Date: Tue, 8 Nov 2016 14:06:14 +0100
From: Andrej Nemec <anemec@...hat.com>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: CVE Request: Cryptography 1.5.3: HKDF might return an empty byte-string

Hello all,

A security issue was fixed in Cryptography 1.5.3 and disclosed publicly in the changelog, posted below:

1.5.3 - 2016-11-05

* Security issue: Fixed a bug where HKDF would return an empty byte-string if used with a length less than algorithm.digest_size. Credit to Markus Döring for reporting the issue.

Changelog:
https://cryptography.io/en/latest/changelog/#id1

Upstream bug:
https://github.com/pyca/cryptography/issues/3211

Upstream patch:
https://github.com/pyca/cryptography/commit/b924696b2e8731f39696584d12cceeb3aeb2d874

Mitre, would you mind assigning a CVE number for this issue?

Thanks!

Best Regards,

-- 
Andrej Nemec, Red Hat Product Security
3701 3214 E472 A9C3 EFBE 8A63 8904 44A1 D57B 6DDA
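As an added illustration, not part of this mail and not pyca/cryptography's own code: an RFC 5869 HKDF in Python whose expand step rounds the block count up, beside a constructed loop (hkdf_expand_floor_bug) that rounds it down and so reproduces the empty-output failure mode the changelog describes for length < digest_size. derive_key shows the output-length check a caller can make regardless of which library implements the KDF.

```python
import hashlib
import hmac
import math


def hkdf_extract(salt: bytes, ikm: bytes, hash_name: str = "sha256") -> bytes:
    """PRK = HMAC-Hash(salt, IKM); an empty salt is replaced by HashLen zero bytes."""
    if not salt:
        salt = b"\x00" * hashlib.new(hash_name).digest_size
    return hmac.new(salt, ikm, hash_name).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """OKM = T(1) | T(2) | ... truncated to `length` bytes (RFC 5869 section 2.3)."""
    digest_size = hashlib.new(hash_name).digest_size
    if not 0 < length <= 255 * digest_size:
        raise ValueError("length must be between 1 and 255 * HashLen")
    # ceil(), not floor(): a request shorter than one digest still needs one block
    okm, t = b"", b""
    for i in range(1, math.ceil(length / digest_size) + 1):
        t = hmac.new(prk, t + info + bytes([i]), hash_name).digest()
        okm += t
    return okm[:length]


def hkdf_expand_floor_bug(prk: bytes, info: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """Constructed reproduction (not the upstream code) of the failure mode in the
    changelog: sizing the loop by floor division runs zero rounds, and so returns
    b"", whenever length < HashLen."""
    digest_size = hashlib.new(hash_name).digest_size
    okm, t = b"", b""
    for i in range(1, length // digest_size + 1):
        t = hmac.new(prk, t + info + bytes([i]), hash_name).digest()
        okm += t
    return okm[:length]


def derive_key(ikm: bytes, salt: bytes, info: bytes, length: int,
               hash_name: str = "sha256", expand=hkdf_expand) -> bytes:
    """Derive a key and refuse a result of the wrong size: the cheap check that
    would have caught this bug in any caller."""
    okm = expand(hkdf_extract(salt, ikm, hash_name), info, length, hash_name)
    if len(okm) != length:
        raise ValueError(f"KDF returned {len(okm)} bytes, expected {length}")
    return okm
```

The correct expand is checked against RFC 5869 test case 1, and the short-output case (16 bytes from SHA-256) is the exact prefix of a longer derivation, which is the property the buggy loop loses.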