Upgrade to cryptography 2.3.1

This addresses CVE-2018-10903:

    A flaw was found in python-cryptography versions between >=1.9.0 and
    <2.3. The finalize_with_tag API did not enforce a minimum tag
    length. If a user did not validate the input length prior to passing
    it to finalize_with_tag an attacker could craft an invalid payload
    with a shortened tag (e.g. 1 byte) such that they would have a 1 in
    256 chance of passing the MAC check. GCM tag forgeries can cause key
    leakage.

... although snappass isn't affected because we doesn't use the
vulnerable `finalize_with_tag` API.
This commit is contained in:
Jon Parise 2018-10-31 09:35:44 -07:00
parent 06149b81e8
commit 30db653f14
3 changed files with 7 additions and 2 deletions

View file

@ -1,3 +1,8 @@
Version 1.4.1
-------------
* Upgraded cryptography to 2.3.1 (for CVE-2018-10903, although snappass is
unaffected because it doesn't use the vulnerable ``finalize_with_tag`` API)
Version 1.4.0 Version 1.4.0
------------- -------------
*You will lose stored passwords during the upgrade to this version* *You will lose stored passwords during the upgrade to this version*

View file

@ -4,5 +4,5 @@ MarkupSafe==1.0
Werkzeug==0.14.1 Werkzeug==0.14.1
itsdangerous==0.24 itsdangerous==0.24
redis==2.10.6 redis==2.10.6
cryptography==2.2.2 cryptography==2.3.1
mock==2.0.0 mock==2.0.0

View file

@ -2,7 +2,7 @@ from setuptools import setup
setup( setup(
name='snappass', name='snappass',
version='1.4.0', version='1.4.1',
description="It's like SnapChat... for Passwords.", description="It's like SnapChat... for Passwords.",
long_description=(open('README.rst').read() + '\n\n' + long_description=(open('README.rst').read() + '\n\n' +
open('AUTHORS.rst').read()), open('AUTHORS.rst').read()),