From: Leo Famulari
Subject: pycrypto buffer overflow (potentially affects onionshare and other packages)
Date: Mon, 26 Dec 2016 12:43:44 -0500
Message-ID: <20161226174344.GA10842@jasmine>
To: guix-devel@gnu.org

The pycrypto library contains at least one dangerous buffer overflow:

https://github.com/dlitz/pycrypto/issues/176

And the pycrypto project is inactive:

https://github.com/dlitz/pycrypto/issues/173

The list of our packages that use pycrypto:

python-axolotl-0.1.35
onionshare-0.9.2
python-flask-restful-swagger-0.19
python-swiftclient-2.6.0
jrnl-1.9.7
ansible-2.1.0.0