From ${URL} : please assign a CVE to this signature forgery vulnerability in python-rsa. It allows an attacker to fake signatures for arbitrary messages for any key with low exponent "e" (like the common 3). Writeup: https://blog.filippo.io/bleichenbacher-06-signature-forgery-in-python-rsa/ Fix: https://bitbucket.org/sybren/python-rsa/pull-requests/14/security-fix-bb06-attack-in-verify-by/diff Project: https://pypi.python.org/pypi/rsa @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
We wait until upstream merges the patch.
commit 180d405a41b277428974932c8b439048fe05ac36
Author: Justin Lecher <jlec@gentoo.org>
Date:   Thu Jan 7 09:56:09 2016 +0100

    dev-python/rsa: Backport patch for CVE-2016-1494

    Gentoo-Bug: https://bugs.gentoo.org/show_bug.cgi?id=570990
    Package-Manager: portage-2.2.26
    Signed-off-by: Justin Lecher <jlec@gentoo.org>

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=180d405a41b277428974932c8b439048fe05ac36
@arches, please stabilize =dev-python/rsa-3.2.3-r1
amd64 stable
@arches, please stabilize =dev-python/rsa-3.2.3-r1 =dev-python/oauth2client-1.5.2
@arches, please stabilize =dev-python/rsa-3.2.3-r1 =dev-python/oauth2client-1.5.2 =dev-python/httplib2-0.9.1
x86 done
arm stable
CVE-2016-1494 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1494): The verify function in the RSA package for Python (Python-RSA) before 3.3 allows attackers to spoof signatures with a small public exponent via crafted signature padding, aka a BERserk attack.
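The fix referenced above switched python-rsa's verify() from parsing the decrypted block to rebuilding the expected PKCS#1 v1.5 encoding and comparing it whole. The following is an added example of that verify-by-comparison pattern, not code from python-rsa or Gentoo; the key generation is a toy helper assumed for the demo (e = 3, 512-bit modulus, SHA-256), and the function names are my own.

```python
import hashlib
import hmac
import secrets

# DER prefix of a SHA-256 DigestInfo (RFC 8017, section 9.2, note 1).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def emsa_pkcs1_v15(message: bytes, em_len: int) -> bytes:
    """Expected EMSA-PKCS1-v1_5 block: 00 01 FF..FF 00 || DigestInfo || hash."""
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    pad_len = em_len - len(t) - 3
    if pad_len < 8: raise ValueError("modulus too small for this hash")
    return b"\x00\x01" + b"\xff" * pad_len + b"\x00" + t

def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    # Miller-Rabin; only called on odd candidates by generate_keypair().
    d, r = n - 1, 0
    while d % 2 == 0: d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1): continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1: break
        else:
            return False
    return True

def generate_keypair(bits: int = 512, e: int = 3):
    """Toy key generation (demo only, assumed helper): returns (e, d, n)."""
    primes = []
    while len(primes) < 2:
        p = secrets.randbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
        if (p - 1) % e and _is_probable_prime(p) and p not in primes:
            primes.append(p)
    p, q = primes
    return e, pow(e, -1, (p - 1) * (q - 1)), p * q  # modular inverse: Python 3.8+

def sign(message: bytes, d: int, n: int) -> bytes:
    em_len = (n.bit_length() + 7) // 8
    em = int.from_bytes(emsa_pkcs1_v15(message, em_len), "big")
    return pow(em, d, n).to_bytes(em_len, "big")

def verify(message: bytes, signature: bytes, e: int, n: int) -> bool:
    """Rebuild the full expected block and compare it; never scan the decrypted
    block for a 00 01 FF.. 00 prefix, which is what CVE-2016-1494 exploited."""
    em_len = (n.bit_length() + 7) // 8
    s = int.from_bytes(signature, "big")
    if len(signature) != em_len or s >= n: return False
    decoded = pow(s, e, n).to_bytes(em_len, "big")
    return hmac.compare_digest(decoded, emsa_pkcs1_v15(message, em_len))
```

Because the comparison covers every byte of the block, including the exact number of 0xFF bytes and the absence of trailing garbage after the hash, a decrypted value that merely looks well-formed is rejected.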
@maintainer(s), please clean the vulnerable versions from the tree. GLSA Vote: Yes. New GLSA request submitted.
please clean vulnerable versions.
commit 5b270563043845c98a12974a16abfb92f555ebd2 (HEAD -> master, origin/master, origin/HEAD)
Author:     Patrice Clement <monsieurp@gentoo.org>
AuthorDate: Sat Nov 26 22:43:51 2016 +0100
Commit:     Patrice Clement <monsieurp@gentoo.org>
CommitDate: Sat Nov 26 22:44:09 2016 +0100

    dev-python/rsa: Clean up vulnerable versions.

    Gentoo-Bug: https://bugs.gentoo.org/570990
    Package-Manager: portage-2.3.0

 dev-python/rsa/Manifest            |  2 --
 dev-python/rsa/rsa-3.1.4-r1.ebuild | 33 ---------------------------------
 dev-python/rsa/rsa-3.2.3.ebuild    | 34 ----------------------------------
 dev-python/rsa/rsa-3.2.ebuild      | 34 ----------------------------------
 4 files changed, 103 deletions(-)
 delete mode 100644 dev-python/rsa/rsa-3.1.4-r1.ebuild
 delete mode 100644 dev-python/rsa/rsa-3.2.3.ebuild
 delete mode 100644 dev-python/rsa/rsa-3.2.ebuild
Security, please do the deed. Thanks.