The changelog for python-gnupg 0.3.5 lists this: "Added improved shell quoting to guard against shell injection." No details are given, but it sounds like a pretty severe security issue. Please bump.
Guessing this one as user-assisted ACE, B2.
It was noted on oss-security that the fix in the 0.3.5 release is incomplete. This bug tracks upstream progress on really fixing the issue: https://code.google.com/p/python-gnupg/issues/detail?id=98#c4
0.3.6 released upstream, with (hopefully) complete fix for the issue. Please bump.
Does this version in tree contain the fix and if so are we ready for stabilization?

*python-gnupg-0.3.6 (10 Feb 2014)

  10 Feb 2014; Tim Harder <radhermit@gentoo.org> +python-gnupg-0.3.6.ebuild,
  +files/python-gnupg-0.3.6-skip-search-keys-tests.patch:
  Version bump.
(In reply to Yury German from comment #4)
> Does this version in tree contain the fix and if so are we ready for
> stabilization?

OOPS Please ignore stabilization comment (did not remove from paste).

> *python-gnupg-0.3.6 (10 Feb 2014)
>
>   10 Feb 2014; Tim Harder <radhermit@gentoo.org> +python-gnupg-0.3.6.ebuild,
>   +files/python-gnupg-0.3.6-skip-search-keys-tests.patch:
>   Version bump.
Changing to ~2 as this was never stable. Fix would be in 0.3.6 upstream. Maintainer(s), please drop the vulnerable version. No stable versions, no GLSA Required.
(In reply to Yury German from comment #6)
> Changing to ~2 as this was never stable.
>
> Fix would be in 0.3.6 upstream.
>
> Maintainer(s), please drop the vulnerable version.
>
> No stable versions, no GLSA Required.

The version 0.3.5 was NEVER in portage and so we CAN'T drop it. I think this bug is closable.
> The version 0.3.5 was NEVER in portage and so we CAN'T drop it. I think
> this bug is closable.

To make things clear: we are talking about two issues here. The first one affects all previous versions, so 0.3.1 and 0.3.2 are affected and should be removed from portage. The second one was an incomplete fix in 0.3.5 and thus is mostly irrelevant for us, as we don't ship that.
Thank you for the clarification. Waiting for cleanup on 0.3.2 & 0.3.1-r1 before closing. No change to GLSA status as both are not stable.
(In reply to Hanno Boeck from comment #8)
> > The version 0.3.5 was NEVER in portage and so we CAN'T drop it. I think
> > this bug is closable.
>
> To make things clear: we are talking about two issues here.
> The first one affects all previous versions, so 0.3.1 and 0.3.2 are affected
> and should be removed from portage. The second one was an incomplete fix in
> 0.3.5 and thus is mostly irrelevant for us, as we don't ship that.

right. done

  25 Mar 2014; Ian Delaney <idella4@gentoo.org> -python-gnupg-0.3.1-r1.ebuild,
  -python-gnupg-0.3.2.ebuild:
  rm old versions wrt sec Bug #500244 by hanno
Maintainer(s), Thank you for cleanup! No GLSA needed as there are no stable versions.