Bug 1170702

Summary:	Long-unfixed security vulnerabilities
Product:	[Fedora] Fedora	Reporter:	Miloslav Trmač <mitr>
Component:	python-rsa	Assignee:	Yohan Graterol <yohangraterol92>
Status:	CLOSED ERRATA	QA Contact:	Fedora Extras Quality Assurance <extras-qa>
Severity:	unspecified	Docs Contact:
Priority:	unspecified
Version:	22	CC:	fale, yohangraterol92
Target Milestone:	---
Target Release:	---
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:
Fixed In Version:	python-rsa-3.4.1-1.fc24 python-rsa-3.4.1-1.fc23 python-rsa-3.4.1-1.fc22 python-rsa-3.4.1-1.el7 python-rsa-3.4.1-1.el6	Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2016-03-31 20:30:18 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Miloslav Trmač 2014-12-04 16:04:37 UTC

Version-Release number of selected component (if applicable):
python-rsa-3.1.1-4.fc20.noarch

The code of python-rsa is a very naive implementation of RSA with known side channels, already reported upstream (https://bitbucket.org/sybren/python-rsa/issue/19/vulnerable-to-side-channel-attacks-on , unfixed since 2013), its PKCS#1 implementation has also side channel issues, and the bigfile module has also an incorrect design reported in 2012 (I have not verified this one but not even having a reply is frightening).

These issues are fixable in principle but I would honestly recommend instead taking the time to remove the package from the distribution.

Comment 1 Miloslav Trmač 2014-12-04 16:13:44 UTC

See also bug 1170701 and bug 1170703 filed against the users of python-rsa.

Comment 2 Jaroslav Reznik 2015-03-03 16:33:54 UTC

This bug appears to have been reported against 'rawhide' during the Fedora 22 development cycle.
Changing version to '22'.

More information and reason for this action is here:
https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora22

Comment 3 Fabio Alessandro Locati 2016-01-10 19:13:04 UTC

It seems like the maintainer has not responded at all at this security bug.
I would ask the maintainer to please respond to it.

I can help out with this package and therefore I asked ACL&Admin permissions for this package. I hope the maintainer will respond to those as well very soon.

Comment 4 Fedora Update System 2016-01-13 23:52:43 UTC

python-rsa-3.3-2.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-7aa48cd8b9

Comment 5 Fedora Update System 2016-01-13 23:52:43 UTC

python-rsa-3.3-2.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-6f526f521d

Comment 6 Fedora Update System 2016-01-13 23:53:02 UTC

python-rsa-3.3-2.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-70edfbbcef

Comment 7 Fedora Update System 2016-01-13 23:53:03 UTC

python-rsa-3.3-2.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-c845706426

Comment 8 Fedora Update System 2016-01-14 10:21:35 UTC

python-rsa-3.3-2.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-7aa48cd8b9

Comment 9 Fedora Update System 2016-01-14 10:24:35 UTC

python-rsa-3.3-2.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-6f526f521d

Comment 10 Fedora Update System 2016-01-14 11:24:36 UTC

python-rsa-3.3-2.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-70edfbbcef

Comment 11 Miloslav Trmač 2016-01-14 14:36:25 UTC

Which exact commit or piece of code is fixing this? AFAICS https://bitbucket.org/sybren/python-rsa/src/8a60d5792cd19514e049e5d9ed552b071e71b5e8/rsa/core.py?at=default&fileviewer=file-view-default is still just a naive implementation.

Comment 12 Fabio Alessandro Locati 2016-01-14 14:43:49 UTC

(In reply to Miloslav Trmač from comment #11)
> Which exact commit or piece of code is fixing this? AFAICS
> https://bitbucket.org/sybren/python-rsa/src/
> 8a60d5792cd19514e049e5d9ed552b071e71b5e8/rsa/core.
> py?at=default&fileviewer=file-view-default is still just a naive
> implementation.

Sorry, you are right. This release DOES NOT fixes this, while fixes the CVE-2016-1494

Comment 13 Fedora Update System 2016-01-15 19:53:07 UTC

python-rsa-3.3-2.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-c845706426

Comment 14 Fabio Alessandro Locati 2016-01-15 19:55:15 UTC

I was not able to remove it from the F22 release, since it was waiting to join testing, so it sent the email, but I've just edited it so it shows correctly this post as not fixed

Comment 15 Fedora Update System 2016-03-26 18:12:56 UTC

python-rsa-3.4.1-1.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-6dc5678273

Comment 16 Fedora Update System 2016-03-26 18:13:03 UTC

python-rsa-3.4.1-1.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-df2529c86c

Comment 17 Fedora Update System 2016-03-26 18:13:07 UTC

python-rsa-3.4.1-1.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-15fb7deba0

Comment 18 Fedora Update System 2016-03-26 18:13:12 UTC

python-rsa-3.4.1-1.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-9129aa0c6f

Comment 19 Fedora Update System 2016-03-26 18:13:16 UTC

python-rsa-3.4.1-1.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-c3550220fe

Comment 20 Fedora Update System 2016-03-27 21:17:40 UTC

python-rsa-3.4.1-1.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-c3550220fe

Comment 21 Fedora Update System 2016-03-27 21:21:07 UTC

python-rsa-3.4.1-1.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-9129aa0c6f

Comment 22 Fedora Update System 2016-03-27 21:48:19 UTC

python-rsa-3.4.1-1.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-15fb7deba0

Comment 23 Fedora Update System 2016-03-27 21:50:15 UTC

python-rsa-3.4.1-1.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-df2529c86c

Comment 24 Fedora Update System 2016-03-27 21:50:24 UTC

python-rsa-3.4.1-1.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-6dc5678273

Comment 25 Fedora Update System 2016-03-31 20:30:15 UTC

python-rsa-3.4.1-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 26 Fedora Update System 2016-04-06 17:20:54 UTC

python-rsa-3.4.1-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 27 Fedora Update System 2016-04-07 15:49:27 UTC

python-rsa-3.4.1-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Comment 28 Fedora Update System 2016-04-13 05:56:05 UTC

python-rsa-3.4.1-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.

Comment 29 Fedora Update System 2016-04-13 06:24:50 UTC

python-rsa-3.4.1-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.