Fedora has issued an advisory today (July 22): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/VKC5JVSO26YBOAYNY4HDSDFREMO4DS67/ The issue was fixed in 2.3. Mageia 6 is also affected.
Whiteboard: (none) => MGA6TOO
Assigning to the python stack maintainers, CC'ing the registered maintainer.
Assignee: bugsquad => python
CC: (none) => makowski.mageia, marja11
Ubuntu has issued an advisory for this on July 23: https://usn.ubuntu.com/3720-1/
Summary: python-cryptography new security issue fixed upstream in 2.3 => python-cryptography new security issue fixed upstream in 2.3 (CVE-2018-10903)
Blocks: (none) => 23111
CC: (none) => geiger.david68210
Cauldron updated with: python-cryptography-vectors-2.3.1-1.mga7 python-cryptography-2.3.1-1.mga7
Whiteboard: MGA6TOO => (none)
Assignee: python => bruno
Version: Cauldron => 6
CC: (none) => bruno
Status: NEW => ASSIGNED
mga6 updated with: python-cryptography-vectors-2.3.1-1.mga6 python-cryptography-2.3.1-1.mga6
Assignee: bruno => qa-bugs
Advisory:
========================

Updated python-cryptography packages fix security vulnerability:

The finalize_with_tag API did not enforce a minimum tag length. If a user did not validate the input length prior to passing it to finalize_with_tag an attacker could craft an invalid payload with a shortened tag (e.g. 1 byte) such that they would have a 1 in 256 chance of passing the MAC check. GCM tag forgeries can cause key leakage (CVE-2018-10903).

The python-cryptography and python-cryptography-vectors packages have been updated to version 2.3.1.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10903
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/VKC5JVSO26YBOAYNY4HDSDFREMO4DS67/
========================

Updated packages in core/updates_testing:
========================
python-cryptography-2.3.1-1.mga6
python3-cryptography-2.3.1-1.mga6
python-cryptography-vectors-2.3.1-1.mga6
python3-cryptography-vectors-2.3.1-1.mga6

from SRPMS:
python-cryptography-2.3.1-1.mga6.src.rpm
python-cryptography-vectors-2.3.1-1.mga6.src.rpm
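The tag-length problem the advisory describes, as an added example written for this page; it is not code from the python-cryptography project or from anyone in this report. It models finalize_with_tag with a stdlib HMAC standing in for the GCM tag (the key-leakage consequence of real GCM forgeries is not modelled, only the length check): the vulnerable path compares only as many bytes as the caller supplied, so an attacker with a verification oracle forges a 1-byte tag in at most 256 attempts, while the fixed path rejects any tag shorter than min_tag_length before comparing. The function names, key, associated data and sample ciphertext are all constructed.

```python
"""Model of CVE-2018-10903 (added example, not python-cryptography's own code).
A truncated HMAC-SHA256 stands in for a GCM tag; the interesting part is the
length check in front of the comparison, which the pre-2.3 library lacked."""
import hashlib
import hmac
import secrets

TAG_LENGTH = 16       # full tag: 128 bits, what GCM produces by default
MIN_TAG_LENGTH = 16   # minimum the fixed finalize_with_tag enforces by default


class InvalidTag(Exception):
    """Raised when the supplied tag does not match the computed one."""


def make_tag(key, aad, ciphertext):
    """Constructed stand-in for a GCM tag: HMAC-SHA256 over aad || ciphertext,
    truncated to TAG_LENGTH bytes (GCM tag truncation also keeps leading bytes)."""
    return hmac.new(key, aad + ciphertext, hashlib.sha256).digest()[:TAG_LENGTH]


def finalize_with_tag_vulnerable(key, aad, ciphertext, tag):
    """Model of the pre-2.3 behaviour: the tag is compared at whatever length the
    caller supplied, so a 1-byte tag is checked against a single byte (and, in
    this model, an empty tag is accepted unconditionally)."""
    expected = make_tag(key, aad, ciphertext)
    if not hmac.compare_digest(expected[:len(tag)], tag):
        raise InvalidTag()
    return True


def finalize_with_tag_fixed(key, aad, ciphertext, tag, min_tag_length=MIN_TAG_LENGTH):
    """Model of the 2.3 fix: reject short tags before comparing anything."""
    if len(tag) < min_tag_length:
        raise ValueError("Authentication tag must be %d bytes or longer." % min_tag_length)
    return finalize_with_tag_vulnerable(key, aad, ciphertext, tag)


def forge_with_oracle(verify, aad, ciphertext, tag_len):
    """Attacker side: knows no key, only has verify(aad, ct, tag) which returns
    True or raises. Flips one ciphertext byte, then tries every tag_len-byte tag;
    with tag_len == 1 that is at most 256 attempts. Returns (attempts, ct, tag)
    on success, None if every guess was refused."""
    tampered = bytes([ciphertext[0] ^ 0x01]) + ciphertext[1:]
    for attempt in range(256 ** tag_len):
        guess = attempt.to_bytes(tag_len, "big")
        try:
            verify(aad, tampered, guess)
        except (InvalidTag, ValueError):
            continue
        return attempt + 1, tampered, guess
    return None


def short_tag_rejected(key, aad, ciphertext):
    """True if the fixed path refuses a 1-byte tag outright."""
    try:
        finalize_with_tag_fixed(key, aad, ciphertext, b"\x00")
    except ValueError:
        return True
    return False


def demo():
    # Constructed inputs: a random key and 32 random bytes standing in for
    # AES-CTR output; the attacker never sees `key`.
    key = secrets.token_bytes(32)
    aad = b"constructed-header"
    ciphertext = secrets.token_bytes(32)
    tag = make_tag(key, aad, ciphertext)

    def vuln_oracle(a, c, t):
        return finalize_with_tag_vulnerable(key, a, c, t)

    def fixed_oracle(a, c, t):
        return finalize_with_tag_fixed(key, a, c, t)

    forged = forge_with_oracle(vuln_oracle, aad, ciphertext, tag_len=1)
    blocked = forge_with_oracle(fixed_oracle, aad, ciphertext, tag_len=1)
    return {
        "legit_full_tag_ok": finalize_with_tag_fixed(key, aad, ciphertext, tag),
        "vulnerable_forged_in": None if forged is None else forged[0],  # 1..256
        "fixed_forged": blocked is not None,                             # False
        "fixed_rejects_1_byte": short_tag_rejected(key, aad, ciphertext),
    }


if __name__ == "__main__":
    print(demo())
```

In the real library the minimum is the min_tag_length argument of modes.GCM (16 by default) and, from 2.3 on, finalize_with_tag raises ValueError for a shorter tag; code that genuinely needs truncated tags should pass an explicit min_tag_length rather than trust whatever length a remote peer sends. A 1-in-256 per-attempt success rate is a complete bypass wherever the attacker can retry, which is why the advisory treats it as a MAC-check failure rather than a weakening.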
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues
Ref bug 19736 Comment 4 at CLI
$ python -c 'import cryptography;print(cryptography.__version__)'
2.3.1
$ python3 -c 'import cryptography;print(cryptography.__version__)'
2.3.1
So OK for me.
Whiteboard: (none) => MGA6-32-OK
CC: (none) => herman.viaene
MGA6-64 Plasma system. No installation issues with 64-bit, either. The commands Herman used have the same result. So, OK for 64-bit, too. Validating. Advisory in Comment 5.
Keywords: (none) => validated_update
Whiteboard: MGA6-32-OK => MGA6-64-OK MGA6-32-OK
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => tmb
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0429.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
Looks like there is a missing pkg with this update:

A requested package cannot be installed:
python-cryptography-2.3.1-1.mga6.x86_64
python-cryptography-2.3.1-1.mga6.x86_64 (due to unsatisfied pythonegg(2)(asn1crypto)[>= 0.21.0])
(In reply to David GEIGER from comment #9)
> Looks like there is a missing pkg with this update:
>
> A requested package cannot be installed:
> python-cryptography-2.3.1-1.mga6.x86_64
> python-cryptography-2.3.1-1.mga6.x86_64 (due to unsatisfied
> pythonegg(2)(asn1crypto)[>= 0.21.0])

Someone already filed bug 23803 for that.
Strangely enough that wasn't seen by QA testers (nor myself).
Is it possible to push python-asn1crypto from updates_testing as well (I just pushed it again) so that this issue is solved?

TIA.
(In reply to Bruno Cornec from comment #11)
> Strangely enough that wasn't seen by QA testers (nor myself).
> Is it possible to push python-asn1crypto from updates_testing as well (I
> just pushed it again) so that this issue is solved ?
>
> TIA.

Reopening this report and assigning to sysadmin team.
Depends on: (none) => 23803
Assignee: qa-bugs => sysadmin-bugs
(In reply to Marja Van Waes from comment #12)
> (In reply to Bruno Cornec from comment #11)
> > Strangely enough that wasn't seen by QA testers (nor myself).
> > Is it possible to push python-asn1crypto from updates_testing as well (I
> > just pushed it again) so that this issue is solved ?
> >
> > TIA.
>
> Reopening this report and assigning to sysadmin team.

Really reopening now :-(
Status: RESOLVED => REOPENED
Resolution: FIXED => (none)
Still needs to be assigned to QA so sysadmins will see it.
Assignee: sysadmin-bugs => qa-bugs
Package move in progress...

I think QA should always start using the QA tool done by martinw for the big qt/plasma update on all updates testing to catch missed package issues like this...
Status: REOPENED => RESOLVED
Resolution: (none) => FIXED
(In reply to Thomas Backlund from comment #15)
> Package move in progress...
>
> I think QA should start always using the QA tool done by martinw for the big
> qt/plasma update on all update testings to catch missed package issues like
> this...

Do you mind also moving python-cffi srpm and its rpms?
See bug 23810 [unsatisfied pythonegg(2)(cffi) trying to install python-cryptography-2.3.1-1.mga6.x86_64]
Depends on: (none) => 23810
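A dependency-closure check of the kind Thomas suggests above, as an added example written for this page; it is neither the QA tool he refers to nor any Mageia tooling. Given a candidate package's Requires lines and the Provides lines of the media a tester would actually install from, it reports every requirement that nothing satisfies, which is exactly what the two urpmi failures in this report (asn1crypto, then cffi) would have shown up as before validation. The requires/provides lines below are constructed for the example and modelled on those failures (the version numbers are invented), and the version comparison is a simplified rpmvercmp, not the real one. On a real system the inputs would come from rpm -qp --requires on the candidate rpms and from rpm -q --provides on the installed/enabled media packages.

```python
"""Dependency-closure check for an update candidate (added example; not Mageia's
QA tooling). Parses rpm-style 'capability op version' lines and reports the
requires that no provides line satisfies."""
import re

_DEP_RE = re.compile(r"^(?P<name>\S+)(?:\s*(?P<op>>=|<=|=|>|<)\s*(?P<ver>\S+))?$")


def parse_dep(line):
    """'pythonegg(2)(asn1crypto) >= 0.21.0' -> ('pythonegg(2)(asn1crypto)', '>=', '0.21.0');
    an unversioned capability gives (name, None, None)."""
    m = _DEP_RE.match(line.strip())
    if not m:
        raise ValueError("cannot parse dependency: %r" % line)
    return m.group("name"), m.group("op"), m.group("ver")


def _segments(version):
    # Numeric runs compare as integers, alphabetic runs as strings. Assumption:
    # this is a simplified rpmvercmp (no epoch handling, no tilde/caret rules).
    return [(0, int(s)) if s.isdigit() else (1, s)
            for s in re.findall(r"\d+|[A-Za-z]+", version)]


def vercmp(a, b):
    """-1, 0 or 1 for a < b, a == b, a > b under the simplified segment rules."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x != y:
            return -1 if x < y else 1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def satisfies(provided_ver, op, required_ver):
    """rpm semantics in brief: an unversioned provide only satisfies an
    unversioned require; otherwise compare with the requested operator."""
    if op is None:
        return True
    if provided_ver is None:
        return False
    c = vercmp(provided_ver, required_ver)
    return {"=": c == 0, ">=": c >= 0, "<=": c <= 0, ">": c > 0, "<": c < 0}[op]


def unsatisfied(requires, provides):
    """Return the requires lines (verbatim) that no provides line satisfies."""
    prov = {}
    for line in provides:
        name, _, ver = parse_dep(line)
        prov.setdefault(name, []).append(ver)
    missing = []
    for line in requires:
        name, op, ver = parse_dep(line)
        if not any(satisfies(p, op, ver) for p in prov.get(name, [])):
            missing.append(line)
    return missing


# Constructed sample data (versions invented), modelled on the failures in this bug.
CRYPTOGRAPHY_231_REQUIRES = [
    "pythonegg(2)(asn1crypto) >= 0.21.0",
    "pythonegg(2)(cffi) >= 1.7",
    "pythonegg(2)(six) >= 1.4.1",
    "pythonegg(2)(idna) >= 2.1",
]
CORE_RELEASE_PROVIDES = [          # what core/release alone would offer (constructed)
    "pythonegg(2)(asn1crypto) = 0.18.5",
    "pythonegg(2)(cffi) = 1.5.2",
    "pythonegg(2)(six) = 1.10.0",
    "pythonegg(2)(idna) = 2.1",
]
UPDATES_TESTING_PROVIDES = [       # the companion packages that also had to be pushed (constructed)
    "pythonegg(2)(asn1crypto) = 0.24.0",
    "pythonegg(2)(cffi) = 1.7.0",
]


def check_update(requires=CRYPTOGRAPHY_231_REQUIRES):
    """Run the check once against release only and once with updates_testing added."""
    return {
        "release_only": unsatisfied(requires, CORE_RELEASE_PROVIDES),
        "with_updates_testing": unsatisfied(requires, CORE_RELEASE_PROVIDES + UPDATES_TESTING_PROVIDES),
    }


if __name__ == "__main__":
    for media, missing in check_update().items():
        print(media, "->", "OK" if not missing else "unsatisfied: " + ", ".join(missing))
```

The point of running it against the media the end user has, rather than against a tester's box that still had updates_testing enabled, is that the missing asn1crypto and cffi pushes only surface when the provides list is the one the update will actually be installed against.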
python-cffi-1.7.0-1.mga6 move in progress
Checked out in VirtualBox. Packages now update without incident.