oss-sec mailing list archives

CVE Request: Cryptography 1.5.3: HKDF might return an empty byte-string


From: Andrej Nemec <anemec () redhat com>
Date: Tue, 8 Nov 2016 14:06:14 +0100

Hello all,

A security issue was fixed in Cryptography 1.5.3 and disclosed publicly
in the changelog, posted below:

1.5.3 - 2016-11-05

* Security issue: Fixed a bug where HKDF would return an empty
byte-string if used with a length less than algorithm.digest_size.
Credit to Markus Döring for reporting the issue.

Changelog:

https://cryptography.io/en/latest/changelog/#id1

Upstream bug:

https://github.com/pyca/cryptography/issues/3211

Upstream patch:

https://github.com/pyca/cryptography/commit/b924696b2e8731f39696584d12cceeb3aeb2d874

Mitre, would you mind assigning a CVE number for this issue? Thanks!

Best Regards,

-- 
Andrej Nemec, Red Hat Product Security
3701 3214 E472 A9C3 EFBE 8A63 8904 44A1 D57B 6DDA

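As an added illustration of the edge case named in the changelog (not code from the pyca/cryptography project or from the poster), the following is a plain RFC 5869 HKDF in Python's standard library whose expand loop is driven by bytes produced rather than by whole digests, plus a post-condition that refuses to hand back fewer bytes than requested; it uses the RFC 5869 Appendix A test vector, and the `derive` helper and the constant names are assumptions of this example.

```python
import hashlib
import hmac


def hkdf_extract(salt: bytes, ikm: bytes, hash_name: str = "sha256") -> bytes:
    """HKDF-Extract (RFC 5869 section 2.2): PRK = HMAC-Hash(salt, IKM)."""
    if not salt:
        salt = b"\x00" * hashlib.new(hash_name).digest_size
    return hmac.new(salt, ikm, hash_name).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """HKDF-Expand (RFC 5869 section 2.3).

    The loop continues until at least `length` bytes exist, so a request
    shorter than one digest (the case fixed in Cryptography 1.5.3) still
    performs one HMAC iteration and returns a `length`-byte prefix.
    """
    digest_size = hashlib.new(hash_name).digest_size
    if length < 0 or length > 255 * digest_size:
        raise ValueError("length must be between 0 and 255 * digest_size")
    okm = b""
    block = b""      # T(0) is the empty string
    counter = 1
    while len(okm) < length:
        # T(i) = HMAC-Hash(PRK, T(i-1) | info | i)
        block = hmac.new(prk, block + info + bytes([counter]), hash_name).digest()
        okm += block
        counter += 1
    out = okm[:length]
    # Post-condition a caller can rely on: never return a key shorter than
    # requested. An empty key is accepted silently by most callers, which is
    # what made the original bug a security issue rather than a crash.
    if len(out) != length:
        raise RuntimeError("HKDF produced %d bytes, expected %d" % (len(out), length))
    return out


# RFC 5869 Appendix A, test case 1 (SHA-256); names are this example's own.
RFC5869_IKM = bytes.fromhex("0b" * 22)
RFC5869_SALT = bytes.fromhex("000102030405060708090a0b0c")
RFC5869_INFO = bytes.fromhex("f0f1f2f3f4f5f6f7f8f9")
RFC5869_OKM = bytes.fromhex(
    "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
    "34007208d5b887185865"
)


def derive(length: int) -> bytes:
    """Derive `length` bytes from the RFC 5869 inputs (a prefix of the vector)."""
    prk = hkdf_extract(RFC5869_SALT, RFC5869_IKM)
    return hkdf_expand(prk, RFC5869_INFO, length)
```

Checking a library against a length shorter than the digest (for example 16 bytes with SHA-256) is the regression test this fix calls for: the output must be exactly that many bytes and a prefix of the full-length output.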