Bug#849698: jessie-pu: package python-crypto/2.6.1-5+deb8u1
Control: tags -1 + confirmed
On Tue, 2017-01-03 at 14:05 +0100, Sebastian Ramacher wrote:
> Hi
>
> On 2017-01-03 11:05:40, Sebastian Ramacher wrote:
> > On 2017-01-01 20:55:40, Sebastian Ramacher wrote:
[..]
> > > >
> > > > On Thu, 2016-12-29 at 23:15 +0100, Sebastian Ramacher wrote:
> > > > > I'd like to fix CVE-2013-7459 (#849495) in jessie via the next point release.
> > > > > The issue was marked as no-dsa.
> > > > >
> > > > > The proposed debdiff is attached. The same patch was applied to the package in
> > > > > unstable.
> > > >
> > > > + * Throw exception when IV is used with ECB or CTR (CVE-2013-7459)
[...]
> > Seems like python-paramiko broke in wheezy-lts (#850025). I will come back to
> > you once I've checked if stable is affected as well.
>
> New debdiff is attached. Instead of throwing an exception the IV is simply
> ignored and a warning is displayed.
The patch itself still refers to exceptions in its metadata, fwiw.
Please go ahead.
Regards,
Adam
Reply to: