PublicDateAtUSN: 2018-07-20
Candidate: CVE-2018-10903
PublicDate: 2018-07-30 16:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10903
 https://ubuntu.com/security/notices/USN-3720-1
Description:
 A flaw was found in python-cryptography versions between >=1.9.0 and <2.3.
 The finalize_with_tag API did not enforce a minimum tag length. If a user
 did not validate the input length prior to passing it to finalize_with_tag
 an attacker could craft an invalid payload with a shortened tag (e.g. 1
 byte) such that they would have a 1 in 256 chance of passing the MAC check.
 GCM tag forgeries can cause key leakage.
Ubuntu-Description:
Notes:
 leosilva> following what debian says, our xenial version is not affected.
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=904072
Priority: medium
Discovered-by:
Assigned-to: leosilva
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N [7.5 HIGH]


Patches_python-cryptography:
 upstream: https://github.com/pyca/cryptography/pull/4342/commits/688e0f673bfbf43fa898994326c6877f00ab19ef
upstream_python-cryptography: needs-triage
precise/esm_python-cryptography: DNE
trusty_python-cryptography: DNE
trusty/esm_python-cryptography: DNE
xenial_python-cryptography: not-affected (code not present)
esm-infra/xenial_python-cryptography: not-affected (code not present)
artful_python-cryptography: ignored (reached end-of-life)
bionic_python-cryptography: released (2.1.4-1ubuntu1.2)
devel_python-cryptography: released (2.2.2-1ubuntu1)