Bug 1170702 - Long-unfixed security vulnerabilities
Summary: Long-unfixed security vulnerabilities
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: python-rsa
Version: 22
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Yohan Graterol
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2014-12-04 16:04 UTC by Miloslav Trmač
Modified: 2016-04-13 06:24 UTC (History)
2 users (show)

Fixed In Version: python-rsa-3.4.1-1.fc24 python-rsa-3.4.1-1.fc23 python-rsa-3.4.1-1.fc22 python-rsa-3.4.1-1.el7 python-rsa-3.4.1-1.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-03-31 20:30:18 UTC


Attachments (Terms of Use)

Description Miloslav Trmač 2014-12-04 16:04:37 UTC
Version-Release number of selected component (if applicable):
python-rsa-3.1.1-4.fc20.noarch

The code of python-rsa is a very naive implementation of RSA with known side channels, already reported upstream (https://bitbucket.org/sybren/python-rsa/issue/19/vulnerable-to-side-channel-attacks-on , unfixed since 2013), its PKCS#1 implementation has also side channel issues, and the bigfile module has also an incorrect design reported in 2012 (I have not verified this one but not even having a reply is frightening).

These issues are fixable in principle but I would honestly recommend instead taking the time to remove the package from the distribution.

Comment 1 Miloslav Trmač 2014-12-04 16:13:44 UTC
See also bug 1170701 and bug 1170703 filed against the users of python-rsa.

Comment 2 Jaroslav Reznik 2015-03-03 16:33:54 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 22 development cycle.
Changing version to '22'.

More information and reason for this action is here:
https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora22

Comment 3 Fabio Alessandro Locati 2016-01-10 19:13:04 UTC
It seems like the maintainer has not responded at all at this security bug.
I would ask the maintainer to please respond to it.

I can help out with this package and therefore I asked ACL&Admin permissions for this package. I hope the maintainer will respond to those as well very soon.

Comment 4 Fedora Update System 2016-01-13 23:52:43 UTC
python-rsa-3.3-2.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-7aa48cd8b9

Comment 5 Fedora Update System 2016-01-13 23:52:43 UTC
python-rsa-3.3-2.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-6f526f521d

Comment 6 Fedora Update System 2016-01-13 23:53:02 UTC
python-rsa-3.3-2.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-70edfbbcef

Comment 7 Fedora Update System 2016-01-13 23:53:03 UTC
python-rsa-3.3-2.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-c845706426

Comment 8 Fedora Update System 2016-01-14 10:21:35 UTC
python-rsa-3.3-2.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-7aa48cd8b9

Comment 9 Fedora Update System 2016-01-14 10:24:35 UTC
python-rsa-3.3-2.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-6f526f521d

Comment 10 Fedora Update System 2016-01-14 11:24:36 UTC
python-rsa-3.3-2.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-70edfbbcef

Comment 11 Miloslav Trmač 2016-01-14 14:36:25 UTC
Which exact commit or piece of code is fixing this? AFAICS https://bitbucket.org/sybren/python-rsa/src/8a60d5792cd19514e049e5d9ed552b071e71b5e8/rsa/core.py?at=default&fileviewer=file-view-default is still just a naive implementation.

Comment 12 Fabio Alessandro Locati 2016-01-14 14:43:49 UTC
(In reply to Miloslav Trmač from comment #11)
> Which exact commit or piece of code is fixing this? AFAICS
> https://bitbucket.org/sybren/python-rsa/src/
> 8a60d5792cd19514e049e5d9ed552b071e71b5e8/rsa/core.
> py?at=default&fileviewer=file-view-default is still just a naive
> implementation.

Sorry, you are right. This release DOES NOT fixes this, while fixes the CVE-2016-1494

Comment 13 Fedora Update System 2016-01-15 19:53:07 UTC
python-rsa-3.3-2.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-c845706426

Comment 14 Fabio Alessandro Locati 2016-01-15 19:55:15 UTC
I was not able to remove it from the F22 release, since it was waiting to join testing, so it sent the email, but I've just edited it so it shows correctly this post as not fixed

Comment 15 Fedora Update System 2016-03-26 18:12:56 UTC
python-rsa-3.4.1-1.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-6dc5678273

Comment 16 Fedora Update System 2016-03-26 18:13:03 UTC
python-rsa-3.4.1-1.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-df2529c86c

Comment 17 Fedora Update System 2016-03-26 18:13:07 UTC
python-rsa-3.4.1-1.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-15fb7deba0

Comment 18 Fedora Update System 2016-03-26 18:13:12 UTC
python-rsa-3.4.1-1.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-9129aa0c6f

Comment 19 Fedora Update System 2016-03-26 18:13:16 UTC
python-rsa-3.4.1-1.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-c3550220fe

Comment 20 Fedora Update System 2016-03-27 21:17:40 UTC
python-rsa-3.4.1-1.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-c3550220fe

Comment 21 Fedora Update System 2016-03-27 21:21:07 UTC
python-rsa-3.4.1-1.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-9129aa0c6f

Comment 22 Fedora Update System 2016-03-27 21:48:19 UTC
python-rsa-3.4.1-1.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-15fb7deba0

Comment 23 Fedora Update System 2016-03-27 21:50:15 UTC
python-rsa-3.4.1-1.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-df2529c86c

Comment 24 Fedora Update System 2016-03-27 21:50:24 UTC
python-rsa-3.4.1-1.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-6dc5678273

Comment 25 Fedora Update System 2016-03-31 20:30:15 UTC
python-rsa-3.4.1-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 26 Fedora Update System 2016-04-06 17:20:54 UTC
python-rsa-3.4.1-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 27 Fedora Update System 2016-04-07 15:49:27 UTC
python-rsa-3.4.1-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Comment 28 Fedora Update System 2016-04-13 05:56:05 UTC
python-rsa-3.4.1-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.

Comment 29 Fedora Update System 2016-04-13 06:24:50 UTC
python-rsa-3.4.1-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.