Fedora has issued an advisory on November 12: https://lists.fedoraproject.org/pipermail/package-announce/2015-November/171390.html

They also had to update python-cryptography-vectors to build it: https://lists.fedoraproject.org/pipermail/package-announce/2015-November/171389.html

I also noticed that what is supposed to be an apostrophe in the Description for python-cryptography-vectors is some Unicode character, so this should be fixed too.

Cauldron has already been updated to version 1.1 where the security issue is also fixed.
I don't see how to solve this with only patches to our mga5 version, too many commits involved, so I suggest to update to 1.0.2.
Not 100% sure that python-cryptography-0.7.2-1.mga5.src.rpm has this security issue, but in case, here are the updates in 5/testing:
python-cryptography-vectors-1.0.2-1.mga5
python-cryptography-1.0.2-1.mga5
and python-pyasn1-0.1.8-1.mga5 (because python-cryptography-1.0.2 needs python-pyasn1-0.1.8)

Packages in 5/testing:
python-cryptography-1.0.2-1.mga5.{x86_64,i586}
python3-cryptography-1.0.2-1.mga5.{x86_64,i586}
python-cryptography-vectors-1.0.2-1.mga5.noarch
python3-cryptography-vectors-1.0.2-1.mga5.noarch
python-pyasn1-0.1.8-1.mga5.noarch
python3-pyasn1-0.1.8-1.mga5.noarch
Assignee: makowski.mageia => security
Advisory:
========================

Updated python-cryptography packages fix security vulnerability:

The OpenSSL backend prior to 1.0.2 made extensive use of assertions to check response codes where our tests could not trigger a failure. However, when Python is run with -O these asserts are optimized away. If a user ran Python with this flag and got an invalid response code this could result in undefined behavior or worse (rhbz#1267548).

The python-cryptography and python-cryptography-vectors packages have been updated to version 1.0.2 and python-pyasn1 has been updated to version 0.1.8, fixing this issue.

References:
https://lists.fedoraproject.org/pipermail/package-announce/2015-November/171389.html
https://lists.fedoraproject.org/pipermail/package-announce/2015-November/171390.html
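Added example (not from this bug thread and not the python-cryptography project's own code) to make the advisory's point concrete: a status code checked with a bare assert disappears when Python runs with -O, so a failed library call is silently treated as success, whereas an ordinary conditional that raises survives every optimisation level. The check() functions and the "OpenSSL-style" return code convention (1 = success, 0 = failure) are constructed stand-ins; compile()'s optimize argument is used so the -O behaviour can be reproduced inside one process without restarting the interpreter.

```python
import sys

# Constructed stand-in for the pre-1.0.2 pattern the advisory describes:
# an OpenSSL-style return code (1 = success, 0 = failure) checked with a
# bare assert, which only exists while __debug__ is true.
ASSERT_STYLE = '''
def check(rc):
    assert rc == 1, "OpenSSL call failed"
    return "ok"
'''

# Hardened form: a normal conditional is kept at every optimisation level,
# so a bad status code is always turned into an exception.
EXPLICIT_STYLE = '''
def check(rc):
    if rc != 1:
        raise RuntimeError("OpenSSL call failed")
    return "ok"
'''


def build_checker(source, optimize):
    """Compile `source` as the interpreter would without -O (optimize=0)
    or with -O (optimize=1) and return the check() function it defines.
    compile()'s optimize=1 strips assert statements, exactly as the -O
    flag does for whole modules, independently of how this process runs."""
    namespace = {}
    code = compile(source, "<constructed>", "exec", optimize=optimize)
    exec(code, namespace)
    return namespace["check"]


def outcome(source, optimize, rc):
    """Run the compiled checker on status code rc and report what happened:
    'raised' if the bad status was caught, otherwise the value returned."""
    check = build_checker(source, optimize)
    try:
        return check(rc)
    except (AssertionError, RuntimeError):
        return "raised"


def compare_styles(rc):
    """Return a mapping of (style, flag) -> outcome for one status code."""
    return {
        ("assert", "no -O"): outcome(ASSERT_STYLE, 0, rc),
        ("assert", "-O"): outcome(ASSERT_STYLE, 1, rc),
        ("explicit", "no -O"): outcome(EXPLICIT_STYLE, 0, rc),
        ("explicit", "-O"): outcome(EXPLICIT_STYLE, 1, rc),
    }


if __name__ == "__main__":
    # A failing call (rc=0): the assert-style checker returns "ok" under -O,
    # i.e. the error goes unnoticed, which is the condition the advisory
    # warns about; the explicit check raises in both modes.
    for (style, flag), result in sorted(compare_styles(0).items()):
        print("{:8s} {:6s} -> {}".format(style, flag, result))
    print("this interpreter's own -O level:", sys.flags.optimize)
```

The table printed for rc=0 is the whole story: only the ("assert", "-O") row reports "ok" for a failed call. The same rule applies when reviewing any package that wraps a C library: assert is for invariants the code itself guarantees, never for validating a return value that the library controls.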
CC: (none) => makowski.mageia
Assignee: security => qa-bugs
Sorry, the following package cannot be selected:
- python-cryptography-1.0.2-1.mga5.i586 (due to unsatisfied pythonegg(2)(idna)[>= 2.0])
Whiteboard: (none) => feedback
Ouch, sorry, it seems we need to add python-idna to mga5; we have it only in mga6. What is the procedure?

But really I'm not sure that python-cryptography-0.7.2-1.mga5 is affected. Debian still provides the old, unpatched version in Jessie, for example.
Easiest method is to svn cp it from cauldron to updates/5. I'm not sure if the version we have is affected either, but given that we updated OpenSSL to 1.0.2 late in the Mageia 5 development cycle, it's probably best that this package be updated anyway, to ensure full compatibility.
python3-idna-2.0-1.mga5.noarch
python-idna-2.0-1.mga5.noarch
from: python-idna-2.0-1.mga5.src
are in 5/testing. Note these packages have self tests enabled and OK.
Whiteboard: feedback => (none)
Still failing ...

Sorry, the following package cannot be selected:
- python-cryptography-1.0.2-1.mga5.x86_64 (due to unsatisfied pythonegg(2)(ipaddress))
CC: (none) => davidwhodgins
Whiteboard: (none) => feedback
Sorry, python-ipaddress-1.0.15-1.mga5.noarch from: python-ipaddress-1.0.15-1.mga5.src is in 5/testing.
And another one ...

Sorry, the following package cannot be selected:
- python-cryptography-1.0.2-1.mga5.x86_64 (due to unsatisfied pythonegg(2)(cffi)[>= 1.1.0])
It might help to try installing this on a livedvd or a clean mga5 VM, Philippe.
python-cffi-doc-1.1.2-1.mga5.noarch
python3-cffi-1.1.2-1.mga5.i586
python3-cffi-1.1.2-1.mga5.x86_64
python-cffi-1.1.2-1.mga5.i586
python-cffi-1.1.2-1.mga5.x86_64
from: python-cffi-1.1.2-1.mga5.src
are in 5/testing
MGA5-32 on Acer D620 Xfce.
The system already had the older packages installed. I first installed the packages mentioned in Comment 12, then installed the versions as per Comment 2, no issues.
How to exercise these?
CC: (none) => herman.viaene
Check it can be imported correctly Herman.
http://cryptography.readthedocs.org/en/stable/doing-a-release/#verifying-the-release

eg.
>>> import cryptography
>>> cryptography.__version__
'...'
>>> import cryptography_vectors
>>> cryptography_vectors.__version__
'...'
I had to install python-pip to run the command as per Comment 1. That is version 6.1.1 on the repos.

I get at the CLI:

]# pip install cryptography
You are using pip version 6.1.1, however version 7.1.2 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.
Requirement already satisfied (use --upgrade to upgrade): cryptography in /usr/lib/python2.7/site-packages
Requirement already satisfied (use --upgrade to upgrade): idna>=2.0 in /usr/lib/python2.7/site-packages (from cryptography)
Requirement already satisfied (use --upgrade to upgrade): pyasn1>=0.1.8 in /usr/lib/python2.7/site-packages (from cryptography)
Requirement already satisfied (use --upgrade to upgrade): six>=1.4.1 in /usr/lib/python2.7/site-packages (from cryptography)
Requirement already satisfied (use --upgrade to upgrade): setuptools in /usr/lib/python2.7/site-packages (from cryptography)
Requirement already satisfied (use --upgrade to upgrade): enum34 in /usr/lib/python2.7/site-packages (from cryptography)
Requirement already satisfied (use --upgrade to upgrade): ipaddress in /usr/lib/python2.7/site-packages (from cryptography)
Requirement already satisfied (use --upgrade to upgrade): cffi>=1.1.0 in /usr/lib/python2.7/site-packages (from cryptography)
Requirement already satisfied (use --upgrade to upgrade): pycparser in /usr/lib/python2.7/site-packages (from cffi>=1.1.0->cryptography)

[root@xxx ~]# pip install --upgrade pip
You are using pip version 6.1.1, however version 7.1.2 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.
Collecting pip
  Downloading pip-7.1.2-py2.py3-none-any.whl (1.1MB)
    100% |████████████████████████████████| 1.1MB 107kB/s
Installing collected packages: pip
  Found existing installation: pip 6.1.1
    Uninstalling pip-6.1.1:
      Successfully uninstalled pip-6.1.1
Successfully installed pip-7.1.2

[root@xxxx ~]# pip install cryptography
Requirement already satisfied (use --upgrade to upgrade): cryptography in /usr/lib/python2.7/site-packages
Requirement already satisfied (use --upgrade to upgrade): idna>=2.0 in /usr/lib/python2.7/site-packages (from cryptography)
Requirement already satisfied (use --upgrade to upgrade): pyasn1>=0.1.8 in /usr/lib/python2.7/site-packages (from cryptography)
Requirement already satisfied (use --upgrade to upgrade): six>=1.4.1 in /usr/lib/python2.7/site-packages (from cryptography)
Requirement already satisfied (use --upgrade to upgrade): setuptools in /usr/lib/python2.7/site-packages (from cryptography)
Requirement already satisfied (use --upgrade to upgrade): enum34 in /usr/lib/python2.7/site-packages (from cryptography)
Requirement already satisfied (use --upgrade to upgrade): ipaddress in /usr/lib/python2.7/site-packages (from cryptography)
Requirement already satisfied (use --upgrade to upgrade): cffi>=1.1.0 in /usr/lib/python2.7/site-packages (from cryptography)
Requirement already satisfied (use --upgrade to upgrade): pycparser in /usr/lib/python2.7/site-packages (from cffi>=1.1.0->cryptography)

Seems OK to me?
Ahh that's an oops Herman. Pip installs the upstream version directly, rather than our package. You can pip uninstall it in the same way.

Use eg.

# urpmi python-cryptography
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release      Arch
(medium "Core Updates Testing")
  python-cffi                    1.1.2        1.mga5       x86_64
  python-cryptography            1.0.2        1.mga5       x86_64
  python-idna                    2.0          1.mga5       noarch
  python-ipaddress               1.0.15       1.mga5       noarch
  python-pyasn1                  0.1.8        1.mga5       noarch
142KB of additional disk space will be used.
790KB of packages will be retrieved.
Proceed with the installation of the 5 packages? (Y/n) y

then test with..

$ python
Python 2.7.9 (default, Dec 14 2014, 10:12:16)
[GCC 4.9.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import cryptography
>>> cryptography.__version__
'1.0.2'
>>> exit()
$

Also try http://cryptography.readthedocs.org/en/latest/fernet/

$ python
Python 2.7.9 (default, Dec 14 2014, 10:12:16)
[GCC 4.9.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> from cryptography.fernet import Fernet
>>> key = Fernet.generate_key()
>>> f = Fernet(key)
>>> token = f.encrypt(b"my deep dark secret")
>>> token
'gAAAAABWWDFCyETQFFQzpGOOGYBMT5bsFvW0ar71oFK9u9qc_DYR1U_Eh-zZcdiHSWFp1w6NeaeBOtJsIUIYCwCdhlfKIO1q03I0LD8dyOJ82jgG1yY4h1k='
>>> f.decrypt(token)
'my deep dark secret'
>>> exit()

Testing complete mga5 65
Whiteboard: (none) => has_procedure mga5-64-ok
Testing complete mga5 32
Same tests as comment 16.

Validating. Please push to 5 updates. Thanks
Keywords: (none) => validated_update
Whiteboard: has_procedure mga5-64-ok => has_procedure mga5-64-ok mga5-32-ok
CC: (none) => sysadmin-bugs
Advisory added to svn using srpms
python-cryptography-1.0.2-1.mga5
python-cryptography-vectors-1.0.2-1.mga5
python-pyasn1-0.1.8-1.mga5
python-idna-2.0-1.mga5
python-ipaddress-1.0.15-1.mga5
python-cffi-1.1.2-1.mga5
Whiteboard: has_procedure mga5-64-ok mga5-32-ok => has_procedure mga5-64-ok mga5-32-ok advisory
Thanks Dave
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0460.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED