Version-Release number of selected component (if applicable): python-rsa-3.1.1-4.fc20.noarch
The code of python-rsa is a very naive implementation of RSA with known side channels, already reported upstream (https://bitbucket.org/sybren/python-rsa/issue/19/vulnerable-to-side-channel-attacks-on , unfixed since 2013); its PKCS#1 implementation also has side channel issues, and the bigfile module also has an incorrect design reported in 2012 (I have not verified this one, but not even having a reply is frightening). These issues are fixable in principle, but I would honestly recommend instead taking the time to remove the package from the distribution.
See also bug 1170701 and bug 1170703 filed against the users of python-rsa.
This bug appears to have been reported against 'rawhide' during the Fedora 22 development cycle. Changing version to '22'. More information and reason for this action is here: https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora22
It seems like the maintainer has not responded at all to this security bug. I would ask the maintainer to please respond to it. I can help out with this package, and therefore I asked for ACL&Admin permissions for this package. I hope the maintainer will respond to those as well very soon.
python-rsa-3.3-2.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-7aa48cd8b9
python-rsa-3.3-2.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-6f526f521d
python-rsa-3.3-2.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-70edfbbcef
python-rsa-3.3-2.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-c845706426
python-rsa-3.3-2.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-7aa48cd8b9
python-rsa-3.3-2.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-6f526f521d
python-rsa-3.3-2.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-70edfbbcef
Which exact commit or piece of code is fixing this? AFAICS https://bitbucket.org/sybren/python-rsa/src/8a60d5792cd19514e049e5d9ed552b071e71b5e8/rsa/core.py?at=default&fileviewer=file-view-default is still just a naive implementation.
(In reply to Miloslav Trmač from comment #11)
> Which exact commit or piece of code is fixing this? AFAICS
> https://bitbucket.org/sybren/python-rsa/src/8a60d5792cd19514e049e5d9ed552b071e71b5e8/rsa/core.py?at=default&fileviewer=file-view-default
> is still just a naive implementation.

Sorry, you are right. This release DOES NOT fix this, while it does fix CVE-2016-1494.
python-rsa-3.3-2.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-c845706426
I was not able to remove it from the F22 release, since it was waiting to join testing, so it sent the email, but I've just edited it so that it correctly shows this post as not fixed.
python-rsa-3.4.1-1.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-6dc5678273
python-rsa-3.4.1-1.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-df2529c86c
python-rsa-3.4.1-1.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-15fb7deba0
python-rsa-3.4.1-1.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-9129aa0c6f
python-rsa-3.4.1-1.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-c3550220fe
python-rsa-3.4.1-1.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-c3550220fe
python-rsa-3.4.1-1.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-9129aa0c6f
python-rsa-3.4.1-1.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-15fb7deba0
python-rsa-3.4.1-1.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-df2529c86c
python-rsa-3.4.1-1.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-6dc5678273
python-rsa-3.4.1-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
python-rsa-3.4.1-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
python-rsa-3.4.1-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
python-rsa-3.4.1-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.
python-rsa-3.4.1-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.