Advisories ยป MGASA-2018-0429

Updated python-cryptography packages fix security vulnerability

Publication date: 03 Nov 2018
Type: security
Affected Mageia releases : 6
CVE: CVE-2018-10903


The python-cryptography and python-cryptography-vectors packages have
been updated to version 2.3.1 and fixes the following security issue:

The finalize_with_tag API did not enforce a minimum tag length. If a
user did not validate the input length prior to passing it to
finalize_with_tag an attacker could craft an invalid payload with a
shortened tag (e.g. 1 byte) such that they would have a 1 in 256 chance
of passing the MAC check. GCM tag forgeries can cause key leakage