Re: [SECURITY] [DLA 1283-1] python-crypto security update
Ola Lundqvist <ola@inguza.com> writes:
> Do we have a fix that solve the problem? If we do we can simply upload a
> new version with the fix and describe it accordingly.
> If it is fixed in some cases it may be considered fixed.
>
> I have not checked the details about this specific problem.
There are no known fixes.
Upstream argues that a fix is unnecessary, because the key
vulnerability is only a problem when using the encryption, which
"is not meant to be used by itself". Furthermore they say fixing this
will break "backward compatibility with PGP".
For full details, read the upstream bug report:
https://github.com/Legrandin/pycryptodome/issues/90
Or, put another way, upstream renamed the "encrypt" function to
"_encrypt" a while back to indicate this should not be used. I think it
really depends on your point of view if this is sufficient to fix a
security vulnerability in key creation (another function) when used
directly with encryption.
--
Brian May <bam@debian.org>