Alerts This Week
Warning Icon 1 700
Alerts This Week
Warning Icon 1 700

Fedora: 2018-06c24068c6 Moderate: Python-Cryptography Tag Forgery Issue

fedora
Calendar Grey July 31, 2018
Dist Fedora Esm H88
Fedora security notice releases Python cryptography 2.3, resolving tag spoofing vulnerabilities and enhancing interoperability.
# New upstream release 2.3 Fixes possible tag truncation security bug in AEAD API, see RHBZ#1602752 ## 2.3 - 2018-07-18 * SECURITY ISSUE: finalize_with_tag() allowed tag truncation...

Summary

cryptography is a package designed to expose cryptographic primitives and

recipes to Python developers.

# New upstream release 2.3 Fixes possible tag truncation security bug in AEAD

API, see RHBZ#1602752 ## 2.3 - 2018-07-18 * SECURITY ISSUE:

finalize_with_tag() allowed tag truncation by default which can allow tag

forgery in some cases. The method now enforces the min_tag_length provided to

the GCM constructor. * Added support for Python 3.7. * Added extract_timestamp()

to get the authenticated timestamp of a Fernet token. * Support for Python 2.7.x

without hmac.compare_digest has been deprecated. We will require Python 2.7.7 or

higher (or 2.7.6 on Ubuntu) in the next cryptography release. * Fixed multiple

issues preventing cryptography from compiling against LibreSSL 2.7.x. * Added

get_revoked_certificate_by_serial_number for quick serial number searches in

CRLs. * The RelativeDistinguishedName class now preserves the order of

attributes. Duplicate attributes now raise an error instead of silently

discarding duplicates. * aes_key_unwrap() and aes_key_unwrap_with_padding() now

raise InvalidUnwrap if the wrapped key is an invalid length, instead of

ValueError.

* Wed Jul 18 2018 Christian Heimes - 2.3-1

- New upstream release 2.3

- Fix AEAD tag truncation bug, RHBZ#1602752

* Sun Feb 18 2018 Christian Heimes - 2.0.2-4

- Build requires gcc

* Tue Oct 24 2017 Christian Heimes - 2.0.2-3

- Change Requires to openssl-libs

[ 1 ] Bug #1602752 - Possible tag truncation security bug in AEAD API

https://bugzilla.redhat.com/show_bug.cgi?id=1602752

su -c 'dnf upgrade --advisory FEDORA-2018-06c24068c6' at the command

line. For more information, refer to the dnf documentation available at

https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the

GPG keys used by the Fedora Project can be found at

https://fedoraproject.org/security/

package-announce mailing list -- package-announce@lists.fedoraproject.org

To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org

Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/

List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines

List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ISAT5OZONFGZZYASZFASPLT33NHEB3MN/

Topics%20covered

Topics Covered

security advisory security update security issue Fedora python cryptography tag forgery AEAD API

Change Log

References

Update Instructions

Product: Fedora 27
Version: 2.3
Release: 1.fc27
URL: https://cryptography.io/en/latest/
Summary: PyCA's cryptography library

Topics%20covered

Topics Covered

security advisory security update security issue Fedora python cryptography tag forgery AEAD API

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Related News

Your message here