Debian Security Advisory

DLA-1283-2 python-crypto -- LTS security update

Date Reported:
09 Apr 2018
Affected Packages:
python-crypto
Vulnerable:
Yes
Security database references:
No other external database security references currently available.
More information:

This is an update to DLA-1283-1. In DLA-1283-1 it is claimed that the issue described in CVE-2018-6594 is fixed. It turns out that the fix is partial and upstream has decided not to fix the issue as it would break compatibility and that ElGamal encryption was not intended to work on its own.

The recommendation is still to upgrade python-crypto packages. In addition please take into account that the fix is not complete. If you have an application using python-crypto is implementing ElGamal encryption you should consider changing to some other encryption method.

There will be no further update to python-crypto for this specific CVE. A fix would break compatibility, the problem has been ignored by regular Debian Security team due to its minor nature and in addition to that we are close to the end of life of the Wheezy security support.

  • CVE-2018-6594

    python-crypto generated weak ElGamal key parameters, which allowed attackers to obtain sensitive information by reading ciphertext data (i.e., it did not have semantic security in face of a ciphertext-only attack).

We recommend that you upgrade your python-crypto packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

For Debian 6 Squeeze, these issues have been fixed in python-crypto version 2.6-4+deb7u8