From 30db653f146f47620611df32a92eaa4f45ea0cda Mon Sep 17 00:00:00 2001
From: Jon Parise
Date: Wed, 31 Oct 2018 09:35:44 -0700
Subject: [PATCH] Upgrade to cryptography 2.3.1

This addresses CVE-2018-10903:

A flaw was found in python-cryptography versions between >=1.9.0 and <2.3. The finalize_with_tag API did not enforce a minimum tag length. If a user did not validate the input length prior to passing it to finalize_with_tag an attacker could craft an invalid payload with a shortened tag (e.g. 1 byte) such that they would have a 1 in 256 chance of passing the MAC check. GCM tag forgeries can cause key leakage.

... although snappass isn't affected because we doesn't use the vulnerable `finalize_with_tag` API.
---
 CHANGELOG.rst | 5 +++++
 requirements.txt | 2 +-
 setup.py | 2 +-
 3 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index fdec35a..60e79ae 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -1,3 +1,8 @@
+Version 1.4.1
+-------------
+ * Upgraded cryptography to 2.3.1 (for CVE-2018-10903, although snappass is
+ unaffected because it doesn't use the vulnerable ``finalize_with_tag`` API)
+
 Version 1.4.0
 -------------
 *You will lose stored passwords during the upgrade to this version*
diff --git a/requirements.txt b/requirements.txt
index 32eb1c8..795a483 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -4,5 +4,5 @@ MarkupSafe==1.0
 Werkzeug==0.14.1
 itsdangerous==0.24
 redis==2.10.6
-cryptography==2.2.2
+cryptography==2.3.1
 mock==2.0.0
diff --git a/setup.py b/setup.py
index ed1003e..28287be 100644
--- a/setup.py
+++ b/setup.py
@@ -2,7 +2,7 @@ from setuptools import setup
 
 setup(
 name='snappass',
- version='1.4.0',
+ version='1.4.1',
 description="It's like SnapChat... for Passwords.",
 long_description=(open('README.rst').read() + '\n\n' +
 open('AUTHORS.rst').read()),