A security issue fixed upstream in python-cryptography has been announced:
http://openwall.com/lists/oss-security/2016/11/08/6
I don't know if the version in Mageia 5 is affected.
CVE-2016-9243 has been assigned: http://openwall.com/lists/oss-security/2016/11/09/2
Summary: python-cryptography new security issue fixed upstream in 1.5.3 => python-cryptography new security issue fixed upstream in 1.5.3 (CVE-2016-9243)
Cauldron freeze push asked for 1.5.3
python3-cryptography-1.0.2-1.1.mga5 and python-cryptography-1.0.2-1.1.mga5 are in core/updates_testing
Updated python-cryptography and python3-cryptography packages fix security vulnerabilities
This update fixes CVE-2016-9243 - Fixed a bug where HKDF would return an empty byte-string if used with a length less than algorithm.digest_size.
ref:
http://openwall.com/lists/oss-security/2016/11/09/2
https://cryptography.io/en/latest/changelog/#id1
Note to QA: since the packages run a full test suite, a simple testing update should be OK, with a:
python -c 'import cryptography;print(cryptography.__version__)'
Assignee: makowski.mageia => qa-bugs
Version: Cauldron => 5
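The HKDF behaviour named in the advisory text above can be checked functionally as well as by version string. The following Python 3 sketch is an added example, not part of the original bug report or of python-cryptography: it compares a derive function against a standard-library RFC 5869 reference for every length up to digest_size + 1. The helper names and `symptom_stand_in` are hypothetical, and `library_derive` assumes the installed package is importable.

```python
import hashlib
import hmac

def hkdf_reference(ikm, salt, info, length, hash_name="sha256"):
    """RFC 5869 HKDF (extract, then expand) using only the standard library."""
    digest_size = hashlib.new(hash_name).digest_size
    if not 0 < length <= 255 * digest_size:
        raise ValueError("invalid HKDF output length")
    prk = hmac.new(salt or b"\x00" * digest_size, ikm, hash_name).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:  # always runs at least once for length >= 1
        block = hmac.new(prk, block + info + bytes([counter]), hash_name).digest()
        okm += block
        counter += 1
    return okm[:length]

def failing_lengths(derive, ikm, salt, info):
    """Lengths in 1..digest_size+1 where derive() disagrees with the reference."""
    limit = hashlib.sha256().digest_size + 1
    return [n for n in range(1, limit + 1)
            if derive(ikm, salt, info, n) != hkdf_reference(ikm, salt, info, n)]

def symptom_stand_in(ikm, salt, info, length):
    """Constructed stand-in that only mimics the reported symptom; not library code."""
    if length < hashlib.sha256().digest_size:
        return b""
    return hkdf_reference(ikm, salt, info, length)

def library_derive(ikm, salt, info, length):
    """Adapter for the installed python-cryptography package (imported lazily)."""
    from cryptography.hazmat.backends import default_backend
    from cryptography.hazmat.primitives import hashes
    from cryptography.hazmat.primitives.kdf.hkdf import HKDF
    return HKDF(algorithm=hashes.SHA256(), length=length, salt=salt,
                info=info, backend=default_backend()).derive(ikm)

# Inputs of RFC 5869 test case 1 (SHA-256)
IKM, SALT, INFO = b"\x0b" * 22, bytes(range(13)), bytes(range(0xF0, 0xFA))

if __name__ == "__main__":
    print("stand-in fails for lengths:", failing_lengths(symptom_stand_in, IKM, SALT, INFO))
    try:
        print("library fails for lengths:", failing_lengths(library_derive, IKM, SALT, INFO))
    except ImportError:
        print("python-cryptography is not installed")
```

An empty list from `failing_lengths(library_derive, ...)` means the installed package returns correct output for short lengths.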
Just waiting for the mirrors to update. To be installed on x86_64.
CC: (none) => tarazed25
Installed the updates and ran the command as posted in comment #2.
$ python -c 'import cryptography;print(cryptography.__version__)'
1.0.2
$ python3 -c 'import cryptography;print(cryptography.__version__)'
1.0.2
If that is all that is required it can be given the OK.
Whiteboard: (none) => MGA5-64-OK
This installed cleanly in i586 virtualbox and the commandline query returned the version number for python and python3.
Whiteboard: MGA5-64-OK => MGA5-64-OK MGA5-32-OK
(In reply to Philippe Makowski from comment #2)
> Cauldron freeze push asked for 1.5.3
> python3-cryptography-1.0.2-1.1.mga5 and python-cryptography-1.0.2-1.1.mga5
> are in core/updates_testing
@ Philippe
For the Advisory, please can you cite the actual SRPM and its version? I would guess 'python-cryptography-1.0.2-1.1.mga5.src.rpm' but I would rather not guess wrong. As for the rest, Comment 2 has all the necessary info, thanks.
TIA
CC: (none) => lewyssmith
Lewis, you got the SRPM name right. Philippe is no longer watching this bug.
Thanks to Len for rapid tests; and to David for SRPM confirmation. Advisory based on Comments 2 & 6 uploaded. Update validated.
Keywords: (none) => validated_update
Whiteboard: MGA5-64-OK MGA5-32-OK => MGA5-64-OK MGA5-32-OK advisory
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0377.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/706400/