From: Leo Famulari
Subject: Re: pycrypto buffer overflow (potentially affects onionshare and other packages)
Date: Mon, 9 Jan 2017 19:09:09 -0500
Message-ID: <20170110000909.GI17253@jasmine>
References: <20161226174344.GA10842@jasmine> <20161226180844.GA12367@jasmine> <20161227005405.GA13558@jasmine> <87k2adchzd.fsf@gnu.org> <20170103045947.GA13839@jasmine> <87bmvlvlhd.fsf@gnu.org>
In-Reply-To: <87bmvlvlhd.fsf@gnu.org>
List-Id: "Development of GNU Guix and the GNU System distribution."
To: Ludovic Courtès
Cc: guix-devel@gnu.org

On Thu, Jan 05, 2017 at 11:39:58AM +0100, Ludovic Courtès wrote:
> Leo Famulari wrote:
>
> > On Mon, Jan 02, 2017 at 09:41:26PM +0100, Ludovic Courtès wrote:
> >> Leo Famulari wrote:
> >> > Based on my discussion with the Stem maintainer, I removed pycrypto from
> >> > the dependency graph of OnionShare and added a comment about removing
> >> > the pycrypto package in 4de2a710a6a309a1601f1cf6fc15b9b638d3a3cb and
> >> > 1194575b3c44969e4f68cd10a62e6ed8603e39b4, respectively.
> >>
> >> Thanks. Looks like another case of an important piece of software
> >> lacking a maintainer…
> >
> > At this point, I think it's recommended to use the 'cryptography'
> > module, which we have as python-cryptography. This seems to be where all
> > the development energy is being spent.
> >
> > Debian adapted the upstream patch:
> >
> > https://anonscm.debian.org/cgit/collab-maint/python-crypto.git/commit/?id=0de2243837ed369a086f15c50cca2be85bdfab9d
> >
> > What do people think?
>
> Maybe we should apply this patch as well as progressively migrate to
> python-cryptography whenever possible?

I applied the Debian patch in aa21c764d65068783ae31febee2a92eb3d138a24.