Debian Bug report logs - #1023030
pysha3: Affected by CVE-2022-37454, unmaintained, remove from Debian?
Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Ben Finney <bignose@debian.org>: Bug#1023030; Package src:pysha3. (Sat, 29 Oct 2022 12:03:05 GMT)
Acknowledgement sent to Stefano Rivera <stefanor@debian.org>: New Bug report received and forwarded. Copy sent to team@security.debian.org, Ben Finney <bignose@debian.org>. (Sat, 29 Oct 2022 12:03:05 GMT)
Message #5 received at submit@bugs.debian.org:
Source: pysha3
Version: 1.0.2-4.2
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: Debian Security Team <team@security.debian.org>
Forwarded: https://github.com/tiran/pysha3/issues/29
pysha3 is affected by CVE-2022-37454, a security issue in Keccak.
See: https://github.com/python/cpython/issues/98517
     https://mouha.be/sha-3-buffer-overflow/
This is a backport module to bring a feature from Python 3.6 back to
older versions.
It seems very dead upstream, should we just remove it from the archive?
There is currently one reverse-dependency, python-opentimestamps, and I
think we can trivially migrate that to use hashlib.
SR
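The report's proposed fix is to drop the backport and call the standard library instead. The following is an added example for this bug log, not code from pysha3 or from python-opentimestamps: it shows the one-line migration (`sha3.sha3_256` to `hashlib.sha3_256`, available since Python 3.6), checks the stdlib implementation against FIPS 202 known answers both one-shot and through split `update()` calls (the incremental absorb path is where the Keccak bug sits), and gives a maintainer a way to confirm the old module is gone. Helper names are this example's own; that pysha3 installs itself as the top-level module `sha3` is an assumption. Two caveats a migrator should keep in mind: the CPython issue linked in the report tracks the same Keccak bug in the interpreter's own bundled copy, so switching to hashlib only helps on an interpreter release that carries the fix; and hashlib provides only the FIPS 202 `sha3_*`/`shake_*` constructors, so a caller that used pysha3's `keccak_*` (original Keccak padding) has no drop-in replacement there.

```python
# Added example for Debian bug #1023030: migrate a caller from the pysha3
# backport to the standard-library hashlib.  Not code from pysha3 or from
# python-opentimestamps; helper names are this example's own.
import hashlib
import importlib.util
import sys
from typing import Iterable

# FIPS 202 known answers: SHA3-256 of b"" and b"abc", SHA3-512 of b"".
KAT = {
    (b"", "sha3_256"): "a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a",
    (b"abc", "sha3_256"): "3a985da74fe225b2045c172d6bd390bd855f086e3e9d525b46bfe24511431532",
    (b"", "sha3_512"): "a69f73cca23a9ac5c8b567dc185a756e97c982164fe25859e0d1dcc1475c80a6"
                       "15b2123af1f5f94c11e3e9402c3ac558f500199d95b6d3e301758586281dcd26",
}


def sha3_constructor(name: str):
    """Return the stdlib SHA-3 constructor for `name`, e.g. "sha3_256".

    Before: `import sha3; sha3.sha3_256(data)`   (pysha3 backport)
    After:  `hashlib.sha3_256(data)`             (stdlib, Python >= 3.6)

    Raises instead of silently falling back to the unmaintained module.
    """
    if sys.version_info < (3, 6):
        raise RuntimeError("hashlib.sha3_* needs Python 3.6 or newer")
    try:
        return getattr(hashlib, name)
    except AttributeError:
        raise RuntimeError("interpreter built without SHA-3 support: " + name) from None


def digest_hex(name: str, data: bytes) -> str:
    """One-shot digest, the direct replacement for sha3.<name>(data).hexdigest()."""
    return sha3_constructor(name)(data).hexdigest()


def streamed_hex(name: str, chunks: Iterable[bytes]) -> str:
    """Absorb input through repeated update() calls, as a file hasher would.

    A partial block left in the sponge state followed by a further update()
    is the incremental-absorb path, so a migration test should exercise it
    and not only the one-shot constructor.
    """
    h = sha3_constructor(name)()
    for chunk in chunks:
        h.update(chunk)
    return h.hexdigest()


def known_answers_ok() -> bool:
    """Compare the stdlib implementation against the FIPS 202 vectors above,
    both one-shot and split at a one-byte boundary inside the first block."""
    for (msg, name), expected in KAT.items():
        if digest_hex(name, msg) != expected:
            return False
        if streamed_hex(name, [msg[:1], msg[1:]]) != expected:
            return False
    return True


def pysha3_still_importable() -> bool:
    """True if a top-level module named `sha3` (assumed to be pysha3's install
    name) is still on sys.path, so a maintainer can confirm the removal."""
    return importlib.util.find_spec("sha3") is not None


def sha3_file(path: str, name: str = "sha3_256", bufsize: int = 1 << 20) -> str:
    """Hash a file in bounded chunks rather than one whole-file update() call."""
    h = sha3_constructor(name)()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(bufsize), b""):
            h.update(block)
    return h.hexdigest()


if __name__ == "__main__":
    print("known answers:", "ok" if known_answers_ok() else "MISMATCH")
    print("pysha3 still importable:", pysha3_still_importable())
```

After the reverse dependency is switched over, `pysha3_still_importable()` returning False on a clean install is the check that nothing else on the system still pulls in the backport; `known_answers_ok()` returning True only proves correctness on ordinary inputs, not that the interpreter's own Keccak copy has the CVE-2022-37454 fix, which has to be read off the interpreter version against the linked CPython issue.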
Information forwarded to debian-bugs-dist@lists.debian.org, Ben Finney <bignose@debian.org>: Bug#1023030; Package src:pysha3. (Sat, 29 Oct 2022 12:39:05 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to Ben Finney <bignose@debian.org>. (Sat, 29 Oct 2022 12:39:05 GMT)
Message #10 received at 1023030@bugs.debian.org:
Hi Stefano,
On Sat, Oct 29, 2022 at 01:58:48PM +0200, Stefano Rivera wrote:
> Source: pysha3
> Version: 1.0.2-4.2
> Severity: grave
> Tags: security upstream
> Justification: user security hole
> X-Debbugs-Cc: Debian Security Team <team@security.debian.org>
> Forwarded: https://github.com/tiran/pysha3/issues/29
>
> pysha3 is affected by CVE-2022-37454, a security issue in Keccak
> See: https://github.com/python/cpython/issues/98517
> https://mouha.be/sha-3-buffer-overflow/
>
> This is a backport module to bring a feature from Python 3.6 back to
> older versions.
>
> It seems very dead upstream, should we just remove it from the archive?
>
> There is currently one reverse-dependency, python-opentimestamps, and I
> think we can trivially migrate that to use hashlib.
Probably a good idea, if we can have that happen in time for bookworm.
Will you work on the reverse dependency to make it possible and then
request the removal for src:pysha3?
Regards,
Salvatore
Marked as found in versions pysha3/1.0.2-4.1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 29 Oct 2022 12:45:05 GMT)
Marked as found in versions pysha3/1.0.2-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 29 Oct 2022 12:45:07 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Ben Finney <bignose@debian.org>: Bug#1023030; Package src:pysha3. (Sat, 29 Oct 2022 13:09:05 GMT)
Acknowledgement sent to stefanor@debian.org: Extra info received and forwarded to list. Copy sent to Ben Finney <bignose@debian.org>. (Sat, 29 Oct 2022 13:09:05 GMT)
Message #19 received at 1023030@bugs.debian.org:
Hi Salvatore (2022.10.29_12:34:35_+0000)
> Probably a good idea, if we can have that happen in time for bookworm.
> Will you work on the reverse dependency to make it possible and then
> request the removal for src:pysha3?
Reverse dependency fixed, I'll file for RM now.
SR
--
Stefano Rivera
http://tumbleweed.org.za/
+1 415 683 3272
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Oct 29 13:24:18 2022.