—
PYSEC-2021-63
Details
In the cryptography package before 3.3.2 for Python, certain sequences of update calls to symmetrically encrypt multi-GB values could result in an integer overflow and buffer overflow, as demonstrated by the Fernet class.
Are you affected?
Enter the version of the package you're using.
Affected packages
PyPI / cryptography
Introduced in:
3.1 Fixed in: 3.3.2 Fix
pip install --upgrade 'cryptography>=3.3.2' References
- https://github.com/pyca/cryptography/issues/5615 [REPORT]
- https://github.com/pyca/cryptography/blob/master/CHANGELOG.rst [WEB]
- https://github.com/pyca/cryptography/compare/3.3.1...3.3.2 [WEB]
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7RGQLK4J5ZQFRLKCHVVG6BKZTUQMG7E/ [WEB]
- https://github.com/advisories/GHSA-rhm9-p9w5-fwm7 [ADVISORY]