| Summary: | python-cryptography new security issue fixed in 1.0.2 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | davidwhodgins, herman.viaene, makowski.mageia, sysadmin-bugs |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/664370/ | ||
| Whiteboard: | has_procedure mga5-64-ok mga5-32-ok advisory | ||
| Source RPM: | python-cryptography-0.7.2-1.mga5.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2015-11-13 16:28:57 CET
I don't see how to solve this with only patches to our mga5 version, too many commits involved. So I suggest updating to 1.0.2. Not 100% sure that python-cryptography-0.7.2-1.mga5.src.rpm has this security issue, but in case, here are the updates in 5/testing:
python-cryptography-vectors-1.0.2-1.mga5
python-cryptography-1.0.2-1.mga5
and python-pyasn1-0.1.8-1.mga5 (because python-cryptography-1.0.2 needs python-pyasn1-0.1.8)

Packages in 5/testing:
python-cryptography-1.0.2-1.mga5.{x86_64,i586}
python3-cryptography-1.0.2-1.mga5.{x86_64,i586}
python-cryptography-vectors-1.0.2-1.mga5.noarch
python3-cryptography-vectors-1.0.2-1.mga5.noarch
python-pyasn1-0.1.8-1.mga5.noarch
python3-pyasn1-0.1.8-1.mga5.noarch

Assignee: makowski.mageia => security

Advisory:
========================

Updated python-cryptography packages fix security vulnerability:

The OpenSSL backend prior to 1.0.2 made extensive use of assertions to check response codes where our tests could not trigger a failure. However, when Python is run with -O these asserts are optimized away. If a user ran Python with this flag and got an invalid response code this could result in undefined behavior or worse (rhbz#1267548).

The python-cryptography and python-cryptography-vectors packages have been updated to version 1.0.2 and python-pyasn1 has been updated to version 0.1.8, fixing this issue.

References:
https://lists.fedoraproject.org/pipermail/package-announce/2015-November/171389.html
https://lists.fedoraproject.org/pipermail/package-announce/2015-November/171390.html

CC: (none) => makowski.mageia

Sorry, the following package cannot be selected:
- python-cryptography-1.0.2-1.mga5.i586 (due to unsatisfied pythonegg(2)(idna)[>= 2.0])
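The advisory above describes response-code checks written as `assert` that vanish when the interpreter runs with -O. The following added example (not code from this bug report or from the cryptography project; `fake_openssl_call`, `check_with_assert`, `check_with_exception` and `run_check` are assumed names, and the backend call is a stand-in that returns a status code rather than calling OpenSSL) shows the pattern in miniature: each checker is run against a failing call in a child interpreter, with and without -O, to see which check survives.

```python
"""Added example (not from the Mageia bug or the cryptography project):
why "asserts are optimized away under -O" is a security defect.

A stand-in for an OpenSSL-style backend call returns 1 on success and 0 on
failure, the kind of response code the advisory talks about. Two checkers
are defined: one using assert (the pre-1.0.2 pattern) and one raising an
explicit exception. Each is run in a child interpreter with and without -O.
"""
import subprocess
import sys

# The checkers live in a string so the very same source can be executed in
# this process and handed unchanged to a child interpreter via "-c".
# All names here are hypothetical; fake_openssl_call only models a backend
# function that reports failure through a return code.
CHECKER_SRC = '''
def fake_openssl_call(fail):
    """Return 0 to simulate an OpenSSL error, 1 for success."""
    return 0 if fail else 1

def check_with_assert(fail):
    """Pre-1.0.2 style: the check is compiled out when Python runs with -O."""
    res = fake_openssl_call(fail)
    assert res == 1, "backend call failed"
    return "continued"

def check_with_exception(fail):
    """Hardened style: an explicit test is never optimized away."""
    res = fake_openssl_call(fail)
    if res != 1:
        raise RuntimeError("backend call failed")
    return "continued"
'''

_ns = {}
exec(CHECKER_SRC, _ns)
check_with_assert = _ns["check_with_assert"]
check_with_exception = _ns["check_with_exception"]


def run_check(func_name, optimize):
    """Run one checker against a failing backend call in a fresh interpreter.

    Returns "caught: ..." if the bad response code was detected, or
    "continued" if execution silently carried on past the failed call.
    """
    driver = CHECKER_SRC + (
        "try:\n"
        f"    print({func_name}(fail=True))\n"
        "except (AssertionError, RuntimeError) as exc:\n"
        "    print('caught:', exc)\n"
    )
    argv = [sys.executable] + (["-O"] if optimize else []) + ["-c", driver]
    done = subprocess.run(argv, capture_output=True, text=True, check=True)
    return done.stdout.strip()


def survey():
    """Compare both checkers with and without -O.

    Returns {(checker name, ran with -O?): outcome string}.
    """
    results = {}
    for name in ("check_with_assert", "check_with_exception"):
        for optimize in (False, True):
            results[(name, optimize)] = run_check(name, optimize)
    return results


if __name__ == "__main__":
    for (name, optimize), outcome in survey().items():
        flag = "python -O" if optimize else "python   "
        print(f"{flag}  {name:22s} -> {outcome}")
```

Running the block prints four lines; the only one that reads "continued" is the assert-based checker under `python -O`, which is exactly the silent failure the advisory warns about. The fix in 1.0.2 amounts to replacing that assert with an explicit test and exception, as the second checker does.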
claire robinson
2015-11-17 18:46:09 CET
Whiteboard: (none) => feedback

Ouch, sorry, it seems we need to add python-idna to mga5; we have it only in mga6. What is the procedure? But really I'm not sure that python-cryptography-0.7.2-1.mga5 is affected. Debian still provides the old and unpatched version in Jessie, for example.

Easiest method is to svn cp it from cauldron to updates/5.

I'm not sure if the version we have is affected either, but given that we updated OpenSSL to 1.0.2 late in the Mageia 5 development cycle, it's probably best that this package be updated anyway, to ensure full compatibility.

python3-idna-2.0-1.mga5.noarch
python-idna-2.0-1.mga5.noarch
from: python-idna-2.0-1.mga5.src
are in 5/testing. Note these packages have self tests enabled and OK.
David Walser
2015-11-18 22:09:42 CET
Whiteboard: feedback => (none)

Still failing ...
Sorry, the following package cannot be selected:
- python-cryptography-1.0.2-1.mga5.x86_64 (due to unsatisfied pythonegg(2)(ipaddress))

CC: (none) => davidwhodgins

Sorry, python-ipaddress-1.0.15-1.mga5.noarch
from: python-ipaddress-1.0.15-1.mga5.src
is in 5/testing.

Whiteboard: feedback => (none)

And another one ...
Sorry, the following package cannot be selected:
- python-cryptography-1.0.2-1.mga5.x86_64 (due to unsatisfied pythonegg(2)(cffi)[>= 1.1.0])

It might help to try installing this on a livedvd or clean mga5 VM, Philippe.

python-cffi-doc-1.1.2-1.mga5.noarch
python3-cffi-1.1.2-1.mga5.i586
python3-cffi-1.1.2-1.mga5.x86_64
python-cffi-1.1.2-1.mga5.i586
python-cffi-1.1.2-1.mga5.x86_64
from: python-cffi-1.1.2-1.mga5.src
are in 5/testing.

MGA5-32 on Acer D620 Xfce.
The system already had the older packages installed. I first installed the packages mentioned in Comment 12, then installed the versions as per Comment 2, no issues. How to exercise these?????

CC: (none) => herman.viaene

Check it can be imported correctly, Herman.
http://cryptography.readthedocs.org/en/stable/doing-a-release/#verifying-the-release
eg.
>>> import cryptography
>>> cryptography.__version__
'...'
>>> import cryptography_vectors
>>> cryptography_vectors.__version__
'...'

I had to install python-pip to run the command as per Comment 1. That is version 6.1.1 in the repos. I get at the CLI:
]# pip install cryptography
You are using pip version 6.1.1, however version 7.1.2 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.
Requirement already satisfied (use --upgrade to upgrade): cryptography in /usr/lib/python2.7/site-packages
Requirement already satisfied (use --upgrade to upgrade): idna>=2.0 in /usr/lib/python2.7/site-packages (from cryptography)
Requirement already satisfied (use --upgrade to upgrade): pyasn1>=0.1.8 in /usr/lib/python2.7/site-packages (from cryptography)
Requirement already satisfied (use --upgrade to upgrade): six>=1.4.1 in /usr/lib/python2.7/site-packages (from cryptography)
Requirement already satisfied (use --upgrade to upgrade): setuptools in /usr/lib/python2.7/site-packages (from cryptography)
Requirement already satisfied (use --upgrade to upgrade): enum34 in /usr/lib/python2.7/site-packages (from cryptography)
Requirement already satisfied (use --upgrade to upgrade): ipaddress in /usr/lib/python2.7/site-packages (from cryptography)
Requirement already satisfied (use --upgrade to upgrade): cffi>=1.1.0 in /usr/lib/python2.7/site-packages (from cryptography)
Requirement already satisfied (use --upgrade to upgrade): pycparser in /usr/lib/python2.7/site-packages (from cffi>=1.1.0->cryptography)
[root@xxx ~]# pip install --upgrade pip
You are using pip version 6.1.1, however version 7.1.2 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.
Collecting pip
  Downloading pip-7.1.2-py2.py3-none-any.whl (1.1MB)
    100% |████████████████████████████████| 1.1MB 107kB/s
Installing collected packages: pip
  Found existing installation: pip 6.1.1
    Uninstalling pip-6.1.1:
      Successfully uninstalled pip-6.1.1
Successfully installed pip-7.1.2
[root@xxxx ~]# pip install cryptography
Requirement already satisfied (use --upgrade to upgrade): cryptography in /usr/lib/python2.7/site-packages
Requirement already satisfied (use --upgrade to upgrade): idna>=2.0 in /usr/lib/python2.7/site-packages (from cryptography)
Requirement already satisfied (use --upgrade to upgrade): pyasn1>=0.1.8 in /usr/lib/python2.7/site-packages (from cryptography)
Requirement already satisfied (use --upgrade to upgrade): six>=1.4.1 in /usr/lib/python2.7/site-packages (from cryptography)
Requirement already satisfied (use --upgrade to upgrade): setuptools in /usr/lib/python2.7/site-packages (from cryptography)
Requirement already satisfied (use --upgrade to upgrade): enum34 in /usr/lib/python2.7/site-packages (from cryptography)
Requirement already satisfied (use --upgrade to upgrade): ipaddress in /usr/lib/python2.7/site-packages (from cryptography)
Requirement already satisfied (use --upgrade to upgrade): cffi>=1.1.0 in /usr/lib/python2.7/site-packages (from cryptography)
Requirement already satisfied (use --upgrade to upgrade): pycparser in /usr/lib/python2.7/site-packages (from cffi>=1.1.0->cryptography)
Seems OK to me????

Ahh, that's an oops, Herman. Pip installs the upstream version directly, rather than our package. You can pip uninstall it in the same way.

Use eg.
# urpmi python-cryptography
To satisfy dependencies, the following packages are going to be installed:
  Package                 Version    Release    Arch
(medium "Core Updates Testing")
  python-cffi             1.1.2      1.mga5     x86_64
  python-cryptography     1.0.2      1.mga5     x86_64
  python-idna             2.0        1.mga5     noarch
  python-ipaddress        1.0.15     1.mga5     noarch
  python-pyasn1           0.1.8      1.mga5     noarch
142KB of additional disk space will be used.
790KB of packages will be retrieved.
Proceed with the installation of the 5 packages? (Y/n) y

then test with..
$ python
Python 2.7.9 (default, Dec 14 2014, 10:12:16)
[GCC 4.9.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import cryptography
>>> cryptography.__version__
'1.0.2'
>>> exit()
$

Also try http://cryptography.readthedocs.org/en/latest/fernet/
$ python
Python 2.7.9 (default, Dec 14 2014, 10:12:16)
[GCC 4.9.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> from cryptography.fernet import Fernet
>>> key = Fernet.generate_key()
>>> f = Fernet(key)
>>> token = f.encrypt(b"my deep dark secret")
>>> token
'gAAAAABWWDFCyETQFFQzpGOOGYBMT5bsFvW0ar71oFK9u9qc_DYR1U_Eh-zZcdiHSWFp1w6NeaeBOtJsIUIYCwCdhlfKIO1q03I0LD8dyOJ82jgG1yY4h1k='
>>> f.decrypt(token)
'my deep dark secret'
>>> exit()

Testing complete mga5 64

Whiteboard: (none) => has_procedure mga5-64-ok

Testing complete mga5 32
Same tests as comment 16. Validating. Please push to 5 updates. Thanks

Keywords: (none) => validated_update

Advisory added to svn using srpms
python-cryptography-1.0.2-1.mga5
python-cryptography-vectors-1.0.2-1.mga5
python-pyasn1-0.1.8-1.mga5
python-idna-2.0-1.mga5
python-ipaddress-1.0.15-1.mga5
python-cffi-1.1.2-1.mga5

Whiteboard: has_procedure mga5-64-ok mga5-32-ok => has_procedure mga5-64-ok mga5-32-ok advisory

Thanks Dave

An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2015-0460.html

Status: NEW => RESOLVED