Hi! Our current dev-python/pycrypto-2.6.1-r2 is vulnerable to CVE-2018-6594 [1]. Rather than just patching [2] the issue [3], I would consider hard-masking the package for removal because it's dead [4] and unfixed upstream for 5 years [5] and the world is moving on to substitutes like dev-python/pycryptodome. What do you think?

Best,
Sebastian

[1] https://www.cvedetails.com/cve/CVE-2018-6594/
[2] https://github.com/dlitz/pycrypto/pull/256
[3] https://github.com/dlitz/pycrypto/issues/253
[4] https://github.com/dlitz/pycrypto/issues/238
[5] https://github.com/dlitz/pycrypto/commits/master
PS: Found the package in package.deprecated just now as well — https://cgit.gentoo.org/repo/gentoo.git/commit/?id=ce0d379f4bb4b1e1d32e927f5856df43a3a25ac6
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b6046bd7f9447639fb15fc6129c7b5581a863050

commit b6046bd7f9447639fb15fc6129c7b5581a863050
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-04-18 09:38:24 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-04-18 09:39:13 +0000

    package.mask: Last rite dev-python/pycrypto

    Bug: https://bugs.gentoo.org/703682
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 profiles/package.deprecated | 6 ------
 profiles/package.mask       | 6 ++++++
 2 files changed, 6 insertions(+), 6 deletions(-)
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=09301ae9f547c534d3120f2b24f376f7931b6ec6

commit 09301ae9f547c534d3120f2b24f376f7931b6ec6
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-05-23 09:28:17 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-05-23 09:29:27 +0000

    dev-python/pycrypto: Remove last-rited pkg

    Closes: https://bugs.gentoo.org/703682
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-python/pycrypto/Manifest                  |  1 -
 .../files/pycrypto-2.6.1-CVE-2013-7459.patch  | 88 ----------------------
 .../files/pycrypto-2.6.1-cross-compile.patch  | 13 ----
 dev-python/pycrypto/metadata.xml              | 34 ---------
 dev-python/pycrypto/pycrypto-2.6.1-r2.ebuild  | 76 -------------------
 profiles/base/package.use.mask                |  1 -
 profiles/package.mask                         |  6 --
 7 files changed, 219 deletions(-)
I'm sorry for accidentally closing it.
(In reply to Michał Górny from comment #4)
> I'm sorry for accidentally closing it.

No worries.

GLSA vote: yes
This issue was resolved and addressed in GLSA 202007-62 at https://security.gentoo.org/glsa/202007-62 by GLSA coordinator Sam James (sam_c).