SUSE has issued an advisory today (July 22): https://lists.suse.com/pipermail/sle-security-updates/2022-July/011631.html Mageia 8 is also affected.
Whiteboard: (none) => MGA8TOO
Equivalent openSUSE advisory: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/QEML6RS6UMHDYGJ355BS2ARODQ4OYLRW/
Submitted release 0.38.0 with commit "Mitigate the Bleichenbacher timing attacks in the RSA decryption API (CVE-2020-25657)"
python3-m2crypto-0.38.0-4.mga8
Source: python-m2crypto-0.38.0-4.mga8.src.rpm
Version: Cauldron => 8
CC: (none) => yves.brungard_mageia
Assignee: python => qa-bugs
CVE: (none) => CVE-2020-25657
Whiteboard: MGA8TOO => (none)
MGA8-64 Plasma on Acer Aspire 5253
No installation issues.

# urpmq --whatrequires python3-m2crypto
dropbox-servicemenu
python3-m2crypto

Installed dropbox-servicemenu and googled around, but could not make any sense. e.g. some pages refer to an install script I don't find anywhere. Note that I don't have a dropbox account.
Ref. then bug 17179 and tried

$ python3
Python 3.8.12 (default, Sep 12 2021, 19:57:22)
[GCC 10.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import M2Crypto
>>> M2Crypto.EVP.pbkdf2('foo', 'abc', 1, 74)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib64/python3.8/site-packages/M2Crypto/EVP.py", line 36, in pbkdf2
    return m2.pkcs5_pbkdf2_hmac_sha1(password, salt, iter, keylen)
TypeError: expected a readable buffer object

So, I'm lost here again. Otherwise installing this does not seem to harm anything else.
CC: (none) => herman.viaene
Try with this command. The referenced bug report was for Python 2.

import M2Crypto
M2Crypto.EVP.pbkdf2(b'foo', b'abc', 1, 74)

With updated release:

python3
Python 3.8.12 (default, Sep 12 2021, 19:57:22)
[GCC 10.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import M2Crypto
>>> M2Crypto.EVP.pbkdf2(b'foo', b'abc', 1, 74)
b'2n\x13\xdd\xab\xb1N\xbc\xc0\xb3\x16\x85\xb1_(#\x02\xe6\x92L\xf6\xb6\xf8<\x80\xb7v\xc8\xec\x83tZ\xfd4\x9f\r\xea>?\x1d\xbb\x9b\xe3\xe1"\xc9W\x9e\x80\xdc\x0e\x16t\x06\x8e\x86~q\x82\xd2,\xaaa\xb1\x06+4k\x1dg\xf7CXF'
>>>

With original version:

python3
Python 3.8.12 (default, Sep 12 2021, 19:57:22)
[GCC 10.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import M2Crypto
>>> M2Crypto.EVP.pbkdf2(b'foo', b'abc', 1, 74)
b'2n\x13\xdd\xab\xb1N\xbc\xc0\xb3\x16\x85\xb1_(#\x02\xe6\x92L\xf6\xb6\xf8<\x80\xb7v\xc8\xec\x83tZ\xfd4\x9f\r\xea>?\x1d\xbb\x9b\xe3\xe1"\xc9W\x9e\x80\xdc\x0e\x16t\x06\x8e\x86~q\x82\xd2,\xaaa\xb1\x06+4k\x1dg\xf7CXF'

It seems to work without difference.
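The smoke test from the comments above, redone with the Python standard library only, as an added example that is not part of the original thread. It derives the same 74-byte PBKDF2-HMAC-SHA1 key by hand and with hashlib, compares both with the value quoted in the thread, and rejects str input as the first attempt did. The names pbkdf2_sha1, cross_check and THREAD_OUTPUT are chosen here.

```python
import hashlib
import hmac

# Value printed in the thread for M2Crypto.EVP.pbkdf2(b'foo', b'abc', 1, 74)
THREAD_OUTPUT = (
    b'2n\x13\xdd\xab\xb1N\xbc\xc0\xb3\x16\x85\xb1_(#\x02\xe6\x92L\xf6\xb6\xf8<\x80'
    b'\xb7v\xc8\xec\x83tZ\xfd4\x9f\r\xea>?\x1d\xbb\x9b\xe3\xe1"\xc9W\x9e\x80\xdc'
    b'\x0e\x16t\x06\x8e\x86~q\x82\xd2,\xaaa\xb1\x06+4k\x1dg\xf7CXF'
)


def pbkdf2_sha1(password: bytes, salt: bytes, iterations: int, keylen: int) -> bytes:
    """PBKDF2-HMAC-SHA1 as specified in RFC 8018, section 5.2."""
    if not isinstance(password, bytes) or not isinstance(salt, bytes):
        # Python 3 str is text, not a buffer: the caller must encode it first.
        raise TypeError("password and salt must be bytes, not str")
    hlen = hashlib.sha1().digest_size            # 20 bytes per output block
    blocks = -(-keylen // hlen)                  # ceil(keylen / hlen): 4 for 74 bytes
    out = b""
    for i in range(1, blocks + 1):
        # U_1 = HMAC(password, salt || INT_32_BE(i))
        u = hmac.new(password, salt + i.to_bytes(4, "big"), hashlib.sha1).digest()
        t = int.from_bytes(u, "big")
        for _ in range(iterations - 1):
            # U_j = HMAC(password, U_{j-1}); the block is the XOR of all U_j
            u = hmac.new(password, u, hashlib.sha1).digest()
            t ^= int.from_bytes(u, "big")
        out += t.to_bytes(hlen, "big")
    return out[:keylen]                          # truncate the final block


def cross_check(password=b"foo", salt=b"abc", iterations=1, keylen=74):
    """Return (manual, stdlib) derivations for the parameters used in the thread."""
    manual = pbkdf2_sha1(password, salt, iterations, keylen)
    stdlib = hashlib.pbkdf2_hmac("sha1", password, salt, iterations, keylen)
    return manual, stdlib


if __name__ == "__main__":
    manual, stdlib = cross_check()
    print("manual == hashlib:      ", hmac.compare_digest(manual, stdlib))
    print("hashlib == thread value:", hmac.compare_digest(stdlib, THREAD_OUTPUT))
```

PBKDF2 is deterministic, so identical output from the original and updated packages is the expected result. The call covers key derivation only and does not touch the RSA decryption API named in the commit message.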
Followed Comment 5 and got the feedback as shown there, so this should be OK. Tx papoteur.
Whiteboard: (none) => MGA8-64-OK
Validating.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
CC: (none) => davidwhodgins
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0274.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED