A security issue was reported, fixed, and assigned a CVE, for python-rsa:
http://openwall.com/lists/oss-security/2016/01/05/3

The fix is linked in the message above. Mageia 5 is also affected.

CC: (none) => geiger.david68210
Whiteboard: (none) => MGA5TOO
security issue fixed now for Cauldron and mga5 too!! :)
Thanks David! This is the QA team's first 2016 CVE. Enjoy.

Advisory:
========================

Updated python-rsa packages fix security vulnerability:

A signature forgery vulnerability in python-rsa allows an attacker to fake signatures for arbitrary messages for any key with a low exponent "e", such as the common value of 3 (CVE-2016-1494).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1494
https://blog.filippo.io/bleichenbacher-06-signature-forgery-in-python-rsa/
http://openwall.com/lists/oss-security/2016/01/05/3
========================

Updated packages in core/updates_testing:
========================
python-rsa-3.1.4-6.1.mga5
python3-rsa-3.1.4-6.1.mga5

from python-rsa-3.1.4-6.1.mga5.src.rpm

Assignee: mageia => qa-bugs
Whiteboard: MGA5TOO => (none)
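The forgery class named in the advisory (Bleichenbacher '06, per the linked blog post) depends on a verifier that parses the decrypted signature block instead of comparing it with the one valid PKCS#1 v1.5 encoding. The following is an added example, not python-rsa's code and not part of this bug report; the function names, the SHA-256 choice and the 64-byte sample block are assumptions made for illustration.

```python
import hashlib
import hmac

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def digest_info(message: bytes) -> bytes:
    return SHA256_PREFIX + hashlib.sha256(message).digest()


def expected_block(message: bytes, size: int) -> bytes:
    """The single valid EMSA-PKCS1-v1_5 encoding for this message and block size."""
    pad_len = size - len(digest_info(message)) - 3
    if pad_len < 8:
        raise ValueError("block too small for SHA-256 DigestInfo")
    return b"\x00\x01" + b"\xff" * pad_len + b"\x00" + digest_info(message)


def lax_check(block: bytes, message: bytes) -> bool:
    """Simplified parsing verifier (hypothetical): checks the header, skips to
    the first 0x00 separator and compares what follows. Padding is never inspected."""
    if block[:2] != b"\x00\x01":
        return False
    sep = block.find(b"\x00", 2)
    return sep != -1 and block[sep + 1:] == digest_info(message)


def strict_check(block: bytes, message: bytes) -> bool:
    """Rebuild the expected block and compare every byte in constant time."""
    try:
        return hmac.compare_digest(block, expected_block(message, len(block)))
    except ValueError:
        return False


# Constructed sample: a 64-byte block, as for a 512-bit modulus.
MESSAGE = b"Tonight's the night"
GOOD = expected_block(MESSAGE, 64)
# Same block with the ten 0xFF padding bytes replaced by other non-zero bytes.
TAMPERED = GOOD[:2] + b"\x41" * 10 + GOOD[12:]

if __name__ == "__main__":
    for name, block in (("good", GOOD), ("tampered", TAMPERED)):
        print(name, "lax:", lax_check(block, MESSAGE),
              "strict:", strict_check(block, MESSAGE))
```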
mga5 x86_64 Mate

Had to read up on the use of RSA encryption and found some useful links but could not fully understand the mathematics involved. Wikipedia is a good start.

This little script is a very basic test of RSA in python. It runs fine both before and after the update.

    #!/bin/env python
    # Primitive Alice and Bob scenario using python-rsa
    # reference: https://stuvel.eu/files/python-rsa-doc/usage.html#generating-keys
    import rsa

    # Jim generates a keypair and gives Suzy the public key by some means.
    # The poolsize parameter allows the calculation to be speeded up if more than
    # one core is available. Leave it out if speed is not an issue.
    (publickey, privatekey) = rsa.newkeys( 512, poolsize=8 )

    # Suzy composes message as an encoded byte-string and encrypts it.
    message = "Tonight's the night".encode( 'utf8' )
    print( message )
    print( "-------------------" )
    crypted = rsa.encrypt( message, publickey )
    print( crypted )

    # ... Suzy sends message ...
    # ... Jim receives it and decodes it ...
    received = rsa.decrypt( crypted, privatekey )
    print( received.decode( 'utf8' ) )
    exit( )
CC: (none) => tarazed25
Whiteboard: (none) => MGA5-64-OK
mga5 i586 VM Mate

Used the script from comment #3 to test RSA encryption/decryption. Leaving validation to allow time for objections.
Whiteboard: MGA5-64-OK => MGA5-64-OK MGA5-32-OK
Keywords: (none) => validated_update
Whiteboard: MGA5-64-OK MGA5-32-OK => MGA5-64-OK MGA5-32-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0011.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/671636/