Yasuke/moto
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Addresses security vulnerability in cryptography<2.3

Browse Source 
Discovered using pipenv's security check feature that there's a vulnerability in the cryptography package versions<2.3.

> Checking installed package safety...
36351: cryptography >=1.9.0,<2.3 resolved (2.2.2 installed)!
python-cryptography versions >=1.9.0 and <2.3 did not enforce a minimum tag length for finalize_with_tag API. If a user did not validate the input length prior to passing it to finalize_with_tag an attacker could craft an invalid payload with a shortened tag (e.g. 1 byte) such that they would have a 1 in 256 chance of passing the MAC check. GCM tag forgeries can cause key leakage.

More details here: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10903
This commit is contained in:
Justin Eyster 2018-09-24 15:58:35 -04:00
parent 57f9691a52
commit 8bdcc6244d
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
setup.py
View File

@ -10,7 +10,7 @@ install_requires = [
"boto>=2.36.0", "boto>=2.36.0",
"boto3>=1.6.16,<1.8", "boto3>=1.6.16,<1.8",
"botocore>=1.9.16,<1.11", "botocore>=1.9.16,<1.11",
"cryptography>=2.0.0", "cryptography>=2.3.0",
"requests>=2.5", "requests>=2.5",
"xmltodict", "xmltodict",
"six>1.9", "six>1.9",