From ${URL} :

In PyCrypto before v2.6.1, the Crypto.Random PRNG exhibits a race condition that may cause it to generate the same 'random' output in multiple processes that are forked from each other. Depending on the application, this could reveal sensitive information or cryptographic keys to remote attackers.

An application may be affected if, within 100 milliseconds, it performs the following steps (which may be summarized as "read-fork-read-read"):

1. Read from the Crypto.Random PRNG, causing an internal reseed;
2. Fork the process and invoke Crypto.Random.atfork() in the child;
3. Read from the Crypto.Random PRNG again, in at least two different processes (parent and child, or multiple children).

Only applications that invoke Crypto.Random.atfork() and perform the above steps are affected by this issue. Other applications are unaffected.

git repo: https://github.com/dlitz/pycrypto/
v2.6.1 tag id: ebb470d3f0982702e3e9b7fb9ebdaeed95903aaf
v2.6.1 commit id: 7fd528d03b5eae58eef6fd219af5d9ac9c83fa50

References: http://seclists.org/oss-sec/2013/q4/122

@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
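As an added illustration that is not PyCrypto's code and not part of this bug report, the toy PRNG below models the rate-limited reseed the advisory describes and runs its read-fork-read-read sequence twice: once with an atfork() that only requests a reseed (the pre-2.6.1 behaviour) and once with an atfork() that forces one. ToyFortuna, its SHA-256-based generator and read_fork_read_read() are constructed stand-ins, not PyCrypto's Fortuna implementation.

```python
import hashlib, os, time

class ToyFortuna:
    """Constructed stand-in for a PRNG with rate-limited reseeding (not PyCrypto's code)."""
    RESEED_INTERVAL = 0.1  # the 100 ms rate limit described in the advisory

    def __init__(self, force_reseed_on_fork):
        self.force_reseed_on_fork = force_reseed_on_fork
        self.key, self.counter, self.last_reseed = b"\x00" * 32, 0, 0.0

    def _reseed(self, force=False):
        """Mix fresh OS entropy into the key, unless the rate limit says not yet."""
        now = time.monotonic()
        if not force and now - self.last_reseed < self.RESEED_INTERVAL:
            return False  # reseed skipped by the rate limit
        self.key = hashlib.sha256(self.key + os.urandom(32)).digest()
        self.last_reseed = now
        return True

    def read(self, n):
        """Generate n bytes; every read first attempts a (rate-limited) reseed."""
        self._reseed()
        out = b""
        while len(out) < n:
            out += hashlib.sha256(self.key + self.counter.to_bytes(8, "big")).digest()
            self.counter += 1
        return out[:n]

    def atfork(self):
        # Vulnerable: atfork() merely requests a reseed, which the rate limit can
        # skip. Fixed: atfork() forces the reseed regardless of the rate limit.
        self._reseed(force=self.force_reseed_on_fork)

def read_fork_read_read(force_reseed_on_fork):
    """Run the advisory's read-fork-read-read sequence; return (parent_out, child_out)."""
    prng = ToyFortuna(force_reseed_on_fork)
    prng.read(16)  # step 1: read, causing an internal reseed
    rd, wr = os.pipe()
    pid = os.fork()  # step 2: fork ...
    if pid == 0:
        prng.atfork()  # ... and invoke atfork() in the child
        os.write(wr, prng.read(16))  # step 3: the child reads again
        os._exit(0)
    os.close(wr)
    parent_out = prng.read(16)  # step 3: so does the parent
    child_out = os.read(rd, 16)  # 16 bytes is below PIPE_BUF: one atomic write/read
    os.close(rd)
    os.waitpid(pid, 0)
    return parent_out, child_out
```

read_fork_read_read(False) returns identical parent and child output because the child's reseed request falls inside the 100 ms window; read_fork_read_read(True) returns different output, which is the property the fixed atfork() restores.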
+ 20 Oct 2013; Dirkjan Ochtman <djc@gentoo.org> +pycrypto-2.6.1.ebuild:
+ Version bump pycrypto for bug 488630.

This should be fine for stabilization.
CVE-2013-1445 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1445): The Crypto.Random.atfork function in PyCrypto before 2.6.1 does not properly reseed the pseudo-random number generator (PRNG) before allowing a child process to access it, which makes it easier for context-dependent attackers to obtain sensitive information by leveraging a race condition in which a child process is created and accesses the PRNG within the same rate-limit period as another process.
(In reply to Dirkjan Ochtman from comment #1)
> + 20 Oct 2013; Dirkjan Ochtman <djc@gentoo.org> +pycrypto-2.6.1.ebuild:
> + Version bump pycrypto for bug 488630.
>
> This should be fine for stabilization.

Good. Arches, please test and mark stable =dev-python/pycrypto-2.6.1

Target keywords: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Stable for HPPA.
amd64 / x86 stable
ppc stable
alpha stable
ppc64 stable
arm stable
sparc stable
ia64 stable. Maintainer(s), please cleanup. Security, please vote.
Cleanup done.
Cleanup completed. Awaiting GLSA vote.
Thanks, everyone.

GLSA vote: no
GLSA vote: no. Closing noglsa.