CVE-2016-9243 – Ubuntu Security Notice USN-3138-1

https://notcve.org/view.php?id=CVE-2016-9243

28 Nov 2016 — HKDF in cryptography before 1.5.2 returns an empty byte-string if used with a length less than algorithm.digest_size. HKDF en criptografía en versiones anteriores a 1.5.2 devuelve una cadena de bytes vacía si se utiliza con una longitud inferior que algorithm.digest_size. Markus Doering discovered that python-cryptography incorrectly handled certain HKDF lengths. This could result in python-cryptography returning an empty string instead of the expected derived key. • http://www.openwall.com/lists/oss-security/2016/11/09/2 • CWE-20: Improper Input Validation •