Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 8 Nov 2016 14:06:14 +0100
From: Andrej Nemec <anemec@...hat.com>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: CVE Request: Cryptography 1.5.3: HKDF might return an empty
 byte-string

Hello all,

A security issue was fixed in Cryptography 1.5.3 and disclosed publicly
in the changelog, posted below:

1.5.3 - 2016-11-05

* Security issue: Fixed a bug where HKDF would return an empty
byte-string if used with a length less than algorithm.digest_size.
Credit to Markus Döring for reporting the issue.

Changelog:

https://cryptography.io/en/latest/changelog/#id1

Upstream bug:

https://github.com/pyca/cryptography/issues/3211

Upstream patch:

https://github.com/pyca/cryptography/commit/b924696b2e8731f39696584d12cceeb3aeb2d874

Mitre, would you mind assigning a CVE number for this issue? Thanks!

Best Regards,

-- 
Andrej Nemec, Red Hat Product Security
3701 3214 E472 A9C3 EFBE 8A63 8904 44A1 D57B 6DDA


[ CONTENT OF TYPE text/html SKIPPED ]

[ CONTENT OF TYPE application/pgp-signature SKIPPED ]

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ