Bug#1023030: marked as done (pysha3: Affected by CVE-2022-37454, unmaintained, remove from Debian?)
Your message dated Wed, 11 Jan 2023 19:00:14 +
with message-id and subject line Bug#1023030: fixed in pysha3 1.0.2-5
has caused the Debian Bug report #1023030,
regarding pysha3: Affected by CVE-2022-37454, unmaintained, remove from Debian?
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
1023030: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1023030
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Source: pysha3
Version: 1.0.2-4.2
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: Debian Security Team
Forwarded: https://github.com/tiran/pysha3/issues/29

pysha3 is affected by CVE-2022-37454, a security issue in Keccak

See:
https://github.com/python/cpython/issues/98517
https://mouha.be/sha-3-buffer-overflow/

This is a backport module to bring a feature from Python 3.6 back to
older versions. It seems very dead upstream, should we just remove it
from the archive?

There is currently one reverse-dependency, python-opentimestamps, and I
think we can trivially migrate that to use hashlib.

SR
--- End Message ---

--- Begin Message ---
Source: pysha3
Source-Version: 1.0.2-5
Done: Ben Finney

We believe that the bug you reported is fixed in the latest version of
pysha3, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1023...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ben Finney (supplier of updated pysha3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 01 Nov 2022 16:11:42 +1100
Source: pysha3
Binary: python3-sha3 python3-sha3-dbgsym
Architecture: source amd64
Version: 1.0.2-5
Distribution: unstable
Urgency: medium
Maintainer: Ben Finney
Changed-By: Ben Finney
Description:
 python3-sha3 - SHA-3 (Keccak) hash implementation — Python 3
Closes: 954470 1023030
Changes:
 pysha3 (1.0.2-5) unstable; urgency=medium
 .
   * The “Sarah Ratley” release.
   * Acknowledge non-maintainer upload “1.0.2-4.1”.
     Thanks to Emmanuel Arias for the upload.
   * Acknowledge non-maintainer upload “1.0.2-4.1+deb11u1”.
     Thanks to Stefano Rivera for the upload.
   * Use only supported Python versions in the AutoPkgTest.
     Closes: bug#954470.
   * Use the automatic package-name placeholder in AutoPkgTest definition.
   * debian/patches/CVE-2022-37454.integer-and-buffer-overflow.patch:
     * Correct Keccak implementation for an integer and buffer overflow.
       Closes: bug#1023030.
   * Correctly describe maintenance of this Debian source package.
   * Declare Debhelper compatibility level 13.
   * Declare conformance to “Standards-Version: 4.6.1”.
     No additional changes required.
   * Specify the commands for running the package test suite.
   * debian/patches/prioritise-setuptools.patch:
     * Prioritise the Setuptools implementation of Command.
   * Remove obsolete field from DEP-12 metadata.
   * Use the GitHub project URL as the Homepage field value.
   * Override false positive Lintian check for VCS-* field names.
Bug#1023030: marked as done (pysha3: Affected by CVE-2022-37454, unmaintained, remove from Debian?)
Your message dated Sat, 05 Nov 2022 15:32:59 +
with message-id and subject line Bug#1023030: fixed in pysha3 1.0.2-4.1+deb11u1
has caused the Debian Bug report #1023030,
regarding pysha3: Affected by CVE-2022-37454, unmaintained, remove from Debian?
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
1023030: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1023030
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Source: pysha3
Version: 1.0.2-4.2
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: Debian Security Team
Forwarded: https://github.com/tiran/pysha3/issues/29

pysha3 is affected by CVE-2022-37454, a security issue in Keccak

See:
https://github.com/python/cpython/issues/98517
https://mouha.be/sha-3-buffer-overflow/

This is a backport module to bring a feature from Python 3.6 back to
older versions. It seems very dead upstream, should we just remove it
from the archive?

There is currently one reverse-dependency, python-opentimestamps, and I
think we can trivially migrate that to use hashlib.

SR
--- End Message ---

--- Begin Message ---
Source: pysha3
Source-Version: 1.0.2-4.1+deb11u1
Done: Stefano Rivera

We believe that the bug you reported is fixed in the latest version of
pysha3, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1023...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefano Rivera (supplier of updated pysha3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 29 Oct 2022 15:13:09 +0200
Source: pysha3
Architecture: source
Version: 1.0.2-4.1+deb11u1
Distribution: bullseye-security
Urgency: high
Maintainer: Ben Finney
Changed-By: Stefano Rivera
Closes: 1023030
Changes:
 pysha3 (1.0.2-4.1+deb11u1) bullseye-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix a buffer overflow issue in SHA-3 CVE-2022-37454 (Closes: #1023030).
--- End Message ---
Bug#1023030: marked as done (pysha3: Affected by CVE-2022-37454, unmaintained, remove from Debian?)
Your message dated Tue, 01 Nov 2022 00:01:57 +
with message-id and subject line Bug#1023033: Removed package(s) from unstable
has caused the Debian Bug report #1023030,
regarding pysha3: Affected by CVE-2022-37454, unmaintained, remove from Debian?
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
1023030: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1023030
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Source: pysha3
Version: 1.0.2-4.2
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: Debian Security Team
Forwarded: https://github.com/tiran/pysha3/issues/29

pysha3 is affected by CVE-2022-37454, a security issue in Keccak

See:
https://github.com/python/cpython/issues/98517
https://mouha.be/sha-3-buffer-overflow/

This is a backport module to bring a feature from Python 3.6 back to
older versions. It seems very dead upstream, should we just remove it
from the archive?

There is currently one reverse-dependency, python-opentimestamps, and I
think we can trivially migrate that to use hashlib.

SR
--- End Message ---

--- Begin Message ---
Version: 1.0.2-4.2+rm

Dear submitter,

as the package pysha3 has just been removed from the Debian archive
unstable we hereby close the associated bug reports. We are sorry
that we couldn't deal with your issue properly.

For details on the removal, please see https://bugs.debian.org/1023033

The version of this package that was in Debian prior to this removal
can still be found using http://snapshot.debian.org/.

Please note that the changes have been done on the master archive and
will not propagate to any mirrors until the next dinstall run at the
earliest.

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmas...@ftp-master.debian.org.

Debian distribution maintenance software
pp.
Scott Kitterman (the ftpmaster behind the curtain)
--- End Message ---