-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Package : python-crypto Version : 2.6-4+deb7u8
This is an update to DLA-1283-1. In DLA-1283-1 it is claimed that the issue described in CVE-2018-6594 is fixed. It turns out that the fix is partial and upstream has decided not to fix the issue as it would break compatibility and that ElGamal encryption was not intended to work on its own. The recommendation is still to upgrade python-crypto packages. In addition please take into account that the fix is not complete. If you have an application using python-crypto is implementing ElGamal encryption you should consider changing to some other encryption method. There will be no further update to python-crypto for this specific CVE. A fix would break compatibility, the problem has been ignored by regular Debian Security team due to its minor nature and in addition to that we are close to the end of life of the Wheezy security support. CVE-2018-6594: python-crypto generated weak ElGamal key parameters, which allowed attackers to obtain sensitive information by reading ciphertext data (i.e., it did not have semantic security in face of a ciphertext-only attack). We recommend that you upgrade your python-crypto packages. Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEKpwfR8DOwu5vyB4TKpJZkldkSvoFAlrLEasACgkQKpJZkldk Svpnbg/+IF7MHoZMtr9FEjzy/KWbIWlztoAiEwtrf8OC2zwoKwDF91F0hJXF6z9w sWcaIsUiL6mj/j/QlOYMVSpJCN6escC2truu+UW5uVHBtEL+ng38s3CqyPMgy/vf t37pEqti9mHlJoPzNPdSaLXT60LMSpt5mb8mOLP1mc9lDr22PrRF//8USrbU2Iqf 8iy3vIIo+hmSbATHlo1RQzvkzLZQ1unA6dQ747QOWGQuPxPtXc1jCJUymp8hVB38 /pKEzcsAakvhyZGWD2Nlo6jKVrFdGynXoq5iYGz8Knzhw+AUAJyURlA/UIubsRnT 5RTFPV9cWOeiOITAtP2aTp+P10zXJsj2icE2K8ujKIcp3kRRzKYbxnOsBb/CCGhs 2SWsASPswKYgJY4bHGpU9OVs7D/eLXNrjDa4e1yjQGQqp+QfTI705hUjSbj1XxYU v1ZqXrB/rITx+KaxCCIwCmjaPy5Llv0Hrqk+jlIa2oKf7gffrpb38LjOxMf6SFbL c1/7YG74sS4w/9VDpydcVoEHwDTFx04wpBT/nXxOrAPGctE7wZRvBHYDkVaRABuS L5nZnvTYZfmcKySp0xcG2XLknE9UYSjNSi5h9BhivFxb70o160YboIX127SYH6Bm K99oYuMlw21ITP5lfv12LEJcHZOz6rLO4k0t4qyUjodL82DwQcQ= =pY2g -----END PGP SIGNATURE-----