Advisories » MGASA-2018-0429

Updated python-cryptography packages fix security vulnerability

Publication date: 03 Nov 2018
Modification date: 10 Nov 2018
Type: security
Affected Mageia releases : 6
CVE: CVE-2018-10903

Description

The python-cryptography and python-cryptography-vectors packages have
been updated to version 2.3.1 and fixes the following security issue:

The finalize_with_tag API did not enforce a minimum tag length. If a
user did not validate the input length prior to passing it to
finalize_with_tag an attacker could craft an invalid payload with a
shortened tag (e.g. 1 byte) such that they would have a 1 in 256 chance
of passing the MAC check. GCM tag forgeries can cause key leakage
(CVE-2018-10903).
                

References

• https://bugs.mageia.org/show_bug.cgi?id=23339
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/VKC5JVSO26YBOAYNY4HDSDFREMO4DS67/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10903

SRPMS

6/core

• python-cryptography-2.3.1-1.mga6
• python-cryptography-vectors-2.3.1-1.mga6
• python-asn1crypto-0.22.0-1.1.mga6
• python-cffi-1.7.0-1.mga6