From 8bdcc6244d118ab58d8eb50ceb0a15dfbeeecdf6 Mon Sep 17 00:00:00 2001
From: Justin Eyster
Date: Mon, 24 Sep 2018 15:58:35 -0400
Subject: [PATCH] Addresses security vulnerability in cryptography<2.3

Discovered using pipenv's security check feature that there's a vulnerability in the cryptography package versions<2.3. > Checking installed package safety... 36351: cryptography >=1.9.0,<2.3 resolved (2.2.2 installed)! python-cryptography versions >=1.9.0 and <2.3 did not enforce a minimum tag length for finalize_with_tag API. If a user did not validate the input length prior to passing it to finalize_with_tag an attacker could craft an invalid payload with a shortened tag (e.g. 1 byte) such that they would have a 1 in 256 chance of passing the MAC check. GCM tag forgeries can cause key leakage. More details here: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10903
---
 setup.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/setup.py b/setup.py
index dad9ab9bb..98780dd5a 100755
--- a/setup.py
+++ b/setup.py
@@ -10,7 +10,7 @@ install_requires = [
 "boto>=2.36.0",
 "boto3>=1.6.16,<1.8",
 "botocore>=1.9.16,<1.11",
- "cryptography>=2.0.0",
+ "cryptography>=2.3.0",
 "requests>=2.5",
 "xmltodict",
 "six>1.9",