Closed Bug 1484268 Opened Last year Closed Last year

Update python module for mitmproxy due to security vulnerability

Categories: Testing :: Talos, enhancement
Version: 3
Status: RESOLVED FIXED (mozilla63)
Tracking: firefox63 fixed
People: Reporter: sfraser, Assigned: sfraser
Attachments: 1 file
from `mach python-safety`

/Users/sfraser/hg.m.o/mozilla-unified/testing/talos/talos/mitmproxy/mitmproxy_requirements.txt
  FAIL cryptography - cryptography installed:1.8.2 affected:<=2.2.2 description:python-cryptography versions >=1.9.0 and <2.3 did not enforce a minimum tag length for finalize_with_tag API. If a user did not validate the input length prior to passing it to finalize_with_tag an attacker could craft an invalid payload with a shortened tag (e.g. 1 byte) such that they would have a 1 in 256 chance of passing the MAC check. GCM tag forgeries can cause key leakage.
  FAIL /Users/sfraser/hg.m.o/mozilla-unified/testing/talos/talos/mitmproxy/mitmproxy_requirements.txt - cryptography
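
The length check that the advisory text above says callers had to perform themselves, modelled as an added example that is not code from this bug, from mitmproxy or from the cryptography project. HMAC-SHA256 cut to 16 bytes stands in for GCM, and the function names, the sample key and message, and the 16-byte minimum are assumptions.

```python
import hashlib
import hmac

FULL_TAG_LEN = 16  # bytes in a full-length GCM tag
MIN_TAG_LEN = 16   # assumption: this application only ever emits full tags

# Constructed sample values, not taken from the bug.
KEY = bytes(range(32))
MESSAGE = b"constructed sample message"


def compute_tag(key: bytes, message: bytes) -> bytes:
    """Stand-in MAC (HMAC-SHA256 cut to 16 bytes); not real AES-GCM."""
    return hmac.new(key, message, hashlib.sha256).digest()[:FULL_TAG_LEN]


def verify_lax(key: bytes, message: bytes, tag: bytes) -> bool:
    """Models the flaw: only as many bytes as the caller supplied are compared."""
    expected = compute_tag(key, message)
    return hmac.compare_digest(expected[:len(tag)], tag)


def verify_strict(key: bytes, message: bytes, tag: bytes) -> bool:
    """Hardened form: reject the tag on length before any comparison."""
    if not MIN_TAG_LEN <= len(tag) <= FULL_TAG_LEN:
        return False
    return hmac.compare_digest(compute_tag(key, message), tag)


def guess_space(tag_len: int) -> int:
    """Number of equally likely values for a tag of tag_len bytes."""
    return 256 ** tag_len


if __name__ == "__main__":
    full = compute_tag(KEY, MESSAGE)
    for candidate in (full, full[:1]):
        print(len(candidate), "byte tag:",
              "lax", verify_lax(KEY, MESSAGE, candidate),
              "strict", verify_strict(KEY, MESSAGE, candidate),
              "guess space", guess_space(len(candidate)))
```

The same length test belongs in front of any call that accepts a tag from untrusted input on a library version in the affected range, until the dependency itself is updated.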
Assignee: nobody → sfraser
Comment on attachment 9002004 [details]
Bug 1484268 Update cryptography for mitmproxy r=rwood

Robert Wood [:rwood] has approved the revision.
Attachment #9002004 - Flags: review+
Pushed by sfraser@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/2c6eaa99679f
Update cryptography for mitmproxy r=rwood
https://hg.mozilla.org/mozilla-central/rev/2c6eaa99679f
Status: NEW → RESOLVED
Closed: Last year
Resolution: --- → FIXED
Target Milestone: --- → mozilla63
Depends on: 1495315