Description of problem: Version-Release number of selected component (if applicable): How reproducible: Steps to Reproduce: 1. 2. 3. Actual results: Expected results: Additional info:
python-boto-0:2.34.0-4.fc20.noarch depends on python-rsa, which is a very naive implementation of RSA with known unfixed vulnerabilities, e.g. https://bitbucket.org/sybren/python-rsa/issue/19/vulnerable-to-side-channel-attacks-on ). See also bug 1170702. I strongly recommend replacing its use by a python module that wraps one of the mainstream crypto libraries, perhaps M2Crypto.RSA or cryptography.hazmat.primitives.asymmetric.rsa .
Shouldn't this be reported upstream instead/also? https://github.com/boto/boto/issues
You're right Orion. I've reported it upstream today: https://github.com/boto/boto/issues/2889
Upstream pull request: https://github.com/boto/boto/pull/2890
This bug appears to have been reported against 'rawhide' during the Fedora 22 development cycle. Changing version to '22'. More information and reason for this action is here: https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora22
I am quite reluctant to change crypto libraries without cooperation from the upstream maintainers, so let's let this discussion play out in the pull request.