Bug 19736

Summary: python-cryptography new security issue fixed upstream in 1.5.3 (CVE-2016-9243)
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: lewyssmith, sysadmin-bugs, tarazed25
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/706400/
Whiteboard: MGA5-64-OK MGA5-32-OK advisory
Source RPM: python-cryptography-1.5.2-1.mga6.src.rpm CVE:
Status comment:

Description David Walser 2016-11-08 14:42:19 CET 
A security issue fixed upstream in python-cryptography has been announced:
http://openwall.com/lists/oss-security/2016/11/08/6

I don't know if the version in Mageia 5 is affected.
Comment 1 David Walser 2016-11-09 15:35:17 CET 
CVE-2016-9243 has been assigned:
http://openwall.com/lists/oss-security/2016/11/09/2

Summary: python-cryptography new security issue fixed upstream in 1.5.3 => python-cryptography new security issue fixed upstream in 1.5.3 (CVE-2016-9243)

Comment 2 Philippe Makowski 2016-11-11 13:22:18 CET 
Cauldron freeze push asked for 1.5.3

python3-cryptography-1.0.2-1.1.mga5 and python-cryptography-1.0.2-1.1.mga5 are in core/updates_testing

Updated python-cryptography and python3-cryptography packages fix security vulnerabilities

This update fix CVE-2016-9243

- Fixed a bug where HKDF would return an empty byte-string if used with a length less than algorithm.digest_size.

ref:
http://openwall.com/lists/oss-security/2016/11/09/2
https://cryptography.io/en/latest/changelog/#id1


note to qa, since the packages run a full test suite, a simple testing update should be ok, with a :
python -c 'import cryptography;print(cryptography.__version__)'

Assignee: makowski.mageia => qa-bugs

David Walser 2016-11-11 14:33:55 CET

Version: Cauldron => 5

Comment 3 Len Lawrence 2016-11-11 15:37:04 CET 
Just waiting for the mirrors to update.  To be installed on x86_64.

CC: (none) => tarazed25

Comment 4 Len Lawrence 2016-11-11 17:31:10 CET 
Installed the updates and ran the command as posted in comment #2.
$ python -c 'import cryptography;print(cryptography.__version__)'
1.0.2
$ python3 -c 'import cryptography;print(cryptography.__version__)'
1.0.2

If that is all that is required it can be given the OK.
Len Lawrence 2016-11-11 17:31:34 CET

Whiteboard: (none) => MGA5-64-OK

Comment 5 Len Lawrence 2016-11-11 23:22:01 CET 
This installed cleanly in i586 virtualbox and the commandline query returned the version number for python and python3.
Len Lawrence 2016-11-11 23:22:16 CET

Whiteboard: MGA5-64-OK => MGA5-64-OK MGA5-32-OK

Comment 6 Lewis Smith 2016-11-12 15:18:13 CET 
(In reply to Philippe Makowski from comment #2)
> Cauldron freeze push asked for 1.5.3
> python3-cryptography-1.0.2-1.1.mga5 and python-cryptography-1.0.2-1.1.mga5
> are in core/updates_testing
@ Philippe For the Advisory, please can you cite the actual SRPM and its version?
I would guess 'python-cryptography-1.0.2-1.1.mga5.src.rpm' but I would rather not guess wrong.
As for the rest, Comment 2 has all the necessary info, thanks.
TIA

CC: (none) => lewyssmith

Comment 7 David Walser 2016-11-12 15:42:05 CET 
Lewis, you got the SRPM name right.  Philippe is no longer watching this bug.
Comment 8 Lewis Smith 2016-11-12 16:38:07 CET 
Thanks to Len for rapid tests; and to David for SRPM confirmation..
Advisory based on Comments 2 & 6 uploaded. Update validated.

Keywords: (none) => validated_update
Whiteboard: MGA5-64-OK MGA5-32-OK => MGA5-64-OK MGA5-32-OK advisory
CC: (none) => sysadmin-bugs

Comment 9 Mageia Robot 2016-11-14 08:09:32 CET 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0377.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2016-11-14 19:35:43 CET

URL: (none) => http://lwn.net/Vulnerabilities/706400/