oss-sec mailing list archives
CVE Request: Cryptography 1.5.3: HKDF might return an empty byte-string
From: Andrej Nemec <anemec () redhat com>
Date: Tue, 8 Nov 2016 14:06:14 +0100
Hello all, A security issue was fixed in Cryptography 1.5.3 and disclosed publicly in the changelog, posted below: 1.5.3 - 2016-11-05 * Security issue: Fixed a bug where HKDF would return an empty byte-string if used with a length less than algorithm.digest_size. Credit to Markus Döring for reporting the issue. Changelog: https://cryptography.io/en/latest/changelog/#id1 Upstream bug: https://github.com/pyca/cryptography/issues/3211 Upstream patch: https://github.com/pyca/cryptography/commit/b924696b2e8731f39696584d12cceeb3aeb2d874 Mitre, would you mind assigning a CVE number for this issue? Thanks! Best Regards, -- Andrej Nemec, Red Hat Product Security 3701 3214 E472 A9C3 EFBE 8A63 8904 44A1 D57B 6DDA
Attachment:
signature.asc
Description: OpenPGP digital signature
Current thread:
- CVE Request: Cryptography 1.5.3: HKDF might return an empty byte-string Andrej Nemec (Nov 08)
- Re: CVE Request: Cryptography 1.5.3: HKDF might return an empty byte-string cve-assign (Nov 08)