[Cryptography-dev] PyCA cryptography 1.0.2 released

Paul Kehrer paul.l.kehrer at gmail.com
Sun Sep 27 16:07:32 CEST 2015


PyCA cryptography 1.0.2 has been released. This release contains a security fix that affects anyone running Python with -O.

Changelog:

* SECURITY ISSUE: The OpenSSL backend prior to 1.0.2 made extensive use of assertions to check response codes where our tests could not trigger a failure. However, when Python is run with -O these asserts are optimized away. If a user ran Python with this flag and got an invalid response code this could result in undefined behavior or worse. Accordingly, all response checks from the OpenSSL backend have been converted from assert to a true function call. Credit Emilia Käsper (Google Security Team) for the report.

-Paul Kehrer (reaperhulk)
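
The failure mode described in the changelog, as an added example that is not part of the original post and is not cryptography's own code: a failed response code is checked once with `assert` and once with an ordinary function call, and the same source is compiled with and without optimization. `fake_lib_call`, `ensure` and `InternalError` are hypothetical names, and `compile(..., optimize=1)` stands in for running Python with -O.

```python
# Added illustration. fake_lib_call, ensure and InternalError are hypothetical
# names, not cryptography's API. The module source is compiled twice so the
# effect of -O can be observed without restarting the interpreter.
SOURCE = '''
class InternalError(Exception):
    pass

def fake_lib_call():
    # Constructed stand-in for a C call that returns 1 on success, 0 on failure.
    return 0

def checked_with_assert():
    res = fake_lib_call()
    assert res == 1          # removed entirely when compiled with optimization
    return "continued with res=%d" % res

def ensure(ok):
    # Ordinary function call: present in the bytecode at every optimization level.
    if not ok:
        raise InternalError("unexpected response code")

def checked_with_call():
    res = fake_lib_call()
    ensure(res == 1)
    return "continued with res=%d" % res
'''


def run(func_name, optimize):
    """Compile SOURCE at the given level (0 = default, 1 = like -O) and call func_name."""
    namespace = {}
    exec(compile(SOURCE, "<constructed>", "exec", optimize=optimize), namespace)
    try:
        return namespace[func_name]()
    except Exception as exc:
        return type(exc).__name__


if __name__ == "__main__":
    for name in ("checked_with_assert", "checked_with_call"):
        for level in (0, 1):
            print(name, "optimize=%d ->" % level, run(name, level))
```

With optimization enabled, the assert-based path carries on with the failed result, while the function-call path raises at both levels.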