30db653f14
This addresses CVE-2018-10903: A flaw was found in python-cryptography versions between >=1.9.0 and <2.3. The finalize_with_tag API did not enforce a minimum tag length. If a user did not validate the input length prior to passing it to finalize_with_tag an attacker could craft an invalid payload with a shortened tag (e.g. 1 byte) such that they would have a 1 in 256 chance of passing the MAC check. GCM tag forgeries can cause key leakage. ... although snappass isn't affected because we don't use the vulnerable `finalize_with_tag` API.
8 lines
124 B
Text
Flask==1.0.2
Jinja2==2.10
MarkupSafe==1.0
Werkzeug==0.14.1
itsdangerous==0.24
redis==2.10.6
cryptography==2.3.1
mock==2.0.0
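An added example, not part of this commit or of the snappass project: a small audit that checks a requirements file against the affected range quoted in the commit message (>=1.9.0 and <2.3). The function names and the `PAGE_REQUIREMENTS` constant are assumptions made for illustration; only plain numeric `==` pins are evaluated, and anything else is reported as unpinned.

```python
import re

# Affected range as stated in the commit message: >=1.9.0 and <2.3.
PACKAGE = "cryptography"
AFFECTED_MIN = (1, 9, 0)  # inclusive lower bound
FIXED_IN = (2, 3)         # exclusive upper bound
NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*(.*)$")
PIN_RE = re.compile(r"^==\s*(\d+(?:\.\d+)*)$")

def normalize(name):
    """PEP 503 normalization so 'Cryptography' matches 'cryptography'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def in_affected_range(version):
    """Compare release tuples, zero-padded so that 2.3 equals 2.3.0."""
    width = max(len(version), len(AFFECTED_MIN), len(FIXED_IN))
    lo, v, hi = (t + (0,) * (width - len(t))
                 for t in (AFFECTED_MIN, version, FIXED_IN))
    return lo <= v < hi

def audit(requirements_text):
    """Return (line_number, specifier, status) for each cryptography line."""
    findings = []
    for lineno, raw in enumerate(requirements_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        m = NAME_RE.match(line)
        if not m or normalize(m.group(1)) != PACKAGE:
            continue
        spec = m.group(2).strip()
        pin = PIN_RE.match(spec)
        if pin is None:
            # Ranges, markers or no specifier: installed version is unknown.
            status = "unpinned"
        else:
            version = tuple(int(p) for p in pin.group(1).split("."))
            status = "affected" if in_affected_range(version) else "not affected"
        findings.append((lineno, spec, status))
    return findings

# The pins listed on this page.
PAGE_REQUIREMENTS = """Flask==1.0.2
Jinja2==2.10
MarkupSafe==1.0
Werkzeug==0.14.1
itsdangerous==0.24
redis==2.10.6
cryptography==2.3.1
mock==2.0.0
"""
```

An "unpinned" result means the file alone cannot answer the question; check the version actually installed in the deployed environment.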