From: Leo Famulari
To: guix-devel@gnu.org
Subject: Re: pycrypto buffer overflow (potentially affects onionshare and other packages)
Date: Mon, 26 Dec 2016 19:54:05 -0500
Message-ID: <20161227005405.GA13558@jasmine>
In-Reply-To: <20161226180844.GA12367@jasmine>
References: <20161226174344.GA10842@jasmine> <20161226180844.GA12367@jasmine>
List-Id: "Development of GNU Guix and the GNU System distribution."

On Mon, Dec 26, 2016 at 01:08:44PM -0500, Leo Famulari wrote:
> On Mon, Dec 26, 2016 at 12:43:44PM -0500, Leo Famulari wrote:
> > The list of our packages that use pycrypto:
>
> [...]
>
> > onionshare-0.9.2
>
> This comes through python-stem. I've contacted the stem maintainer about
> this issue.

Based on my discussion with the Stem maintainer, I removed pycrypto from
the dependency graph of OnionShare and added a comment about removing the
pycrypto package in 4de2a710a6a309a1601f1cf6fc15b9b638d3a3cb and
1194575b3c44969e4f68cd10a62e6ed8603e39b4, respectively.