Addresses security vulnerability in cryptography <2.3

Discovered, using pipenv's security check feature, that there's a vulnerability in the cryptography package versions <2.3.

> Checking installed package safety...
> 36351: cryptography >=1.9.0,<2.3 resolved (2.2.2 installed)!
> python-cryptography versions >=1.9.0 and <2.3 did not enforce a minimum tag length for finalize_with_tag API. If a user did not validate the input length prior to passing it to finalize_with_tag an attacker could craft an invalid payload with a shortened tag (e.g. 1 byte) such that they would have a 1 in 256 chance of passing the MAC check. GCM tag forgeries can cause key leakage.

More details here: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10903
Justin Eyster 2018-09-24 15:58:35 -04:00
parent 57f9691a52
commit 8bdcc6244d
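The input-length validation the advisory refers to, as an added example (not part of this commit, of pipenv, or of the cryptography project): the tag is checked for the full 16-byte length before it ever reaches finalize_with_tag, so a truncated tag is rejected regardless of which library version is installed. The key, nonce and tag values are constructed for the example.

```python
"""Added example: refuse truncated GCM tags before calling finalize_with_tag.

cryptography >=1.9.0,<2.3 (CVE-2018-10903) accepted a shortened tag, so a
1-byte tag gave a forger a 1-in-256 chance. Checking the length in the
caller closes that window even on an unpatched library.
"""

GCM_TAG_LEN = 16  # full 128-bit tag; anything shorter weakens the MAC


class InvalidTag(Exception):
    """Raised when the tag is malformed or authentication fails."""


def check_tag_length(tag: bytes, expected: int = GCM_TAG_LEN) -> bool:
    """Return True only for a bytes-like tag of exactly the expected length."""
    return isinstance(tag, (bytes, bytearray)) and len(tag) == expected


def gcm_decrypt(key: bytes, nonce: bytes, ciphertext: bytes, tag: bytes,
                aad: bytes = b"") -> bytes:
    """AES-GCM decrypt that rejects a short tag before any crypto runs."""
    if not check_tag_length(tag):
        raise InvalidTag(f"tag must be {GCM_TAG_LEN} bytes, got {len(tag)}")
    # Imported here so the length check above works even where the
    # cryptography package is not installed.
    from cryptography.exceptions import InvalidTag as LibInvalidTag
    from cryptography.hazmat.backends import default_backend
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    # From 2.3 on the library also enforces min_tag_length (default 16);
    # the explicit check above is defence in depth for older installs.
    decryptor = Cipher(algorithms.AES(key), modes.GCM(nonce),
                       backend=default_backend()).decryptor()
    decryptor.authenticate_additional_data(aad)
    plaintext = decryptor.update(ciphertext)
    try:
        plaintext += decryptor.finalize_with_tag(tag)
    except LibInvalidTag as exc:
        raise InvalidTag("GCM authentication failed") from exc
    return plaintext


def rejects_truncated_tag() -> bool:
    """Constructed input: a 1-byte tag must be refused before decryption."""
    try:
        gcm_decrypt(b"k" * 16, b"n" * 12, b"", b"\x00")
    except InvalidTag:
        return True
    return False
```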


@ -10,7 +10,7 @@ install_requires = [
"boto>=2.36.0",
"boto3>=1.6.16,<1.8",
"botocore>=1.9.16,<1.11",
"cryptography>=2.0.0",
"cryptography>=2.3.0",
"requests>=2.5",
"xmltodict",
"six>1.9",
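Review bot: the new floor `"cryptography>=2.3.0"` matches the advisory's affected range (>=1.9.0, <2.3), but unlike the neighbouring `boto3` and `botocore` pins it has no upper bound, so a later incompatible cryptography release would be pulled in silently; consider adding one if the project's other pins reflect a tested range. Also note that raising `install_requires` only affects fresh installs, so the environment that reported `2.2.2 installed` still needs an explicit upgrade.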