A heap-buffer overflow vulnerability was discovered in cryptopp. This vulnerability can be used to remotely gain access to shell. References: http://seclists.org/oss-sec/2016/q4/760 https://pony7.fr/ctf:public:32c3:cryptmsg Upstream bug: https://github.com/dlitz/pycrypto/issues/176
Is EL-6's python-cryoto package not affected by this?
Whoops, typo there, I meant python-crypto.
Hi, Is this fix available as a part of pycrypto-2.6.1-py2.py3-none-any.whl. If not then in which release it will be bundled?? Thanks in advance.
There is no upstream release containing a fix for this issue, and there's no real prospect of there being one any time soon. The lack of a fix for this is leading many other projects to move away from python-crypto (pycrypto) to other libraries such as python-cryptography instead.
(In reply to Paul Howarth from comment #4) > There is no upstream release containing a fix for this issue, and there's no > real prospect of there being one any time soon. > > The lack of a fix for this is leading many other projects to move away from > python-crypto (pycrypto) to other libraries such as python-cryptography > instead. Tku for the prompt reply
RHUI 3 doesn't appear to use the affected code, emailed them to confirm, no reply yet.
kseifried advised that RHUI is unaffected.