From Secunia security advisory at $URL:
Description
A weakness has been reported in PyCrypto, which can be exploited by malicious people to conduct brute force attacks. The weakness is caused due to an error when generating keys using the ElGamal scheme which may result in a reduced key space and can be exploited to derive the private key. The weakness is reported in versions 2.5 and prior.
Solution
Update to version 2.6.
So, let's stabilize 2.6? Thanks to Maxim for bumping it.
Thanks to maksbotan for the fast bump.
Arches, please test and mark stable:
=dev-python/pycrypto-2.6
Target KEYWORDS : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
amd64 stable
x86 stable
Stable for HPPA.
pycrypto-2.6 is no longer available.
>>> Downloading 'http://ftp.dlitz.net/pub/dlitz/crypto/pycrypto/pycrypto-2.6.tar.gz'
--2012-05-29 11:00:37-- http://ftp.dlitz.net/pub/dlitz/crypto/pycrypto/pycrypto-2.6.tar.gz
Распознаётся ftp.dlitz.net... 75.119.251.37
Подключение к ftp.dlitz.net|75.119.251.37|:80... соединение установлено.
HTTP-запрос отправлен. Ожидание ответа... 403 Forbidden
2012-05-29 11:00:38 ОШИБКА 403: Forbidden.
http://ftp.dlitz.net/pub/dlitz/crypto/pycrypto/pycrypto-2.6.tar.gz works fine for me.
arm stable
alpha/ia64/m68k/s390/sh/sparc stable
ppc64 done
ppc done
Thanks, folks. GLSA Vote: yes.
GLSA vote: yes. Filing new glsa request.
CVE-2012-2417 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2417): PyCrypto before 2.6 does not produce appropriate prime numbers when using an ElGamal scheme to generate a key, which reduces the signature space or public key space and makes it easier for attackers to conduct brute force attacks to obtain the private key.
This issue was resolved and addressed in GLSA 201206-23 at http://security.gentoo.org/glsa/glsa-201206-23.xml by GLSA coordinator Sean Amoss (ackle).