lib/Crypto/PublicKey/ElGamal.py in PyCrypto through 2.6.1 generates weak ElGamal key parameters, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). External References: https://github.com/TElgamal/attack-on-pycrypto-elgamal https://github.com/Legrandin/pycryptodome/issues/90 Upstream Issue: https://github.com/dlitz/pycrypto/issues/253
Created python-crypto tracking bugs for this issue: Affects: epel-all [bug 1542315] Affects: fedora-all [bug 1542314]
The Red Hat OpenStack packages that use functionality from the python-crypto libraries do not use the ElGamal functionality. Whilst the python-crypto code shipped is vulnerable, the vulnerable functionality is not used. Therefore, the Red Hat OpenStack python-crypto package will not be fixed at this stage.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2018-6594