Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Wed, 9 Nov 2016 00:44:42 -0500
From: <cve-assign@...re.org>
To: <anemec@...hat.com>
CC: <cve-assign@...re.org>, <oss-security@...ts.openwall.com>
Subject: Re: CVE Request: Cryptography 1.5.3: HKDF might return an empty byte-string

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> 1.5.3 - 2016-11-05
> 
> * Security issue: Fixed a bug where HKDF would return an empty
> byte-string if used with a length less than algorithm.digest_size.
> Credit to Markus Doering for reporting the issue.
> 
> https://cryptography.io/en/latest/changelog/#id1
> https://github.com/pyca/cryptography/issues/3211
> https://github.com/pyca/cryptography/commit/b924696b2e8731f39696584d12cceeb3aeb2d874

>> hazmat/primitives/kdf/hkdf.py
>> 
>> -  while (self._algorithm.digest_size // 8) * len(output) < self._length:
>> +  while self._algorithm.digest_size * (len(output) - 1) < self._length:

Use CVE-2016-9243.

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJYIrdLAAoJEHb/MwWLVhi20v8P/12FFKS4lmHBohPiqZfVYIVf
FVVBabdQeQKkm/T/zs+Dn0itq4FZX/jo3GYiJfC9zX7EPtmOq6QQQmKZImDeD72m
Tt3eMzUCdN5ofWm9+QHzi4Bg9Gh5ZtTQU1VppMslSxKCl5bB5kliEr+KH5iBndCw
ElvNUpqsODuqiajKwY5F+jTu7wazdxbG8vGds2dTy19SsBx+xOTP4wFt5vIKc4TN
s06d5AV7qJ9fZkXQgR62T2+huElM0yCYf7qx7B36YyT8Sj4pKrLAm/QdMx8e5azn
gEmvp6afOtXv+o+lqXQcsExQtHEz3W0ezVCsAZqA4ckGxSxcNZ2JwfQQizO/kHVK
+TMkYnMchlr80ev61VTV7AbXTnn/RHbHkHQA3nRRKXbR+umqzpcrpB4wFELwLqw9
hchlE5DebRoYGVSiFPTKsTmYca2OelbmEQcz7fRbaha1g2G6BoR9/bRPfZTj7PBk
J1yHdJqfF15EQUamOUpzSAzNubHly0jdOKNSE2kUMWZFCsDcvbsC/Hsvn2YXn7We
KlMWBZ7z1BdC7UEuNpDozVG9Dc62gX187+czppqmAaw9BD9cGH92QVghTsZ5Zxj3
UXrP0nt96ImQC/OlDVcdpUvqKE77K2Zb5OVFWLgU69VyaUc/oRMch6TgJ4VpCm6/
elSR/llcBZcHjvKLrYwP
=4CW6
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ