| Summary: | python-pycrypto new security issue CVE-2012-2417 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | normal | ||
| Priority: | Normal | CC: | stormi-mageia, sysadmin-bugs, tmb |
| Version: | 2 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/500169/ | ||
| Whiteboard: | MGA1TOO has_procedure MGA1-64-OK MGA1-32-OK mga2-64-OK mga2-32-OK | ||
| Source RPM: | python-pycrypto-2.3-2.mga1.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2012-07-27 15:20:19 CEST
David Walser
2012-07-27 15:20:27 CEST
Whiteboard:
(none) =>
MGA2TOO, MGA1TOO

Patched package uploaded for Mageia 1, Mageia 2, and Cauldron.

Advisory:
========================

Updated python-pycrypto package fixes security vulnerability:

PyCrypto before 2.6 does not produce appropriate prime numbers when using an ElGamal scheme to generate a key, which reduces the signature space or public key space and makes it easier for attackers to conduct brute force attacks to obtain the private key (CVE-2012-2417).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2417
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:117
========================

Updated packages in core/updates_testing:
========================
python-pycrypto-2.3-2.1.mga1
python-pycrypto-2.3-2.1.mga2

from SRPMS:
python-pycrypto-2.3-2.1.mga1.src.rpm
python-pycrypto-2.3-2.1.mga2.src.rpm

Version:
Cauldron =>
2
David Walser
2012-07-27 20:16:35 CEST
URL:
(none) =>
http://lwn.net/Vulnerabilities/500169/

Note that according to https://bugs.launchpad.net/pycrypto/+bug/985164 people have to re-generate their keys. How could we address that?

CC:
(none) =>
stormi

Thanks Samuel. We should address that in the advisory. Updating it.

Advisory:
========================

Updated python-pycrypto package fixes security vulnerability:

PyCrypto before 2.6 does not produce appropriate prime numbers when using an ElGamal scheme to generate a key, which reduces the signature space or public key space and makes it easier for attackers to conduct brute force attacks to obtain the private key (CVE-2012-2417).

Note: any ElGamal keys that have previously been generated by PyCrypto should be regenerated after installing this update.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2417
http://www.ubuntu.com/usn/usn-1484-1/
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:117
========================

Updated packages in core/updates_testing:
========================
python-pycrypto-2.3-2.1.mga1
python-pycrypto-2.3-2.1.mga2

from SRPMS:
python-pycrypto-2.3-2.1.mga1.src.rpm
python-pycrypto-2.3-2.1.mga2.src.rpm

The script at http://www.python-forum.org/pythonforum/viewtopic.php?p=26379 uses ElGamal if I understood correctly.

On Mageia 1 64 bits, running it with the version of python-pycrypto from release and from updates_testing gives the same result: it deciphers the hello world message with success. Does anyone know how to test better, and in particular how to check the security fix?

(In reply to comment #4)
> The script at http://www.python-forum.org/pythonforum/viewtopic.php?p=26379
> uses ElGamal if I understood correctly.
>
> On Mageia 1 64 bits, running it with the version of python-pycrypto from
> release and from updates_testing gives the same result: it deciphers the hello
> world message with success. Does anyone know how to test better, and in particular
> how to check the security fix?

Find someone that understands ElGamal encryption to decipher this:
https://bugs.launchpad.net/pycrypto/+bug/985164/comments/5

It almost looks understandable to me as I've taken Number Theory and Coding Theory and studied RSA encryption, but that was a few years ago :o)

(In reply to comment #5)
> (In reply to comment #4)
> > The script at http://www.python-forum.org/pythonforum/viewtopic.php?p=26379
> > uses ElGamal if I understood correctly.
> >
> > On Mageia 1 64 bits, running it with the version of python-pycrypto from
> > release and from updates_testing gives the same result: it deciphers the hello
> > world message with success. Does anyone know how to test better, and in particular
> > how to check the security fix?
>
> Find someone that understands ElGamal encryption to decipher this:
> https://bugs.launchpad.net/pycrypto/+bug/985164/comments/5
>
> It almost looks understandable to me as I've taken Number Theory and Coding
> Theory and studied RSA encryption, but that was a few years ago :o)

Ouch, I guess sometimes we just have to trust upstream. We can't give hours checking that every security issue is actually fixed, given our current resources :)
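The question raised in comments 4 to 6 is how to check the fix itself rather than only that a script still decrypts. The following is an added example for this report, not code from PyCrypto, from the Mageia package, or from anyone in the thread. It shows the parameter check a practitioner can run on a key's p and g, and why a functional round trip cannot see the flaw: under weak parameters "hello world" still decrypts, yet an equivalent private key is recovered by a tiny brute force, which is the reduced key space the advisory describes. The two properties it checks (p is a safe prime p = 2q+1 and g generates all of Z_p^*) are the standard requirements for ElGamal parameters, and to my knowledge what upstream moved to in 2.6; the code is an independent implementation, not upstream's. The primes 2521 and 2879 and the secret/nonce values are constructed toy sizes so that the block runs offline, and passing a PyCrypto key's `key.p` and `key.g` to `check_elgamal_params` is an assumption about attribute names, not something the bug report states.

```python
"""ElGamal parameter checks of the kind CVE-2012-2417 is about.

Added example for this bug report; not PyCrypto's or the Mageia package's
code.  Pure Python on small constructed parameters, so it runs offline.
"""

# Bases that make Miller-Rabin deterministic for n < 3.3e24; far more than
# the toy sizes used here need.
_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n):
    """Deterministic Miller-Rabin for the sizes used in this example."""
    if n < 2:
        return False
    for b in _MR_BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def prime_factors(n):
    """Trial-division factorisation: only viable for toy-sized n, used here
    to measure the subgroup a weak g actually generates."""
    factors, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            factors.add(d)
            n //= d
        d += 1
    if n > 1:
        factors.add(n)
    return factors


def element_order(g, p):
    """Multiplicative order of g in Z_p^*, i.e. |<g>|.  With a weak g this,
    not p-1, is the effective public-key space."""
    order = p - 1
    for q in prime_factors(p - 1):
        while order % q == 0 and pow(g, order // q, p) == 1:
            order //= q
    return order


def check_elgamal_params(p, g):
    """Return (ok, reasons).  ok only if p is a safe prime and g generates
    the whole group.  For a safe prime p = 2q+1 the order of g is p-1
    exactly when g^2 != 1 and g^q != 1 (mod p), so no factoring is needed."""
    reasons = []
    if not is_prime(p):
        return False, ["p is not prime"]
    q = (p - 1) // 2
    if not is_prime(q):
        reasons.append("p is not a safe prime: (p-1)/2 is composite")
    if not 1 < g < p - 1:
        reasons.append("g must lie in [2, p-2]")
    elif not reasons and (pow(g, 2, p) == 1 or pow(g, q, p) == 1):
        reasons.append("g does not generate Z_p^* (order 2 or q)")
    return (not reasons), reasons


def elgamal_encrypt(p, g, y, m, k):
    """Textbook ElGamal: (c1, c2) = (g^k, m * y^k) mod p."""
    return pow(g, k, p), (m * pow(y, k, p)) % p


def elgamal_decrypt(p, x, c1, c2):
    """m = c2 * c1^-x mod p; c1^-x == c1^(p-1-x) by Fermat since c1 != 0."""
    return (c2 * pow(c1, p - 1 - x, p)) % p


def recover_equivalent_private_key(p, g, y, limit):
    """Brute-force x' with g^x' == y.  Any such x' decrypts exactly like the
    real x, so when <g> is small the search costs ord(g) steps, not p-1."""
    acc = 1
    for x_guess in range(1, limit + 1):
        acc = (acc * g) % p
        if acc == y:
            return x_guess
    return None


# Constructed weak parameters: 2521 is prime but 2520 = 2^3 * 3^2 * 5 * 7, so
# p is not a safe prime; g = 2^(2520/8) mod p has order dividing 8.
P_WEAK = 2521
G_WEAK = pow(2, (P_WEAK - 1) // 8, P_WEAK)

# Constructed sound parameters: 2879 = 2*1439 + 1 with 1439 prime, and 7 is a
# quadratic non-residue mod 2879, hence a generator of order 2878.
P_SAFE, G_SAFE = 2879, 7


def demo_weak_key(x=1801, k=977, m=42):
    """Derive y from a 'large' secret x under weak (p, g), recover an
    equivalent secret by brute force, and decrypt a ciphertext with it."""
    y = pow(G_WEAK, x, P_WEAK)
    x_equiv = recover_equivalent_private_key(P_WEAK, G_WEAK, y, limit=8)
    c1, c2 = elgamal_encrypt(P_WEAK, G_WEAK, y, m, k)
    return x_equiv, elgamal_decrypt(P_WEAK, x_equiv, c1, c2)


if __name__ == "__main__":
    print("weak params:", check_elgamal_params(P_WEAK, G_WEAK))
    print("order of weak g:", element_order(G_WEAK, P_WEAK))
    print("sound params:", check_elgamal_params(P_SAFE, G_SAFE))
    print("order of sound g:", element_order(G_SAFE, P_SAFE))
    print("recovered x', decrypted m:", demo_weak_key())
```

Two points the toy sizes make visible. First, the round trip in `demo_weak_key` succeeds for both the real x and the recovered x', which is why the comment 4 script behaves identically before and after the update: decryption only exercises g^x, never the size of the group g generates. Second, `element_order` has to factor p-1 and is only feasible here because the numbers are tiny; with a safe prime the factorisation of p-1 is known (2 and q), so `check_elgamal_params` needs just two modular exponentiations, which is the practical reason safe primes are used for this scheme. Note that even with a safe p, `check_elgamal_params(P_SAFE, 2)` fails, since 2 is a quadratic residue mod 2879 and generates only the subgroup of order q.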
Samuel Verschelde
2012-07-31 15:03:18 CEST
Whiteboard:
MGA1TOO =>
MGA1TOO MGA1-64-OK
Samuel Verschelde
2012-07-31 15:03:34 CEST
Whiteboard:
MGA1TOO MGA1-64-OK =>
MGA1TOO has_procedure MGA1-64-OK

Testing following the comment #4 procedure complete on Mageia 1 32 bits. Still feel free to improve the procedure; I'll be glad to do more tests, but for the time being I consider it tested for this arch.

Whiteboard:
MGA1TOO has_procedure MGA1-64-OK =>
MGA1TOO has_procedure MGA1-64-OK MGA1-32-OK

Testing complete mga2 x86_64 using script from comment 4.

Hardware:
i586 =>
All

Testing complete mga2 i586 same way. Validating. Please see comment 3 for advisory and srpms for mga1 and 2. Could sysadmin please push from core/updates_testing to core/updates, thanks!

Keywords:
(none) =>
validated_update

Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0194

Status:
NEW =>
RESOLVED