Hello community,

here is the log from the commit of package python3-cryptography for 
openSUSE:Factory checked in at 2016-11-08 18:26:06
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python3-cryptography (Old)
 and      /work/SRC/openSUSE:Factory/.python3-cryptography.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "python3-cryptography"

Changes:
--------
--- 
/work/SRC/openSUSE:Factory/python3-cryptography/python3-cryptography.changes    
    2016-10-10 16:16:57.000000000 +0200
+++ 
/work/SRC/openSUSE:Factory/.python3-cryptography.new/python3-cryptography.changes
   2016-11-08 18:26:07.000000000 +0100
@@ -1,0 +2,9 @@
+Sun Nov  6 20:16:49 UTC 2016 - a...@gmx.de
+
+- update to version 1.5.3:
+  * SECURITY ISSUE: Fixed a bug where HKDF would return an empty
+    byte-string if used with a length less than
+    algorithm.digest_size. Credit to Markus Döring for reporting the
+    issue.
+
+-------------------------------------------------------------------

Old:
----
  cryptography-1.5.2.tar.gz
  cryptography-1.5.2.tar.gz.asc

New:
----
  cryptography-1.5.3.tar.gz
  cryptography-1.5.3.tar.gz.asc

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ python3-cryptography.spec ++++++
--- /var/tmp/diff_new_pack.u3whsF/_old  2016-11-08 18:26:08.000000000 +0100
+++ /var/tmp/diff_new_pack.u3whsF/_new  2016-11-08 18:26:08.000000000 +0100
@@ -17,7 +17,7 @@
 
 
 Name:           python3-cryptography
-Version:        1.5.2
+Version:        1.5.3
 Release:        0
 Url:            https://cryptography.io/en/latest/
 Summary:        Python library which exposes cryptographic recipes and 
primitives

++++++ cryptography-1.5.2.tar.gz -> cryptography-1.5.3.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/cryptography-1.5.2/CHANGELOG.rst 
new/cryptography-1.5.3/CHANGELOG.rst
--- old/cryptography-1.5.2/CHANGELOG.rst        2016-09-26 22:22:36.000000000 
+0200
+++ new/cryptography-1.5.3/CHANGELOG.rst        2016-11-06 05:07:11.000000000 
+0100
@@ -1,6 +1,13 @@
 Changelog
 =========
 
+1.5.3 - 2016-11-05
+~~~~~~~~~~~~~~~~~~
+
+* **SECURITY ISSUE**: Fixed a bug where ``HKDF`` would return an empty
+  byte-string if used with a ``length`` less than ``algorithm.digest_size``.
+  Credit to **Markus Döring** for reporting the issue.
+
 1.5.2 - 2016-09-26
 ~~~~~~~~~~~~~~~~~~
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/cryptography-1.5.2/PKG-INFO 
new/cryptography-1.5.3/PKG-INFO
--- old/cryptography-1.5.2/PKG-INFO     2016-09-26 22:22:59.000000000 +0200
+++ new/cryptography-1.5.3/PKG-INFO     2016-11-06 05:08:22.000000000 +0100
@@ -1,6 +1,6 @@
 Metadata-Version: 1.1
 Name: cryptography
-Version: 1.5.2
+Version: 1.5.3
 Summary: cryptography is a package which provides cryptographic recipes and 
primitives to Python developers.
 Home-page: https://github.com/pyca/cryptography
 Author: The cryptography developers
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/cryptography-1.5.2/src/cryptography/__about__.py 
new/cryptography-1.5.3/src/cryptography/__about__.py
--- old/cryptography-1.5.2/src/cryptography/__about__.py        2016-09-26 
22:22:36.000000000 +0200
+++ new/cryptography-1.5.3/src/cryptography/__about__.py        2016-11-06 
05:07:51.000000000 +0100
@@ -14,7 +14,7 @@
                " and primitives to Python developers.")
 __uri__ = "https://github.com/pyca/cryptography";
 
-__version__ = "1.5.2"
+__version__ = "1.5.3"
 
 __author__ = "The cryptography developers"
 __email__ = "cryptography-...@python.org"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/cryptography-1.5.2/src/cryptography/hazmat/primitives/kdf/hkdf.py 
new/cryptography-1.5.3/src/cryptography/hazmat/primitives/kdf/hkdf.py
--- old/cryptography-1.5.2/src/cryptography/hazmat/primitives/kdf/hkdf.py       
2016-09-26 22:22:21.000000000 +0200
+++ new/cryptography-1.5.3/src/cryptography/hazmat/primitives/kdf/hkdf.py       
2016-11-06 04:05:05.000000000 +0100
@@ -91,7 +91,7 @@
         output = [b""]
         counter = 1
 
-        while (self._algorithm.digest_size // 8) * len(output) < self._length:
+        while self._algorithm.digest_size * (len(output) - 1) < self._length:
             h = hmac.HMAC(key_material, self._algorithm, backend=self._backend)
             h.update(output[-1])
             h.update(self._info)
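Review bot: The corrected `while` condition only works because `output[0]` is the empty T(0) placeholder, so `len(output) - 1` is the number of blocks produced so far, and nothing in the hunk records that. A comment above the loop such as `# output[0] is the empty T(0) block; len(output) - 1 blocks of digest_size bytes exist so far` would make the invariant explicit and guard against the miscount coming back. The changelog says the old condition failed silently by returning an empty byte string as key material, so a length check on the joined result before it is returned would turn any future regression into an error rather than a short key. The enclosing method starts and ends outside the hunk, so that return statement is presumably a few lines below and is not visible here.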
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/cryptography-1.5.2/src/cryptography.egg-info/PKG-INFO 
new/cryptography-1.5.3/src/cryptography.egg-info/PKG-INFO
--- old/cryptography-1.5.2/src/cryptography.egg-info/PKG-INFO   2016-09-26 
22:22:59.000000000 +0200
+++ new/cryptography-1.5.3/src/cryptography.egg-info/PKG-INFO   2016-11-06 
05:08:22.000000000 +0100
@@ -1,6 +1,6 @@
 Metadata-Version: 1.1
 Name: cryptography
-Version: 1.5.2
+Version: 1.5.3
 Summary: cryptography is a package which provides cryptographic recipes and 
primitives to Python developers.
 Home-page: https://github.com/pyca/cryptography
 Author: The cryptography developers
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/cryptography-1.5.2/tests/hazmat/primitives/test_hkdf.py 
new/cryptography-1.5.3/tests/hazmat/primitives/test_hkdf.py
--- old/cryptography-1.5.2/tests/hazmat/primitives/test_hkdf.py 2016-09-26 
22:22:21.000000000 +0200
+++ new/cryptography-1.5.3/tests/hazmat/primitives/test_hkdf.py 2016-11-06 
04:05:05.000000000 +0100
@@ -142,6 +142,17 @@
 
             hkdf.verify(b"foo", u"bar")
 
+    def test_derive_short_output(self, backend):
+        hkdf = HKDF(
+            hashes.SHA256(),
+            4,
+            salt=None,
+            info=None,
+            backend=backend
+        )
+
+        assert hkdf.derive(b"\x01" * 16) == b"gJ\xfb{"
+
 
 @pytest.mark.requires_backend_interface(interface=HMACBackend)
 class TestHKDFExpand(object):
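Review bot: The added `test_derive_short_output` pins a single case, 4 bytes with SHA-256, so the boundaries of the corrected loop condition are not exercised. Lengths of 1, one below the digest size, exactly the digest size (32 bytes for SHA-256), and one above it each drive the loop through a different number of iterations. A parametrized length check next to the fixed-value test would cover them, building a fresh `HKDF` per case as the existing test does. The enclosing test class starts outside the hunk.

```python
    # … unchanged: test_derive_short_output …

    @pytest.mark.parametrize("length", [1, 31, 32, 33, 64])
    def test_derive_output_length(self, backend, length):
        hkdf = HKDF(
            hashes.SHA256(),
            length,
            salt=None,
            info=None,
            backend=backend
        )

        assert len(hkdf.derive(b"\x01" * 16)) == length
```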

