New upstream release 2.3

Fixes possible tag truncation security bug in AEAD API, see #1602752

2.3 - 2018-07-18

  • SECURITY ISSUE: finalize_with_tag() allowed tag truncation by default which can allow tag forgery in some cases. The method now enforces the min_tag_length provided to the GCM constructor.
  • Added support for Python 3.7.
  • Added extract_timestamp() to get the authenticated timestamp of a Fernet token.
  • Support for Python 2.7.x without hmac.compare_digest has been deprecated. We will require Python 2.7.7 or higher (or 2.7.6 on Ubuntu) in the next cryptography release.
  • Fixed multiple issues preventing cryptography from compiling against LibreSSL 2.7.x.
  • Added get_revoked_certificate_by_serial_number for quick serial number searches in CRLs.
  • The RelativeDistinguishedName class now preserves the order of attributes. Duplicate attributes now raise an error instead of silently discarding duplicates.
  • aes_key_unwrap() and aes_key_unwrap_with_padding() now raise InvalidUnwrap if the wrapped key is an invalid length, instead of ValueError.
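The behaviour described in the SECURITY ISSUE entry, shown as an added example that is not code from the cryptography project or from this update. It assumes cryptography 2.3 or later is installed; the helper names gcm_encrypt, gcm_decrypt and check, and the key, IV and message, are constructed for illustration.

```python
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

# Constructed sample values for this demo only; never reuse a key/IV pair.
KEY = bytes(range(32))
IV = bytes(range(12))
MESSAGE = b"constructed sample message"


def gcm_encrypt(key, iv, plaintext):
    """Encrypt with AES-GCM and return (ciphertext, full 16-byte tag)."""
    enc = Cipher(algorithms.AES(key), modes.GCM(iv), default_backend()).encryptor()
    return enc.update(plaintext) + enc.finalize(), enc.tag


def gcm_decrypt(key, iv, ciphertext, tag, min_tag_length=16):
    """Decrypt, supplying the tag at the end via finalize_with_tag()."""
    mode = modes.GCM(iv, min_tag_length=min_tag_length)
    dec = Cipher(algorithms.AES(key), mode, default_backend()).decryptor()
    return dec.update(ciphertext) + dec.finalize_with_tag(tag)


def check(key, iv, ciphertext, tag, min_tag_length=16):
    """Classify how the installed library treats a given tag."""
    try:
        gcm_decrypt(key, iv, ciphertext, tag, min_tag_length)
        return "accepted"
    except ValueError:
        # 2.3 and later: a tag shorter than min_tag_length is refused
        # before any comparison takes place.
        return "rejected: tag too short"
    except InvalidTag:
        return "rejected: tag mismatch"


if __name__ == "__main__":
    ct, tag = gcm_encrypt(KEY, IV, MESSAGE)
    flipped = bytes([tag[0] ^ 1]) + tag[1:]
    print("full tag:               ", check(KEY, IV, ct, tag))
    print("4-byte tag, default min:", check(KEY, IV, ct, tag[:4]))
    print("4-byte tag, min=4:      ", check(KEY, IV, ct, tag[:4], min_tag_length=4))
    print("modified full tag:      ", check(KEY, IV, ct, flipped))
```

Running this as a post-upgrade check confirms the fix is in place: if the second line reports "accepted", the installed version predates 2.3.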

How to install

sudo dnf upgrade --advisory=FEDORA-2018-06c24068c6

This update has been submitted for testing by cheimes.

2 years ago

This update has been pushed to testing.

2 years ago
hreindl commented & provided feedback 2 years ago

works for me

pwalter commented & provided feedback 2 years ago

Works

This update has been submitted for batched by bodhi.

2 years ago

This update has been submitted for stable by bodhi.

2 years ago

This update has been pushed to stable.

2 years ago


Metadata

  Type: security
  Severity: medium
  Karma: 2
  Signed
  Content Type: RPM
  Test Gating

Settings

  Unstable by Karma: -3
  Stable by Karma: 1
  Stable by Time: disabled

Dates

  submitted: 2 years ago
  in testing: 2 years ago
  in stable: 2 years ago

BZ#1602752 Possible tag truncation security bug in AEAD API