1.0.2 - 2015-09-27
~~~~~~~~~~~~~~~~~~

* **SECURITY ISSUE**: The OpenSSL backend prior to 1.0.2 made extensive use of assertions to check response codes where our tests could not trigger a failure. However, when Python is run with ``-O`` these asserts are optimized away. If a user ran Python with this flag and got an invalid response code this could result in undefined behavior or worse. Accordingly, all response checks from the OpenSSL backend have been converted from ``assert`` to a true function call. Credit **Emilia Käsper (Google Security Team)** for the report.

Security team please fix summary. I am not sure what is appropriate there.
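The failure mode the changelog describes can be reproduced without OpenSSL. The following is an added illustration, not code from the cryptography project or from this bug report; `fake_backend_call`, `require`, `InternalError` and the other names are hypothetical, and the response codes are constructed. It compiles the same source once normally and once at the optimization level that `-O` selects, then exercises a failing response code through both styles of check.

```python
import textwrap

# Constructed sample source; every name in it is hypothetical.
SOURCE = textwrap.dedent('''
    class InternalError(Exception):
        """Raised when the simulated backend call reports failure."""

    def fake_backend_call(succeed):
        # Stand-in for an OpenSSL-style function: 1 on success, 0 on failure.
        return 1 if succeed else 0

    def require(ok):
        # A real function call: still present in the bytecode under -O.
        if not ok:
            raise InternalError("unexpected response code")

    def checked_with_assert(succeed):
        res = fake_backend_call(succeed)
        assert res == 1      # statement is dropped when compiled with -O
        return "continued"

    def checked_with_call(succeed):
        res = fake_backend_call(succeed)
        require(res == 1)
        return "continued"
''')


def run_failure_path(optimize):
    """Compile SOURCE at the given level (0 = default, 1 = same as -O)
    and report what each check does when the backend call fails."""
    ns = {}
    exec(compile(SOURCE, "<constructed>", "exec", optimize=optimize), ns)
    results = {}
    for name in ("checked_with_assert", "checked_with_call"):
        try:
            results[name] = ns[name](False)
        except AssertionError:
            results[name] = "AssertionError"
        except ns["InternalError"]:
            results[name] = "InternalError"
    return results


if __name__ == "__main__":
    for level in (0, 1):
        print("optimize=%d -> %r" % (level, run_failure_path(level)))
```

At level 1 the assert-based check returns `"continued"` despite the failed call, which is the state the 1.0.2 change removes by making the check an ordinary function call.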
*** Bug 561694 has been marked as a duplicate of this bug. ***
@arches, please keywords and stabilize

dev-python/cryptography-1.0.2
dev-python/cryptography-vectors-1.0.2
dev-python/idna-2.0
dev-python/ipaddress-1.0.14
dev-python/cffi-1.2.1
For now I guess that this undefined behavior could lead to a crash.
This also needs dev-python/pyasn1-0.1.8. All six stable on alpha.
amd64 stable
x86 stable
Stable for HPPA PPC64.
jlec, I have to remove mips@ from your stablereqs pretty often. Presumably you're not selecting with the "Add arches" button in bugzilla... maybe you need to update your script? (m68k, s390, and sh are also unstable)
arm stable
*** Bug 561372 has been marked as a duplicate of this bug. ***
@arches, please proceed or we need to drop stable keywords.
ppc stable
sparc stable
ia64 stable
if we pass here we can increase the dep in the openstack packages https://review.openstack.org/#/c/244199/
passed, feel free to update the openstack packages to <=dev-python/cryptography-1.1-r9999
commit c3c2f1823de4a8a9c479c2c874a846c4de30d3d9
Author: Justin Lecher <jlec@gentoo.org>
Date: Thu Nov 12 10:26:21 2015 +0100

dev-python/cryptography: Drop vulnerable versions

Gentoo-Bug: https://bugs.gentoo.org/show_bug.cgi?id=561696

obsoletes:
Gentoo-Bug: https://bugs.gentoo.org/show_bug.cgi?id=561604
Gentoo-Bug: https://bugs.gentoo.org/show_bug.cgi?id=559648
Gentoo-Bug: https://bugs.gentoo.org/show_bug.cgi?id=521796

Package-Manager: portage-2.2.23
Signed-off-by: Justin Lecher <jlec@gentoo.org>

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c3c2f1823de4a8a9c479c2c874a846c4de30d3d9
Tree is clean again.
Arches and Maintainer(s), Thank you for your work.

GLSA Vote: No

Thank you all. Closing as noglsa.