CVE-2016-9243: Input Validation
First published: Mon Mar 27 2017(Updated: )
HKDF in cryptography before 1.5.2 returns an empty byte-string if used with a length less than algorithm.digest_size.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Cryptography.io Cryptography | <=1.5.2 | |
| Fedoraproject Fedora | =23 | |
| Fedoraproject Fedora | =24 | |
| Fedoraproject Fedora | =25 | |
| Canonical Ubuntu Linux | =16.04 | |
| Canonical Ubuntu Linux | =16.10 | |
| Cryptography.io Cryptography Python | <=1.5.2 | |
| pip/cryptography | <1.5.3 | 1.5.3 |
| <=1.5.2 | ||
| =23 | ||
| =24 | ||
| =25 | ||
| =16.04 | ||
| =16.10 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.openwall.com/lists/oss-security/2016/11/09/2
- http://www.securityfocus.com/bid/94216
- http://www.ubuntu.com/usn/USN-3138-1
- https://cryptography.io/en/latest/changelog
- https://github.com/pyca/cryptography/commit/b924696b2e8731f39696584d12cceeb3aeb2d874
- https://github.com/pyca/cryptography/issues/3211
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5R2ZOBMPWDFFHUZ6QOZZY36A6H5CGJXL/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U23KDR2M2N7W2ZSREG63BVW7D4VC6CIZ/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WQ5G7KHKZC4SI23JE7277KZXM57GEQKT/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U23KDR2M2N7W2ZSREG63BVW7D4VC6CIZ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WQ5G7KHKZC4SI23JE7277KZXM57GEQKT/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5R2ZOBMPWDFFHUZ6QOZZY36A6H5CGJXL/
- https://nvd.nist.gov/vuln/detail/CVE-2016-9243
- https://cryptography.io/en/latest/changelog/#v1-5-3
- https://github.com/advisories/GHSA-q3cj-2r34-2cwc (Advisory)
- https://github.com/pypa/advisory-database/tree/main/vulns/cryptography/PYSEC-2017-8.yaml
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5R2ZOBMPWDFFHUZ6QOZZY36A6H5CGJXL
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U23KDR2M2N7W2ZSREG63BVW7D4VC6CIZ
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WQ5G7KHKZC4SI23JE7277KZXM57GEQKT
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5R2ZOBMPWDFFHUZ6QOZZY36A6H5CGJXL
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U23KDR2M2N7W2ZSREG63BVW7D4VC6CIZ
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WQ5G7KHKZC4SI23JE7277KZXM57GEQKT
- collector/nvd-index
- agent/type
- agent/remedy
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/first-publish-date
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/author
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-q3cj-2r34-2cwc
- alias/CVE-2016-9243
- agent/references
- agent/last-modified-date
- agent/severity
- agent/description
- agent/softwarecombine
- agent/event
- agent/tags
- collector/nvd-cve
- collector/github-advisory
- vendor/cryptography.io
- canonical/cryptography.io cryptography
- version/cryptography.io cryptography/1.5.2
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/23
- version/fedoraproject fedora/24
- version/fedoraproject fedora/25
- vendor/canonical
- canonical/canonical ubuntu linux
- version/canonical ubuntu linux/16.04
- version/canonical ubuntu linux/16.10
- canonical/cryptography.io cryptography python
- version/cryptography.io cryptography python/1.5.2
- package-manager/pip