From: ludo@gnu.org (Ludovic Courtès)
Subject: Re: pycrypto buffer overflow (potentially affects onionshare and other packages)
Date: Mon, 02 Jan 2017 21:41:26 +0100
Message-ID: <87k2adchzd.fsf@gnu.org>
In-Reply-To: <20161227005405.GA13558@jasmine> (Leo Famulari's message of "Mon, 26 Dec 2016 19:54:05 -0500")
To: Leo Famulari
Cc: guix-devel@gnu.org

Leo Famulari wrote:

> On Mon, Dec 26, 2016 at 01:08:44PM -0500, Leo Famulari wrote:
>> On Mon, Dec 26, 2016 at 12:43:44PM -0500, Leo Famulari wrote:
>> > The list of our packages that use pycrypto:
>>
>> [...]
>>
>> > onionshare-0.9.2
>>
>> This comes through python-stem. I've contacted the stem maintainer about
>> this issue.
>
> Based on my discussion with the Stem maintainer, I removed pycrypto from
> the dependency graph of OnionShare and added a comment about removing
> the pycrypto package in 4de2a710a6a309a1601f1cf6fc15b9b638d3a3cb and
> 1194575b3c44969e4f68cd10a62e6ed8603e39b4, respectively.

Thanks. Looks like another case of an important piece of software
lacking a maintainer…

Ludo’.