[SECURITY] [DLA 1283-2] python-crypto security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 1283-2] python-crypto security update
From: Brian May <bam@debian.org>
Date: Mon, 9 Apr 2018 17:11:52 +1000
Message-id: <[🔎] 20180409071152.xsbymd4r4444oxvr@silverfish.pri>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package        : python-crypto
Version        : 2.6-4+deb7u8


This is an update to DLA-1283-1. In DLA-1283-1 it is claimed that the issue
described in CVE-2018-6594 is fixed. It turns out that the fix is partial and
upstream has decided not to fix the issue as it would break compatibility and
that ElGamal encryption was not intended to work on its own.

The recommendation is still to upgrade python-crypto packages. In addition
please take into account that the fix is not complete. If you have an
application using python-crypto is implementing ElGamal encryption you should
consider changing to some other encryption method.

There will be no further update to python-crypto for this specific CVE. A fix
would break compatibility, the problem has been ignored by regular Debian
Security team due to its minor nature and in addition to that we are close to
the end of life of the Wheezy security support.

CVE-2018-6594:

python-crypto generated weak ElGamal key parameters, which allowed attackers to
obtain sensitive information by reading ciphertext data (i.e., it did not have
semantic security in face of a ciphertext-only attack).

We recommend that you upgrade your python-crypto packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEKpwfR8DOwu5vyB4TKpJZkldkSvoFAlrLEasACgkQKpJZkldk
Svpnbg/+IF7MHoZMtr9FEjzy/KWbIWlztoAiEwtrf8OC2zwoKwDF91F0hJXF6z9w
sWcaIsUiL6mj/j/QlOYMVSpJCN6escC2truu+UW5uVHBtEL+ng38s3CqyPMgy/vf
t37pEqti9mHlJoPzNPdSaLXT60LMSpt5mb8mOLP1mc9lDr22PrRF//8USrbU2Iqf
8iy3vIIo+hmSbATHlo1RQzvkzLZQ1unA6dQ747QOWGQuPxPtXc1jCJUymp8hVB38
/pKEzcsAakvhyZGWD2Nlo6jKVrFdGynXoq5iYGz8Knzhw+AUAJyURlA/UIubsRnT
5RTFPV9cWOeiOITAtP2aTp+P10zXJsj2icE2K8ujKIcp3kRRzKYbxnOsBb/CCGhs
2SWsASPswKYgJY4bHGpU9OVs7D/eLXNrjDa4e1yjQGQqp+QfTI705hUjSbj1XxYU
v1ZqXrB/rITx+KaxCCIwCmjaPy5Llv0Hrqk+jlIa2oKf7gffrpb38LjOxMf6SFbL
c1/7YG74sS4w/9VDpydcVoEHwDTFx04wpBT/nXxOrAPGctE7wZRvBHYDkVaRABuS
L5nZnvTYZfmcKySp0xcG2XLknE9UYSjNSi5h9BhivFxb70o160YboIX127SYH6Bm
K99oYuMlw21ITP5lfv12LEJcHZOz6rLO4k0t4qyUjodL82DwQcQ=
=pY2g
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 1341-1] sdl-image1.2 security update
Next by Date: [SECURITY] [DLA 1342-1] ldap-account-manager security update
Previous by thread: [SECURITY] [DLA 1341-1] sdl-image1.2 security update
Next by thread: [SECURITY] [DLA 1342-1] ldap-account-manager security update
Index(es):
- Date
- Thread