python-crypto: CVE-2013-7459

Related Vulnerabilities: CVE-2013-7459  

Debian Bug report logs - #849495
python-crypto: CVE-2013-7459


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 27 Dec 2016 21:51:02 UTC

Severity: grave

Tags: patch, security, upstream

Found in version python-crypto/2.6.1-5

Fixed in versions python-crypto/2.6.1-7, python-crypto/2.6.1-5+deb8u1

Done: Sebastian Ramacher <sramacher@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/dlitz/pycrypto/issues/176



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Sebastian Ramacher <sramacher@debian.org>:
Bug#849495; Package src:python-crypto. (Tue, 27 Dec 2016 21:51:04 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Sebastian Ramacher <sramacher@debian.org>. (Tue, 27 Dec 2016 21:51:04 GMT).


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: python-crypto: CVE-2013-7459
Date: Tue, 27 Dec 2016 22:48:46 +0100
Source: python-crypto
Version: 2.6.1-5
Severity: grave
Tags: patch upstream security
Justification: user security hole
Forwarded: https://github.com/dlitz/pycrypto/issues/176

Hi,

the following vulnerability was published for python-crypto.

CVE-2013-7459[0]:
Buffer overflow

A reproducer can be found on the upstream issue.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2013-7459
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7459
[1] https://github.com/dlitz/pycrypto/issues/176
[2] https://github.com/dlitz/pycrypto/commit/8dbe0dc3eea5c689d4f76b37b93fe216cf1f00d4
[3] https://marc.info/?l=oss-security&m=148280482630855&w=2

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Sebastian Ramacher <sramacher@debian.org>:
Bug#849495; Package src:python-crypto. (Wed, 28 Dec 2016 05:51:02 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Sebastian Ramacher <sramacher@debian.org>. (Wed, 28 Dec 2016 05:51:02 GMT).


Message #10 received at 849495@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 849495@bugs.debian.org
Subject: Re: Bug#849495: python-crypto: CVE-2013-7459
Date: Wed, 28 Dec 2016 06:46:51 +0100
Hi

Proposed debdiff attached.

Regards,
Salvatore
[python-crypto_2.6.1-6.1.debdiff (text/plain, attachment)]

Reply sent to Sebastian Ramacher <sramacher@debian.org>:
You have taken responsibility. (Wed, 28 Dec 2016 11:06:02 GMT).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 28 Dec 2016 11:06:03 GMT).


Message #15 received at 849495-close@bugs.debian.org:

From: Sebastian Ramacher <sramacher@debian.org>
To: 849495-close@bugs.debian.org
Subject: Bug#849495: fixed in python-crypto 2.6.1-7
Date: Wed, 28 Dec 2016 11:03:34 +0000
Source: python-crypto
Source-Version: 2.6.1-7

We believe that the bug you reported is fixed in the latest version of
python-crypto, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 849495@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Ramacher <sramacher@debian.org> (supplier of updated python-crypto package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Wed, 28 Dec 2016 11:45:21 +0100
Source: python-crypto
Binary: python-crypto python-crypto-dbg python3-crypto python3-crypto-dbg python-crypto-doc
Architecture: source
Version: 2.6.1-7
Distribution: unstable
Urgency: high
Maintainer: Sebastian Ramacher <sramacher@debian.org>
Changed-By: Sebastian Ramacher <sramacher@debian.org>
Description:
 python-crypto - cryptographic algorithms and protocols for Python
 python-crypto-dbg - cryptographic algorithms and protocols for Python (debug extensio
 python-crypto-doc - cryptographic algorithms and protocols for Python (documentation)
 python3-crypto - cryptographic algorithms and protocols for Python 3
 python3-crypto-dbg - cryptographic algorithms and protocols for Python 3 (debug extens
Closes: 849495
Changes:
 python-crypto (2.6.1-7) unstable; urgency=high
 .
   [ Salvatore Bonaccorso ]
   * Throw exception when IV is used with ECB or CTR (CVE-2013-7459)
     (Closes: #849495)
 .
   [ Sebastian Ramacher ]
   * debian/control:
     - Bump Standards-Version.
     - Update Vcs-Git
   * debian/rules: Remove dh_strip override for automatic dbgsym packages.
   * debian/{control,compat}: Bump debhelper compat to 10.


Reply sent to Sebastian Ramacher <sramacher@debian.org>:
You have taken responsibility. (Fri, 06 Jan 2017 23:36:10 GMT).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 06 Jan 2017 23:36:10 GMT).


Message #20 received at 849495-close@bugs.debian.org:

From: Sebastian Ramacher <sramacher@debian.org>
To: 849495-close@bugs.debian.org
Subject: Bug#849495: fixed in python-crypto 2.6.1-5+deb8u1
Date: Fri, 06 Jan 2017 23:32:13 +0000
Source: python-crypto
Source-Version: 2.6.1-5+deb8u1

We believe that the bug you reported is fixed in the latest version of
python-crypto, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 849495@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Ramacher <sramacher@debian.org> (supplier of updated python-crypto package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Tue, 03 Jan 2017 13:56:09 +0100
Source: python-crypto
Binary: python-crypto python-crypto-dbg python3-crypto python3-crypto-dbg python-crypto-doc
Architecture: source amd64 all
Version: 2.6.1-5+deb8u1
Distribution: jessie
Urgency: high
Maintainer: Sebastian Ramacher <sramacher@debian.org>
Changed-By: Sebastian Ramacher <sramacher@debian.org>
Description:
 python-crypto - cryptographic algorithms and protocols for Python
 python-crypto-dbg - cryptographic algorithms and protocols for Python (debug extensio
 python-crypto-doc - cryptographic algorithms and protocols for Python (documentation)
 python3-crypto - cryptographic algorithms and protocols for Python 3
 python3-crypto-dbg - cryptographic algorithms and protocols for Python 3 (debug extens
Closes: 849495
Changes:
 python-crypto (2.6.1-5+deb8u1) jessie; urgency=high
 .
   * debian/patches/CVE-2013-7459.patch: Raise a warning when IV is used with
     ECB or CTR and ignored the IV in that case. Thanks to Salvatore Bonaccorso
     for the initial patch. (CVE-2013-7459) (Closes:
     #849495)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 04 Feb 2017 07:37:55 GMT).



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:53:24 2019; Machine Name: beach
