Date: Tue, 8 Nov 2016 14:06:14 +0100
From: Andrej Nemec <>
Subject: CVE Request: Cryptography 1.5.3: HKDF might return an empty

Hello all,

A security issue was fixed in Cryptography 1.5.3 and disclosed publicly
in the changelog, posted below:

1.5.3 - 2016-11-05

* Security issue: Fixed a bug where HKDF would return an empty
byte-string if used with a length less than algorithm.digest_size.
Credit to Markus Döring for reporting the issue.


Upstream bug:

Upstream patch:

Mitre, would you mind assigning a CVE number for this issue? Thanks!

Best Regards,

Andrej Nemec, Red Hat Product Security
3701 3214 E472 A9C3 EFBE 8A63 8904 44A1 D57B 6DDA
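
The failure described in the changelog can be caught by a caller-side length check. The following is an added example, not part of the original message and not code from the Cryptography project: a standard-library HKDF written from RFC 5869 for comparison, plus a guard that rejects any derived key whose size differs from the requested length. The function names and the `derive` callable are assumptions made for illustration.

```python
import hashlib
import hmac


def hkdf_reference(ikm, salt, info, length, hash_name="sha256"):
    """RFC 5869 extract-then-expand using only the standard library."""
    digest_size = hashlib.new(hash_name).digest_size
    if not 0 < length <= 255 * digest_size:
        raise ValueError("length out of range for HKDF")
    # Extract: an absent salt is replaced by digest_size zero bytes.
    prk = hmac.new(salt or b"\x00" * digest_size, ikm, hash_name).digest()
    # Expand: at least one block is always produced, even when
    # length < digest_size; the result is then truncated.
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hash_name).digest()
        okm += block
        counter += 1
    return okm[:length]


def checked_derive(derive, length):
    """Call derive(length); refuse output that is not exactly `length` bytes."""
    key = derive(length)
    if len(key) != length:
        raise RuntimeError(f"KDF returned {len(key)} bytes, expected {length}")
    return key


def short_length_failures(derive, digest_size):
    """Return every length in 1..digest_size for which derive() fails the check."""
    bad = []
    for n in range(1, digest_size + 1):
        try:
            checked_derive(derive, n)
        except RuntimeError:
            bad.append(n)
    return bad


def empty_below_digest_size(n):
    """Constructed stand-in reproducing only the symptom in the changelog."""
    return b"" if n < 32 else hkdf_reference(b"ikm", b"salt", b"info", n)
```

To check an installed library, pass a `derive` callable that wraps its HKDF with fixed input key material, salt and info; `short_length_failures` returns an empty list when every short length yields a key of the right size.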
