Re: libgcrypt11 same issue? Was: Re: [SECURITY] [DLA 1283-1] python-crypto security update

2018-04-12 Thread Ola Lundqvist
Hi Yes I forgot to push my changes. Thanks for handling it for me. // Ola On 12 April 2018 at 14:14, Ola Lundqvist wrote: > Hi > > I thought I did. Maybe I forgot to push my changes. > > Thanks for resolving it. > > // Ola > > On 11 April 2018 at 22:18, Antoine Beaupré

Re: libgcrypt11 same issue? Was: Re: [SECURITY] [DLA 1283-1] python-crypto security update

2018-04-12 Thread Ola Lundqvist
Hi I thought I did. Maybe I forgot to push my changes. Thanks for resolving it. // Ola On 11 April 2018 at 22:18, Antoine Beaupré wrote: > On 2018-04-10 14:33:28, Ola Lundqvist wrote: > > Hi Salvatore > > > > Great. Thanks. Then we do not need to do anything more to

Re: libgcrypt11 same issue? Was: Re: [SECURITY] [DLA 1283-1] python-crypto security update

2018-04-11 Thread Antoine Beaupré
On 2018-04-10 14:33:28, Ola Lundqvist wrote: > Hi Salvatore > > Great. Thanks. Then we do not need to do anything more to libgcrypt. I'll > remove it from dla-needed.txt. Assuming you forgot to do so, I went ahead and removed it from dla-needed.txt and marked it as no-dsa in wheezy. A. --

Re: libgcrypt11 same issue? Was: Re: [SECURITY] [DLA 1283-1] python-crypto security update

2018-04-10 Thread Ola Lundqvist
Hi Salvatore Great. Thanks. Then we do not need to do anything more to libgcrypt. I'll remove it from dla-needed.txt. // Ola On 9 April 2018 at 21:06, Salvatore Bonaccorso wrote: > Hi Ola, > > On Mon, Apr 09, 2018 at 08:59:32PM +0200, Ola Lundqvist wrote: > > Hi all > > > >

Re: libgcrypt11 same issue? Was: Re: [SECURITY] [DLA 1283-1] python-crypto security update

2018-04-09 Thread Salvatore Bonaccorso
Hi Ola, On Mon, Apr 09, 2018 at 08:59:32PM +0200, Ola Lundqvist wrote: > Hi all > > I found another issue that looks very similar. It is > https://security-tracker.debian.org/tracker/CVE-2018-6594 > > Should we treat it the same way, marking it as ignored? I guess you mean CVE-2018-6829? If

libgcrypt11 same issue? Was: Re: [SECURITY] [DLA 1283-1] python-crypto security update

2018-04-09 Thread Ola Lundqvist
Hi all I found another issue that looks very similar. It is https://security-tracker.debian.org/tracker/CVE-2018-6594 Should we treat it the same way, marking it as ignored? Best regards // Ola On 9 April 2018 at 07:26, Salvatore Bonaccorso wrote: > Hi Brian, > > On Fri,

Re: [SECURITY] [DLA 1283-1] python-crypto security update

2018-04-08 Thread Salvatore Bonaccorso
Hi Brian, On Fri, Apr 06, 2018 at 07:06:30PM +1000, Brian May wrote: > Ola Lundqvist writes: > > > This is what I think we should do. > > > > 1) Send a new DLA telling that the fix is only partial and not complete and > > in addition that elgamal encryption is not supported by

Re: [SECURITY] [DLA 1283-1] python-crypto security update

2018-04-06 Thread Ola Lundqvist
I think this sounds like a good plan. Sent from a phone On Fri, 6 Apr 2018 at 11:06, Brian May wrote: > Ola Lundqvist writes: > > > This is what I think we should do. > > > > 1) Send a new DLA telling that the fix is only partial and not complete > and > > in

Re: [SECURITY] [DLA 1283-1] python-crypto security update

2018-04-06 Thread Brian May
Ola Lundqvist writes: > This is what I think we should do. > > 1) Send a new DLA telling that the fix is only partial and not complete and > in addition that elgamal encryption is not supported by the library and > should not be used. > > 2) Mark the CVE as no-dsa/ignored in the

Re: [SECURITY] [DLA 1283-1] python-crypto security update

2018-04-03 Thread Ola Lundqvist
Hi Brian This is what I think we should do. 1) Send a new DLA telling that the fix is only partial and not complete and in addition that elgamal encryption is not supported by the library and should not be used. 2) Mark the CVE as no-dsa/ignored in the security database. Suggested DLA text. Any

Re: [SECURITY] [DLA 1283-1] python-crypto security update

2018-04-02 Thread Brian May
Ola Lundqvist writes: > Do we have a fix that solves the problem? If we do we can simply upload a > new version with the fix and describe it accordingly. > If it is fixed in some cases it may be considered fixed. > > I have not checked the details about this specific problem.

Re: [SECURITY] [DLA 1283-1] python-crypto security update

2018-04-02 Thread Ola Lundqvist
Hi Do we have a fix that solves the problem? If we do we can simply upload a new version with the fix and describe it accordingly. If it is fixed in some cases it may be considered fixed. I have not checked the details about this specific problem. // Ola On 2 April 2018 at 10:22, Brian May

Re: [SECURITY] [DLA 1283-1] python-crypto security update

2018-04-02 Thread Brian May
Ola Lundqvist writes: > We can simply send a DLA-1283-2 telling that it was not fixed. Do we all agree that this is not fixed? It really depends on the users of this library and how they use it. Let's assume we agree it isn't fixed. I cannot think how to word this advisory. I

Re: [SECURITY] [DLA 1283-1] python-crypto security update

2018-03-30 Thread Ola Lundqvist
Hi We can simply send a DLA-1283-2 telling that it was not fixed. // Ola On 29 March 2018 at 21:34, Antoine Beaupré wrote: > On 2018-03-27 07:38:43, Brian May wrote: > > Antoine Beaupré writes: > > > >> I'm not sure. The security team marked

Re: [SECURITY] [DLA 1283-1] python-crypto security update

2018-03-29 Thread Antoine Beaupré
On 2018-03-27 07:38:43, Brian May wrote: > Antoine Beaupré writes: > >> I'm not sure. The security team marked that as "no-dsa (minor issue)" >> for jessie and stretch, and fixed in pycryptodome 3.4.11-1... Couldn't >> we reuse the fixes from cryptodome to get this

Re: [SECURITY] [DLA 1283-1] python-crypto security update

2018-03-26 Thread Brian May
Antoine Beaupré writes: > I'm not sure. The security team marked that as "no-dsa (minor issue)" > for jessie and stretch, and fixed in pycryptodome 3.4.11-1... Couldn't > we reuse the fixes from cryptodome to get this working properly? Or is > this what you say breaks

Re: [SECURITY] [DLA 1283-1] python-crypto security update

2018-03-26 Thread Antoine Beaupré
On 2018-02-20 07:33:27, Brian May wrote: > Any comments? Where should we go from here? I'm not sure. The security team marked that as "no-dsa (minor issue)" for jessie and stretch, and fixed in pycryptodome 3.4.11-1... Couldn't we reuse the fixes from cryptodome to get this working properly? Or

Re: [SECURITY] [DLA 1283-1] python-crypto security update

2018-02-19 Thread Brian May
My information, as communicated by Erik-Oliver Blass via private email is that this issue was not fixed upstream. I had assumed when upstream said "I will close this issue, since this fix is in v3.4.10." in https://github.com/Legrandin/pycryptodome/issues/90#issuecomment-362907413 it was meant