==========================================================================
Ubuntu Security Notice USN-3138-1
November 28, 2016
python-cryptography vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.10
- Ubuntu 16.04 LTS
Summary:
python-cryptography could generate incorrect keys.
Software Description:
- python-cryptography: Cryptography Python library
Details:
Markus Döring discovered that python-cryptography incorrectly handled
certain HKDF lengths. This could result in python-cryptography returning an
empty string instead of the expected derived key.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.10:
  python-cryptography 1.5-2ubuntu0.1
  python3-cryptography 1.5-2ubuntu0.1
Ubuntu 16.04 LTS:
  python-cryptography 1.2.3-1ubuntu0.1
  python3-cryptography 1.2.3-1ubuntu0.1
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-3138-1
CVE-2016-9243
Package Information:
https://launchpad.net/ubuntu/+source/python-cryptography/1.5-2ubuntu0.1
https://launchpad.net/ubuntu/+source/python-cryptography/1.2.3-1ubuntu0.1