Qkk python-cryptography                        # no file changes reported
checkupdates | grep -i cryptography || echo 'no pending cryptography update'
python -c 'import cryptography; print(cryptography.__version__)'   # matches the package version
sudo grep -l 'cryptography/.*(deleted)' /proc/[0-9]*/maps 2>/dev/null || echo 'no process still maps the old build'
# For every venv found during diagnosis:
<venv>/bin/python -c 'import cryptography; print(cryptography.__version__)'   # 3.3.2 or newer

Acceptance: the Arch security tracker entry AVG-1541 shows the installed version as fixed, no running process maps a deleted cryptography shared object, and every pip copy reports 3.3.2 or newer.
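The two version gates above (package version from pacman, upstream version for pip copies) as one script, added here as an example rather than code from the Arch advisory or the cryptography project. It assumes the thresholds stated on this page (Arch fixed build 3.4-1, upstream fix 3.3.2) and uses a simplified version comparison instead of pacman's own vercmp; the pip freeze listing it parses at the bottom is constructed sample data.

```python
"""Version gate for CVE-2020-36242 on Arch: added example, not code from the
Arch advisory or from the cryptography project.

Two gates are needed because pacman only patches the repo package:
  * the Arch package version from `pacman -Q python-cryptography`
    (affected 3.3.1-1, fixed 3.4-1 per ASA-202102-36);
  * the upstream version of any pip/venv copy (`pip list --format=freeze`),
    which pacman never touches; upstream shipped the fix in 3.3.2.
Assumption: a simplified comparison (epoch:pkgver-pkgrel split into numeric
and alphabetic segments) rather than a full port of pacman's vercmp; exact
for the versions involved here, not for every exotic version string.
"""
import re
import subprocess

ARCH_FIXED = "3.4-1"      # fixed build per the advisory
UPSTREAM_FIXED = "3.3.2"  # upstream release carrying the fix


def _segments(s):
    """Turn '3.3.1' into comparable tuples; numeric segments sort above alpha ones."""
    return [(1, int(t)) if t.isdigit() else (0, t)
            for t in re.findall(r"\d+|[A-Za-z]+", s)]


def parse_pacman_version(v):
    """'epoch:pkgver-pkgrel' -> (epoch, pkgver segments, pkgrel segments)."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    rel = "0"
    if "-" in v:
        v, rel = v.rsplit("-", 1)
    return (epoch, _segments(v), _segments(rel))


def is_affected_pacman(version):
    """True when the Arch package is older than the fixed build 3.4-1.

    Arch went straight from 3.3.1-1 to 3.4-1, so the gate follows the advisory."""
    return parse_pacman_version(version) < parse_pacman_version(ARCH_FIXED)


def is_affected_upstream(version):
    """True when a pip-installed cryptography is older than 3.3.2."""
    return _segments(version) < _segments(UPSTREAM_FIXED)


def affected_from_freeze(freeze_output):
    """Scan `pip list --format=freeze` text; return the affected 'cryptography==ver' lines."""
    hits = []
    for line in freeze_output.splitlines():
        m = re.match(r"\s*cryptography==([0-9A-Za-z.]+)", line)
        if m and is_affected_upstream(m.group(1)):
            hits.append(line.strip())
    return hits


def installed_pacman_version():
    """Query pacman on a live Arch host; None when pacman or the package is absent."""
    try:
        out = subprocess.run(["pacman", "-Q", "python-cryptography"],
                             capture_output=True, text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return out.split()[1]  # "python-cryptography 3.4-1" -> "3.4-1"


if __name__ == "__main__":
    v = installed_pacman_version()
    print("pacman:", v, "AFFECTED" if v and is_affected_pacman(v) else "ok/absent")
    # Constructed sample of a venv freeze listing (not data from a real host):
    sample = "cffi==1.14.4\ncryptography==3.3.1\nidna==2.10\n"
    print("venv copies needing pip install -U cryptography:", affected_from_freeze(sample))
```

Feed affected_from_freeze() the output of each venv's pip list --format=freeze (one venv per call) to get the list of copies that still need pip install --upgrade 'cryptography>=3.3.2'; the pacman gate is deliberately stricter than the upstream one because Arch never built 3.3.2.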

Rollback Plan

Capture state before any change:

pacman -Qqe | sudo tee /root/pkglist-pre.txt >/dev/null
pacman -Q python-cryptography | sudo tee -a /root/pkglist-pre.txt >/dev/null
sudo cp /var/log/pacman.log /root/pacman.log.pre
# Optional Btrfs/LVM snapshot:
sudo btrfs subvolume snapshot / /.snapshots/preupgrade
sudo lvcreate -s -n preupgrade -L 4G /dev/<vg>/<lv>

To revert if the upgrade breaks something (this reintroduces CVE-2020-36242; treat it as a short-lived stopgap and re-apply the fix as soon as the dependent is repaired):

# Reinstall the previous build from the local cache:
sudo pacman -U /var/cache/pacman/pkg/python-cryptography-<old-version>.pkg.tar.zst
# Or pin the whole system to a dated snapshot in the Arch Linux Archive (example date):
# /etc/pacman.d/mirrorlist:
# Server = https://archive.archlinux.org/repos/2021/02/01/$repo/os/$arch
sudo pacman -Syyuu
# Restart the Python services that import the library:
sudo systemctl restart <service>...
# Or revert to the snapshot. LVM merges the snapshot back on the next activation; a Btrfs
# snapshot has to be booted as the root subvolume instead (procedure depends on your layout):
sudo lvconvert --merge /dev/<vg>/preupgrade && sudo systemctl reboot

Prevention & Hardening

Reduce the chance of this recurring on Arch Linux:

  • Install pacman-contrib and run checkupdates from a systemd timer so security errata are noticed within hours, not weeks; apply the upgrade interactively, since an unattended pacman -Syu on Arch leaves .pacnew files and manual-intervention steps unhandled:

    sudo pacman -S --needed pacman-contrib
    # From a timer or cron, notify only:
    checkupdates | grep -iE 'cryptography|openssl|python' && echo 'security-relevant updates pending'
  • Subscribe to arch-security and watch the Arch Linux security tracker for upstream changes.

  • Run a local mirror for controlled rollouts:

    sudo pacman -S --needed rsync
    rsync -azH --delete rsync://mirrors.kernel.org/archlinux/ /srv/mirror/archlinux/
    # Point /etc/pacman.d/mirrorlist on clients at the local mirror.
  • Hold sensitive packages via IgnorePkg in /etc/pacman.conf only when you have a roll-forward plan — do not leave them held indefinitely or you defeat the rolling-release model.

  • Monitor file integrity with AIDE:

    sudo pacman -S aide
    sudo aide --init && sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
    sudo aide --check
  • Enable AppArmor for confinement of network-facing daemons (Arch has no SELinux by default):

    sudo pacman -S apparmor
    sudo systemctl enable --now apparmor
    sudo aa-status
  • Audit AUR helpers and rebuild AUR packages whenever a major repo lib changes (glibc, openssl, icu, etc.); checkrebuild from the rebuild-detector package lists the ones with broken links.

  • Inventory pip/venv copies of cryptography alongside the repo package; pacman never upgrades them. pip-audit (from the PyPA) checks a virtualenv against the PyPI advisory database and flags an affected cryptography version:

    <venv>/bin/pip install pip-audit
    <venv>/bin/pip-audit

  • Apply the Arch Linux Security wiki hardening guide and remove unused packages with pacman -Qtdq.

Related Errors & Cross-Refs

Issues that commonly surface alongside this advisory: partial-upgrade breakage (a python-cryptography built against a newer python or openssl than the host has, showing up as ImportError or undefined-symbol errors on import), a stale pacman database lock, mirrors that lag the advisory, and pip/venv copies that keep the old version after the package was fixed. Useful triage:

sudo pacman -Dk                              # sanity-check the local pacman DB
ls -l /var/lib/pacman/db.lck 2>/dev/null     # stale lock from an interrupted transaction (remove only if no pacman is running)
python -c 'import cryptography' 2>&1 | tail -3   # ImportError / undefined symbol = mismatched versions
checkupdates
rankmirrors -n 5 /etc/pacman.d/mirrorlist    # pacman-contrib; find a mirror that is not lagging


References & Further Reading

Primary reference: Arch ASA ASA-202102-36 (AVG-1541, CVE-2020-36242). Manual pages useful on Arch Linux:

man pacman
man pacman.conf
man pactree
man vercmp
man systemctl
man journalctl
man checkupdates
man paccheck
man aa-status

Other resources: wiki.archlinux.org (System maintenance, Security and Arch Linux Archive pages), the Arch security tracker, the Arch Linux Archive, the upstream cryptography changelog for 3.3.2, and any notes the package ships under /usr/share/doc/python-cryptography/ (not every package provides that directory).
