guix-devel


From: Leo Famulari
Subject: Re: pycrypto buffer overflow (potentially affects onionshare and other packages)
Date: Mon, 9 Jan 2017 19:09:09 -0500
User-agent: Mutt/1.7.2 (2016-11-26)

On Thu, Jan 05, 2017 at 11:39:58AM +0100, Ludovic Courtès wrote:
> Leo Famulari <address@hidden> wrote:
> 
> > On Mon, Jan 02, 2017 at 09:41:26PM +0100, Ludovic Courtès wrote:
> >> Leo Famulari <address@hidden> wrote:
> >> > Based on my discussion with the Stem maintainer, I removed pycrypto from
> >> > the dependency graph of OnionShare and added a comment about removing
> >> > the pycrypto package in 4de2a710a6a309a1601f1cf6fc15b9b638d3a3cb and
> >> > 1194575b3c44969e4f68cd10a62e6ed8603e39b4, respectively.
> >> 
> >> Thanks.  Looks like another case of an important piece of software
> >> lacking a maintainer…
> >
> > At this point, I think it's recommended to use the 'cryptography'
> > module, which we have as python-cryptography. This seems to be where all
> > the development energy is being spent.
> >
> > Debian adapted the upstream patch:
> >
> > https://anonscm.debian.org/cgit/collab-maint/python-crypto.git/commit/?id=0de2243837ed369a086f15c50cca2be85bdfab9d
> >
> > What do people think?
> 
> Maybe we should apply this patch as well as progressively migrate to
> python-cryptography whenever possible?

I applied the Debian patch in aa21c764d65068783ae31febee2a92eb3d138a24.


