30db653f14
This addresses CVE-2018-10903: A flaw was found in python-cryptography versions between >=1.9.0 and <2.3. The finalize_with_tag API did not enforce a minimum tag length. If a user did not validate the input length prior to passing it to finalize_with_tag an attacker could craft an invalid payload with a shortened tag (e.g. 1 byte) such that they would have a 1 in 256 chance of passing the MAC check. GCM tag forgeries can cause key leakage. ... although snappass isn't affected because we don't use the vulnerable `finalize_with_tag` API.
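The missing minimum-length check described in the commit message, shown as an added example that is not snappass or python-cryptography code. HMAC-SHA256 from the standard library stands in for the GCM tag, and `MIN_TAG_LENGTH`, the key, the message and every function name are assumptions constructed for illustration.

```python
import hashlib
import hmac

MIN_TAG_LENGTH = 16  # assumption: a full 128-bit tag, as used with AES-GCM
# Constructed sample key and message, for illustration only.
KEY = b"k" * 32
MESSAGE = b"constructed sample ciphertext"


def compute_tag(key: bytes, data: bytes) -> bytes:
    """Stand-in authenticator: HMAC-SHA256 truncated to 16 bytes (not GCM)."""
    return hmac.new(key, data, hashlib.sha256).digest()[:MIN_TAG_LENGTH]


def verify_lenient(key: bytes, data: bytes, tag: bytes) -> bool:
    """Flawed pattern from the CVE text: the length of the supplied tag
    decides how many bytes are compared, and no minimum is enforced."""
    expected = compute_tag(key, data)[:len(tag)]
    return hmac.compare_digest(expected, tag)


def verify_strict(key: bytes, data: bytes, tag: bytes) -> bool:
    """Hardened pattern: reject any tag that is not full length before
    doing the constant-time comparison."""
    if len(tag) != MIN_TAG_LENGTH:
        return False
    return hmac.compare_digest(compute_tag(key, data), tag)


def accepted_one_byte_tags(verify) -> int:
    """Count how many of the 256 possible 1-byte tags a verifier accepts."""
    return sum(verify(KEY, MESSAGE, bytes([b])) for b in range(256))


if __name__ == "__main__":
    # The lenient verifier accepts exactly one 1-byte tag (the 1-in-256 case).
    print("lenient accepts", accepted_one_byte_tags(verify_lenient), "of 256")
    print("strict accepts ", accepted_one_byte_tags(verify_strict), "of 256")
```

Callers that cannot upgrade past the affected versions can apply the same length check to the tag before it reaches `finalize_with_tag`.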
20 lines
707 B
ReStructuredText
Version 1.4.1
-------------

* Upgraded cryptography to 2.3.1 (for CVE-2018-10903, although snappass is
  unaffected because it doesn't use the vulnerable ``finalize_with_tag`` API)

Version 1.4.0
-------------

*You will lose stored passwords during the upgrade to this version*

* Added a prefix in redis in front of the storage keys, making the redis safer to share with other applications
* Small test and syntax improvements

Version 1.3.0
-------------

* Quote urls to fix bug with ending in '='
* Mock redis
* Drop support for python 2.6 and python 3.3

Version 1.2.0
-------------

* Added Fernet cryptography to the stored keys, prevent access to full text passwords if someone has access to Redis