| Summary: | <dev-python/pycrypto-2.6 : ElGamal Key Generation Weakness (CVE-2012-2417) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | python |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://secunia.com/advisories/49263/ | | |
| Whiteboard: | B4 [glsa] | | |
| Package list: | | Runtime testing required: | --- |
Description
Agostino Sarubbo
2012-05-26 12:07:59 UTC
So, let's stabilize 2.6? Thanks to Maxim for bumping it.

Thanks to maksbotan for fast bump. Arches, please test and mark stable: =dev-python/pycrypto-2.6 Target KEYWORDS : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"

amd64 stable

x86 stable

Stable for HPPA.

pycrypto-2.6 is no longer available.
>>> Downloading 'http://ftp.dlitz.net/pub/dlitz/crypto/pycrypto/pycrypto-2.6.tar.gz'
--2012-05-29 11:00:37-- http://ftp.dlitz.net/pub/dlitz/crypto/pycrypto/pycrypto-2.6.tar.gz
Распознаётся ftp.dlitz.net... 75.119.251.37
Подключение к ftp.dlitz.net|75.119.251.37|:80... соединение установлено.
HTTP-запрос отправлен. Ожидание ответа... 403 Forbidden
2012-05-29 11:00:38 ОШИБКА 403: Forbidden.

http://ftp.dlitz.net/pub/dlitz/crypto/pycrypto/pycrypto-2.6.tar.gz works fine for me.

arm stable

alpha/ia64/m68k/s390/sh/sparc stable

ppc64 done

ppc done

Thanks, folks. GLSA Vote: yes.

GLSA vote: yes. Filing new glsa request.

CVE-2012-2417 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2417): PyCrypto before 2.6 does not produce appropriate prime numbers when using an ElGamal scheme to generate a key, which reduces the signature space or public key space and makes it easier for attackers to conduct brute force attacks to obtain the private key.

This issue was resolved and addressed in GLSA 201206-23 at http://security.gentoo.org/glsa/glsa-201206-23.xml by GLSA coordinator Sean Amoss (ackle).
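For keys that were generated before the upgrade, the CVE description above suggests auditing the public parameters themselves. The following is an added example, not code from this bug, from Gentoo or from PyCrypto: it checks an ElGamal public key (p, g, y) against the standard safe-prime criterion and flags values confined to a small subgroup. The function names, the smoothness bound of 1000 and the toy numbers are assumptions made for illustration.

```python
# Added example (not PyCrypto code): audit ElGamal public parameters p, g, y.
import random

def is_probable_prime(n, rounds=40):
    """Miller-Rabin test with a trial-division pre-check."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    rng = random.Random(0)  # fixed seed keeps the audit reproducible
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def smooth_part(n, bound):
    """Product of all prime-power factors of n whose prime is below bound."""
    smooth = 1
    for r in range(2, bound):
        while n % r == 0:
            n, smooth = n // r, smooth * r
    return smooth

def audit_elgamal(p, g, y, bound=1000):
    """Return a list of findings; empty means none. bound is an assumed cutoff."""
    if not is_probable_prime(p):
        return ["p is not prime"]
    findings = []
    if not is_probable_prime((p - 1) // 2):
        findings.append("p is not a safe prime")
    small = smooth_part(p - 1, bound)
    for name, v in (("g", g), ("y", y)):
        if not 1 < v < p - 1:
            findings.append(f"{name} is outside 2..p-2")
        elif pow(v, small, p) == 1:
            findings.append(f"{name} has small order dividing {small}")
    return findings

SAFE_TOY = (2579, 2, pow(2, 765, 2579))  # constructed toy key, p = 2*1289 + 1
```

`audit_elgamal(*SAFE_TOY)` returns an empty list. On the constructed prime 6079 (p - 1 = 2 * 3 * 1013), the audit reports that p is not a safe prime, and a g of order 3 is additionally reported as having small order.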