Hello community, here is the log from the commit of package python3-cryptography for openSUSE:Factory checked in at 2016-11-08 18:26:06 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/python3-cryptography (Old) and /work/SRC/openSUSE:Factory/.python3-cryptography.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python3-cryptography" Changes: -------- --- /work/SRC/openSUSE:Factory/python3-cryptography/python3-cryptography.changes 2016-10-10 16:16:57.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.python3-cryptography.new/python3-cryptography.changes 2016-11-08 18:26:07.000000000 +0100 @@ -1,0 +2,9 @@ +Sun Nov 6 20:16:49 UTC 2016 - a...@gmx.de + +- update to version 1.5.3: + * SECURITY ISSUE: Fixed a bug where HKDF would return an empty + byte-string if used with a length less than + algorithm.digest_size. Credit to Markus Döring for reporting the + issue. + +------------------------------------------------------------------- Old: ---- cryptography-1.5.2.tar.gz cryptography-1.5.2.tar.gz.asc New: ---- cryptography-1.5.3.tar.gz cryptography-1.5.3.tar.gz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python3-cryptography.spec ++++++ --- /var/tmp/diff_new_pack.u3whsF/_old 2016-11-08 18:26:08.000000000 +0100 +++ /var/tmp/diff_new_pack.u3whsF/_new 2016-11-08 18:26:08.000000000 +0100 @@ -17,7 +17,7 @@ Name: python3-cryptography -Version: 1.5.2 +Version: 1.5.3 Release: 0 Url: https://cryptography.io/en/latest/ Summary: Python library which exposes cryptographic recipes and primitives ++++++ cryptography-1.5.2.tar.gz -> cryptography-1.5.3.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/cryptography-1.5.2/CHANGELOG.rst new/cryptography-1.5.3/CHANGELOG.rst --- old/cryptography-1.5.2/CHANGELOG.rst 2016-09-26 22:22:36.000000000 +0200 +++ new/cryptography-1.5.3/CHANGELOG.rst 2016-11-06 05:07:11.000000000 +0100 
@@ -1,6 +1,13 @@ Changelog ========= +1.5.3 - 2016-11-05 +~~~~~~~~~~~~~~~~~~ + +* **SECURITY ISSUE**: Fixed a bug where ``HKDF`` would return an empty + byte-string if used with a ``length`` less than ``algorithm.digest_size``. + Credit to **Markus Döring** for reporting the issue. + 1.5.2 - 2016-09-26 ~~~~~~~~~~~~~~~~~~ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/cryptography-1.5.2/PKG-INFO new/cryptography-1.5.3/PKG-INFO --- old/cryptography-1.5.2/PKG-INFO 2016-09-26 22:22:59.000000000 +0200 +++ new/cryptography-1.5.3/PKG-INFO 2016-11-06 05:08:22.000000000 +0100 @@ -1,6 +1,6 @@ Metadata-Version: 1.1 Name: cryptography -Version: 1.5.2 +Version: 1.5.3 Summary: cryptography is a package which provides cryptographic recipes and primitives to Python developers. Home-page: https://github.com/pyca/cryptography Author: The cryptography developers diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/cryptography-1.5.2/src/cryptography/__about__.py new/cryptography-1.5.3/src/cryptography/__about__.py --- old/cryptography-1.5.2/src/cryptography/__about__.py 2016-09-26 22:22:36.000000000 +0200 +++ new/cryptography-1.5.3/src/cryptography/__about__.py 2016-11-06 05:07:51.000000000 +0100 @@ -14,7 +14,7 @@ " and primitives to Python developers.") __uri__ = "https://github.com/pyca/cryptography" -__version__ = "1.5.2" +__version__ = "1.5.3" __author__ = "The cryptography developers" __email__ = "cryptography-...@python.org" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/cryptography-1.5.2/src/cryptography/hazmat/primitives/kdf/hkdf.py new/cryptography-1.5.3/src/cryptography/hazmat/primitives/kdf/hkdf.py --- old/cryptography-1.5.2/src/cryptography/hazmat/primitives/kdf/hkdf.py 2016-09-26 22:22:21.000000000 +0200 +++ new/cryptography-1.5.3/src/cryptography/hazmat/primitives/kdf/hkdf.py 2016-11-06 04:05:05.000000000 +0100 
@@ -91,7 +91,7 @@ output = [b""] counter = 1 - while (self._algorithm.digest_size // 8) * len(output) < self._length: + while self._algorithm.digest_size * (len(output) - 1) < self._length: h = hmac.HMAC(key_material, self._algorithm, backend=self._backend) h.update(output[-1]) h.update(self._info) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/cryptography-1.5.2/src/cryptography.egg-info/PKG-INFO new/cryptography-1.5.3/src/cryptography.egg-info/PKG-INFO --- old/cryptography-1.5.2/src/cryptography.egg-info/PKG-INFO 2016-09-26 22:22:59.000000000 +0200 +++ new/cryptography-1.5.3/src/cryptography.egg-info/PKG-INFO 2016-11-06 05:08:22.000000000 +0100 @@ -1,6 +1,6 @@ Metadata-Version: 1.1 Name: cryptography -Version: 1.5.2 +Version: 1.5.3 Summary: cryptography is a package which provides cryptographic recipes and primitives to Python developers. Home-page: https://github.com/pyca/cryptography Author: The cryptography developers diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/cryptography-1.5.2/tests/hazmat/primitives/test_hkdf.py new/cryptography-1.5.3/tests/hazmat/primitives/test_hkdf.py --- old/cryptography-1.5.2/tests/hazmat/primitives/test_hkdf.py 2016-09-26 22:22:21.000000000 +0200 +++ new/cryptography-1.5.3/tests/hazmat/primitives/test_hkdf.py 2016-11-06 04:05:05.000000000 +0100 @@ -142,6 +142,17 @@ hkdf.verify(b"foo", u"bar") + def test_derive_short_output(self, backend): + hkdf = HKDF( + hashes.SHA256(), + 4, + salt=None, + info=None, + backend=backend + ) + + assert hkdf.derive(b"\x01" * 16) == b"gJ\xfb{" + @pytest.mark.requires_backend_interface(interface=HMACBackend) class TestHKDFExpand(object):
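Review bot: The corrected `while` condition in hkdf.py relies on two facts the line does not state: `output` starts with an empty `b""` placeholder, and `digest_size` is already a byte count. A comment above the loop would keep a later edit from reintroducing the empty-output bug, for example `# output[0] is the empty T(0) block, so len(output) - 1 counts generated blocks; digest_size is in bytes`. The removed line divided `digest_size` by 8; if that expression also appears elsewhere in hkdf.py, such as a maximum-length check outside this hunk, it deserves the same correction. Per the changelog, affected calls returned an empty byte-string, so key material derived with a short `length` on earlier releases should be treated as predictable and re-derived after upgrading. The enclosing method starts and ends outside the hunk.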
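Review bot: `test_derive_short_output` pins a single length (4 bytes with SHA-256), so the boundaries of the corrected loop stay untested: a length equal to the digest size, and one byte more, where a second block is needed. A parametrized length check next to the known-answer test would cover those cases and would also fail on an empty result. The lengths below are constructed sample values around the 32-byte SHA-256 digest size. The enclosing test class starts outside the hunk.

```python
    # … unchanged: test_derive_short_output known-answer test …

    @pytest.mark.parametrize("length", [1, 31, 32, 33, 64])
    def test_derive_output_length(self, backend, length):
        hkdf = HKDF(
            hashes.SHA256(),
            length,
            salt=None,
            info=None,
            backend=backend
        )

        # An empty or truncated result must never pass silently.
        assert len(hkdf.derive(b"\x01" * 16)) == length
```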