Ubuntu Security Notice 3138-1 - Markus Doering discovered that python-cryptography incorrectly handled certain HKDF lengths. This could result in python-cryptography returning an empty string instead of the expected derived key.
d43f841edb4ea05dfc79682b7bcf6b24c0aae61440c09d4576dc2e86ce097208
===========================================================================
Ubuntu Security Notice USN-3138-1
November 28, 2016
python-cryptography vulnerability
===========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.10
- Ubuntu 16.04 LTS
Summary:
python-cryptography could generate incorrect keys.
Software Description:
- python-cryptography: Cryptography Python library
Details:
Markus D=C3=B6ring discovered that python-cryptography incorrectly handled
certain HKDF lengths. This could result in python-cryptography returning an
empty string instead of the expected derived key.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.10:
python-cryptography 1.5-2ubuntu0.1
python3-cryptography 1.5-2ubuntu0.1
Ubuntu 16.04 LTS:
python-cryptography 1.2.3-1ubuntu0.1
python3-cryptography 1.2.3-1ubuntu0.1
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-3138-1
CVE-2016-9243
Package Information:
https://launchpad.net/ubuntu/+source/python-cryptography/1.5-2ubuntu0.1
https://launchpad.net/ubuntu/+source/python-cryptography/1.2.3-1ubuntu0.1