Previously, `Cipher.update_into` would accept Python objects which implement the buffer protocol, but provide only immutable buffers:

“`pycon
>>> outbuf = b”x00″ * 32
>>> c = ciphers.Cipher(AES(b”x00″ * 32), modes.ECB()).encryptor()
>>> c.update_into(b”x00″ * 16, outbuf)
16
>>> outbuf
b’xdcx95xc0xxa2@x89x89xadHxa2x14x92x84 x87x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00′
“`

This would allow immutable objects (such as `bytes`) to be mutated, thus violating fundamental rules of Python. This is a soundness bug — it allows programmers to misuse an API, it cannot be exploited by attacker controlled data alone.

This now correctly raises an exception.

This issue has been present since `update_into` was originally introduced in cryptography 1.8.Read More