Security update for python-cryptography SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2018:3445-1 Final 1 1 2018-10-25T12:26:34Z current 2018-10-25T12:26:34Z 2018-10-25T12:26:34Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for python-cryptography This update for python-cryptography fixes the following issues: - CVE-2018-10903: The finalize_with_tag API did not enforce a minimum tag length. If a user did not validate the input length prior to passing it to finalize_with_tag an attacker could craft an invalid payload with a shortened tag (e.g. 1 byte) such that they would have a 1 in 256 chance of passing the MAC check. GCM tag forgeries could have caused key leakage (bsc#1101820). This update was imported from the SUSE:SLE-15:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) http://lists.opensuse.org/opensuse-security-announce/2018-10/msg00065.html E-Mail link for openSUSE-SU-2018:3445-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 15.0 python-cryptography-2.1.4-lp150.3.3.1 python2-cryptography-2.1.4-lp150.3.3.1 python3-cryptography-2.1.4-lp150.3.3.1 python-cryptography-2.1.4-lp150.3.3.1 as a component of openSUSE Leap 15.0 python2-cryptography-2.1.4-lp150.3.3.1 as a component of openSUSE Leap 15.0 python3-cryptography-2.1.4-lp150.3.3.1 as a component of openSUSE Leap 15.0 A flaw was found in python-cryptography versions between >=1.9.0 and <2.3. The finalize_with_tag API did not enforce a minimum tag length. If a user did not validate the input length prior to passing it to finalize_with_tag an attacker could craft an invalid payload with a shortened tag (e.g. 1 byte) such that they would have a 1 in 256 chance of passing the MAC check. GCM tag forgeries can cause key leakage. CVE-2018-10903 openSUSE Leap 15.0:python-cryptography-2.1.4-lp150.3.3.1 openSUSE Leap 15.0:python2-cryptography-2.1.4-lp150.3.3.1 openSUSE Leap 15.0:python3-cryptography-2.1.4-lp150.3.3.1 important Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2018-10/msg00065.html https://www.suse.com/security/cve/CVE-2018-10903.html CVE-2018-10903 https://bugzilla.suse.com/1101820 SUSE Bug 1101820