From mboxrd@z Thu Jan 1 00:00:00 1970
From: Leo Famulari
Subject: Re: pycrypto buffer overflow (potentially affects onionshare and other packages)
Date: Mon, 2 Jan 2017 23:59:47 -0500
Message-ID: <20170103045947.GA13839@jasmine>
References: <20161226174344.GA10842@jasmine> <20161226180844.GA12367@jasmine> <20161227005405.GA13558@jasmine> <87k2adchzd.fsf@gnu.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Return-path:
Received: from eggs.gnu.org ([2001:4830:134:3::10]:43546) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cOHCV-0006oi-Bp for guix-devel@gnu.org; Mon, 02 Jan 2017 23:59:56 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cOHCS-0006Jk-9U for guix-devel@gnu.org; Mon, 02 Jan 2017 23:59:55 -0500
Content-Disposition: inline
In-Reply-To: <87k2adchzd.fsf@gnu.org>
List-Id: "Development of GNU Guix and the GNU System distribution."
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: "Guix-devel"
To: Ludovic =?iso-8859-1?Q?Court=E8s?=
Cc: guix-devel@gnu.org

On Mon, Jan 02, 2017 at 09:41:26PM +0100, Ludovic Courtès wrote:
> Leo Famulari skribis:
> > Based on my discussion with the Stem maintainer, I removed pycrypto from
> > the dependency graph of OnionShare and added a comment about removing
> > the pycrypto package in 4de2a710a6a309a1601f1cf6fc15b9b638d3a3cb and
> > 1194575b3c44969e4f68cd10a62e6ed8603e39b4, respectively.
>
> Thanks. Looks like another case of an important piece of software
> lacking a maintainer…

At this point, I think it's recommended to use the 'cryptography' module,
which we have as python-cryptography. This seems to be where all the
development energy is being spent.

Debian adapted the upstream patch:

https://anonscm.debian.org/cgit/collab-maint/python-crypto.git/commit/?id=0de2243837ed369a086f15c50cca2be85bdfab9d

What do people think?