What Are You Looking For?

Sign Up
MGASA-2018-0429 - Updated python-cryptography packages fix security vulnerability

Publication date: 03 Nov 2018
URL: https://advisories.mageia.org/MGASA-2018-0429.html
Type: security
Affected Mageia releases: 6
CVE: CVE-2018-10903

The python-cryptography and python-cryptography-vectors packages have
been updated to version 2.3.1 and fixes the following security issue:

The finalize_with_tag API did not enforce a minimum tag length. If a
user did not validate the input length prior to passing it to
finalize_with_tag an attacker could craft an invalid payload with a
shortened tag (e.g. 1 byte) such that they would have a 1 in 256 chance
of passing the MAC check. GCM tag forgeries can cause key leakage
(CVE-2018-10903).

References:
- https://bugs.mageia.org/show_bug.cgi?id=23339
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/VKC5JVSO26YBOAYNY4HDSDFREMO4DS67/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10903

SRPMS:
- 6/core/python-cryptography-2.3.1-1.mga6
- 6/core/python-cryptography-vectors-2.3.1-1.mga6

Mageia 2018-0429: python-cryptography security update

The python-cryptography and python-cryptography-vectors packages have been updated to version 2.3.1 and fixes the following security issue: The finalize_with_tag API did not enfor...

Summary

The python-cryptography and python-cryptography-vectors packages have been updated to version 2.3.1 and fixes the following security issue:
The finalize_with_tag API did not enforce a minimum tag length. If a user did not validate the input length prior to passing it to finalize_with_tag an attacker could craft an invalid payload with a shortened tag (e.g. 1 byte) such that they would have a 1 in 256 chance of passing the MAC check. GCM tag forgeries can cause key leakage (CVE-2018-10903).

References

- https://bugs.mageia.org/show_bug.cgi?id=23339

- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/VKC5JVSO26YBOAYNY4HDSDFREMO4DS67/

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10903

Resolution

MGASA-2018-0429 - Updated python-cryptography packages fix security vulnerability

SRPMS

- 6/core/python-cryptography-2.3.1-1.mga6

- 6/core/python-cryptography-vectors-2.3.1-1.mga6

Severity
Publication date: 03 Nov 2018
URL: https://advisories.mageia.org/MGASA-2018-0429.html
Type: security
CVE: CVE-2018-10903

Related News

Linux version of Qilin ransomware focuses on VMware ESXi

Dec 4, 2023

OpenSSL 3.2 Adds Support for TCP Fast Open on Linux, Argon2 KDF, and More

Nov 27, 2023

Firefox 119 Starts to Roll Out Improved Firefox View Feature, Ramps Up Privacy and Security

Oct 25, 2023

Linux 6.6 Brings New Scheduler, File Sharing and Security

Nov 2, 2023

News

Advisories

HOWTOs

Features

Using Open Source to Ensure Compliance & Data Integrity through Data Governance
Critical Linux Kernel Bugs Lead to DoS, Privilege Escalation - Patch Now!
Unlocking the Future of Authentication: Passkeys vs. Passwords
Empowering MSPs with Straightforward Linux Device Management
A Complete Guide to Torrenting Safely in 2024

About Us

Powered By

Footer Logo