Security: Insufficient error handling in python-cryptography
Name: Insufficient error handling in python-cryptography
ID: USN-3138-1
Distribution: Ubuntu
Platforms: Ubuntu 16.04 LTS, Ubuntu 16.10
Date: Mon, 28 November 2016, 23:43
References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9243
Applications: PyCA cryptography

Original message

From: Marc Deslauriers <marc.deslauriers@canonical.com>
Reply-To: Ubuntu Security <security@ubuntu.com>
To: ubuntu-security-announce@lists.ubuntu.com
Message-ID: <69d566ea-fc76-8c02-d1f4-eba2a5ecc999@canonical.com>
Subject: [USN-3138-1] python-cryptography vulnerability


==========================================================================
Ubuntu Security Notice USN-3138-1
November 28, 2016

python-cryptography vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.10
- Ubuntu 16.04 LTS

Summary:

python-cryptography could generate incorrect keys.

Software Description:
- python-cryptography: Cryptography Python library

Details:

Markus Döring discovered that python-cryptography incorrectly handled
certain HKDF lengths. This could result in python-cryptography returning an
empty string instead of the expected derived key.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.10:
python-cryptography 1.5-2ubuntu0.1
python3-cryptography 1.5-2ubuntu0.1

Ubuntu 16.04 LTS:
python-cryptography 1.2.3-1ubuntu0.1
python3-cryptography 1.2.3-1ubuntu0.1

In general, a standard system update will make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-3138-1
CVE-2016-9243

Package Information:
https://launchpad.net/ubuntu/+source/python-cryptography/1.5-2ubuntu0.1
https://launchpad.net/ubuntu/+source/python-cryptography/1.2.3-1ubuntu0.1
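
Added example (not part of the Ubuntu notice and not code from the python-cryptography project): a fail-closed length check that a caller can put around any HKDF call, so that an empty or short derived key like the one described under Details is rejected instead of used. hkdf_sha256 is a standard-library reference implementation of RFC 5869; faulty_kdf, derive_checked and demo are hypothetical names, and faulty_kdf is a constructed stand-in whose threshold is arbitrary.

```python
import hashlib
import hmac
import math

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes for SHA-256


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """Reference HKDF (RFC 5869) with SHA-256, standard library only."""
    if not 1 <= length <= 255 * HASH_LEN:
        raise ValueError("length must be between 1 and 255 * HashLen")
    # Extract: PRK = HMAC(salt, IKM); an empty salt means HashLen zero bytes.
    prk = hmac.new(salt or b"\x00" * HASH_LEN, ikm, HASH).digest()
    # Expand: T(i) = HMAC(PRK, T(i-1) | info | i), concatenated and truncated.
    okm, block = b"", b""
    for i in range(1, math.ceil(length / HASH_LEN) + 1):
        block = hmac.new(prk, block + info + bytes([i]), HASH).digest()
        okm += block
    return okm[:length]


def faulty_kdf(ikm, salt, info, length):
    """Constructed stand-in for a broken KDF: empty output for short lengths.
    The threshold of 16 is arbitrary, not the library's real condition."""
    return b"" if length < 16 else hkdf_sha256(ikm, salt, info, length)


def derive_checked(kdf, ikm, salt, info, length):
    """Fail closed: never hand back a key that is not exactly `length` bytes."""
    key = kdf(ikm, salt, info, length)
    if not isinstance(key, (bytes, bytearray)) or len(key) != length:
        raise RuntimeError(f"KDF output is not exactly {length} bytes; refusing key")
    return bytes(key)


def demo():
    # Constructed inputs; an 8-byte key is requested from both KDFs.
    ikm, salt, info = b"\x0b" * 22, b"constructed-salt", b"constructed-info"
    results = {}
    for name, kdf in (("reference", hkdf_sha256), ("faulty", faulty_kdf)):
        try:
            results[name] = len(derive_checked(kdf, ikm, salt, info, 8))
        except RuntimeError as exc:
            results[name] = str(exc)
    return results


if __name__ == "__main__":
    print(demo())
```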


