Mandriva has issued an advisory today (July 27): http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:117 Mageia 1 and Mageia 2 are also affected.
Whiteboard: (none) => MGA2TOO, MGA1TOO
Patched package uploaded for Mageia 1, Mageia 2, and Cauldron.

Advisory:
========================

Updated python-pycrypto package fixes security vulnerability:

PyCrypto before 2.6 does not produce appropriate prime numbers when using an ElGamal scheme to generate a key, which reduces the signature space or public key space and makes it easier for attackers to conduct brute force attacks to obtain the private key (CVE-2012-2417).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2417
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:117
========================

Updated packages in core/updates_testing:
========================
python-pycrypto-2.3-2.1.mga1
python-pycrypto-2.3-2.1.mga2

from SRPMS:
python-pycrypto-2.3-2.1.mga1.src.rpm
python-pycrypto-2.3-2.1.mga2.src.rpm

Version: Cauldron => 2
Assignee: bugsquad => qa-bugs
Whiteboard: MGA2TOO, MGA1TOO => MGA1TOO
URL: (none) => http://lwn.net/Vulnerabilities/500169/
Note that according to https://bugs.launchpad.net/pycrypto/+bug/985164 people have to re-generate their keys. How could we address that?
CC: (none) => stormi
Thanks Samuel. We should address that in the advisory. Updating it.

Advisory:
========================

Updated python-pycrypto package fixes security vulnerability:

PyCrypto before 2.6 does not produce appropriate prime numbers when using an ElGamal scheme to generate a key, which reduces the signature space or public key space and makes it easier for attackers to conduct brute force attacks to obtain the private key (CVE-2012-2417).

Note: any ElGamal keys that have previously been generated by PyCrypto should be regenerated after installing this update.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2417
http://www.ubuntu.com/usn/usn-1484-1/
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:117
========================

Updated packages in core/updates_testing:
========================
python-pycrypto-2.3-2.1.mga1
python-pycrypto-2.3-2.1.mga2

from SRPMS:
python-pycrypto-2.3-2.1.mga1.src.rpm
python-pycrypto-2.3-2.1.mga2.src.rpm
The script at http://www.python-forum.org/pythonforum/viewtopic.php?p=26379 uses ElGamal, if I understood correctly.

On Mageia 1 64 bits, running it with the version of python-pycrypto from release and from updates_testing gives the same result: it deciphers the hello world message with success. Does anyone know how to test better, and in particular how to check the security fix?
(In reply to comment #4)
> The script at http://www.python-forum.org/pythonforum/viewtopic.php?p=26379
> uses elgamal if I understood correctly.
>
> On Mageia 1 64 bits, running it with the version of python-pycrypto from
> release and from updates_testing gives the same result: it deciphers the hello
> world message with success. Anyone knows how to test better, and in particular
> how to check the security fix?

Find someone that understands ElGamal encryption to decipher this:
https://bugs.launchpad.net/pycrypto/+bug/985164/comments/5

It almost looks understandable to me as I've taken Number Theory and Coding Theory and studied RSA encryption, but that was a few years ago :o)
(In reply to comment #5)
> (In reply to comment #4)
> > The script at http://www.python-forum.org/pythonforum/viewtopic.php?p=26379
> > uses elgamal if I understood correctly.
> >
> > On Mageia 1 64 bits, running it with the version of python-pycrypto from
> > release and from updates_testing gives the same result: it deciphers the hello
> > world message with success. Anyone knows how to test better, and in particular
> > how to check the security fix?
>
> Find someone that understands ElGamal encryption to decipher this:
> https://bugs.launchpad.net/pycrypto/+bug/985164/comments/5
>
> It almost looks understandable to me as I've taken Number Theory and Coding
> Theory and studied RSA encryption, but that was a few years ago :o)

Ouch, I guess sometimes we just have to trust upstream. We can't spend hours checking that every security issue is actually fixed, given our current resources :)
Whiteboard: MGA1TOO => MGA1TOO MGA1-64-OK
Whiteboard: MGA1TOO MGA1-64-OK => MGA1TOO has_procedure MGA1-64-OK
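As an added example (not code from this bug report, from PyCrypto, or from the linked forum script): a decrypt round trip succeeds with weak parameters too, so a check of the fix has to inspect the generated p and g themselves. This sketch assumes the property the fix restores is that p is a safe prime (p = 2q + 1, q prime) and g generates the whole group mod p; that criterion is a reading of the upstream report and is not stated on this page, and the function names are hypothetical.

```python
import secrets

def is_probable_prime(n, rounds=32):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)   # random witness in 2..n-2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                   # a proves n composite
    return True

def audit_elgamal_params(p, g):
    """Return a list of problems found in ElGamal public parameters (p, g).

    Assumed criteria (not taken from this page): p is a safe prime and
    g has order p - 1, i.e. g^2 != 1 and g^((p-1)/2) != 1 mod p.
    """
    if not is_probable_prime(p):
        return ["p is not prime"]
    problems = []
    q = (p - 1) // 2
    if not is_probable_prime(q):
        problems.append("p is not a safe prime: (p-1)/2 is composite")
    if not 1 < g < p - 1:
        problems.append("g is outside the range 2..p-2")
    elif pow(g, 2, p) == 1 or pow(g, q, p) == 1:
        problems.append("g does not generate the whole group mod p")
    return problems

if __name__ == "__main__":
    # Constructed toy parameters, far too small for real use.
    for p, g in [(23, 5), (23, 2), (29, 2)]:
        print(p, g, audit_elgamal_params(p, g) or "ok")
```

With PyCrypto, the values to pass are the `p` and `g` attributes of a generated ElGamal key object. An empty result for an old key does not replace the regeneration the advisory asks for.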
Testing complete on Mageia 1 32 bits, following the procedure from comment #4. Still, feel free to improve the procedure; I'll be glad to do more tests, but for the time being I consider it tested for this arch.
Whiteboard: MGA1TOO has_procedure MGA1-64-OK => MGA1TOO has_procedure MGA1-64-OK MGA1-32-OK
Testing complete mga2 x86_64 using script from comment 4
Hardware: i586 => All
Whiteboard: MGA1TOO has_procedure MGA1-64-OK MGA1-32-OK => MGA1TOO has_procedure MGA1-64-OK MGA1-32-OK mga2-64-OK

Testing complete mga2 i586 same way.

Validating.

Please see comment 3 for advisory and srpms for mga1 and 2.

Could sysadmin please push from core/updates_testing to core/updates?

Thanks!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA1TOO has_procedure MGA1-64-OK MGA1-32-OK mga2-64-OK => MGA1TOO has_procedure MGA1-64-OK MGA1-32-OK mga2-64-OK mga2-32-OK
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0194
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED