Summary: | <dev-python/pycrypto-2.6.1-r2: Heap-buffer overflow in ALGobject structure | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | WGH <wgh> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | major | CC: | python |
Priority: | Normal | Flags: | stable-bot: sanity-check+ |
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://seclists.org/oss-sec/2016/q4/766 | ||
See Also: | https://bugs.gentoo.org/show_bug.cgi?id=610334 | ||
Whiteboard: | A2 [glsa cve] | ||
Package list: | =dev-python/pycrypto-2.6.1-r2 | ||
Runtime testing required: | --- |
Bug Depends on: | |||
Bug Blocks: | 606278 |
Description
WGH
2016-03-05 08:43:46 UTC
@sec team Can you confirm?

Yes, the vulnerability is real. Upstream fix is https://github.com/dlitz/pycrypto/commit/8dbe0dc3eea5c689d4f76b37b93fe216cf1f00d4

@ Maintainer(s): Please consider a snapshot release or rev bump to include the fix.

Meanwhile we should consider removal, see https://github.com/dlitz/pycrypto/issues/173 -- Dead project and depending applications should migrate to other libraries.

@sec, please start stabilising pycrypto-2.6.1-r2

commit 76964454e0a54e9fc2bb67f29c89155ca2c05a96
Author: David Seifert <soap@gentoo.org>
Date: Fri Jan 20 17:56:09 2017 +0100

    dev-python/pycrypto: Add patch for CVE-2013-7459

    Gentoo-bug: 576494

Thank you for the bump!

@ Arches, please test and mark stable:

=dev-python/pycrypto-2.6.1-r2

Stable on alpha.

Stable for PPC64.

Stable for HPPA.

amd64 stable

x86 stable

ppc stable

sparc stable

ia64 stable

arm stable, all arches done.

GLSA request filed.

This issue was resolved and addressed in GLSA 201702-14 at https://security.gentoo.org/glsa/201702-14 by GLSA coordinator Thomas Deutschmann (whissi).

Re-opening for cleanup.

@ Maintainer(s): Please clean up and drop <dev-python/pycrypto-2.6.1-r2!

Arches and Maintainer(s), Thank you for your work.