#2094 closed defect (somebody else's problem)
rebuild (if necessary) PyCrypto eggs to use libgmp >= 5, to mitigate RSA timing attack
Reported by: | daira | Owned by: | |
---|---|---|---|
Priority: | normal | Milestone: | undecided |
Component: | packaging | Version: | 1.10.0 |
Keywords: | pycrypto-lib libgmp rsa security sftp packaging eggs packaging | Cc: | |
Launchpad Bug: |
Description
The PyCrypto eggs at https://tahoe-lafs.org/source/tahoe-lafs/deps/tahoe-dep-eggs/ may need to be rebuilt against libgmp >= 5 in order to mitigate a timing attack. I don't know what libgmp versions the eggs currently hosted there are built against. See also #1586, which suppressed the (mostly useless to end-users) warning about this.
Change History (5)
comment:1 Changed at 2014-09-07T17:23:36Z by daira
- Keywords openitp-packaging added
comment:2 Changed at 2014-09-25T15:54:03Z by daira
- Keywords openitp-packaging removed
comment:3 Changed at 2016-03-25T20:29:40Z by daira
comment:4 Changed at 2016-03-25T20:31:01Z by daira
- Resolution set to somebody else's problem
- Status changed from new to closed
comment:5 Changed at 2016-03-27T13:20:32Z by daira
The Twisted ticket to stop depending on gmpy is https://twistedmatrix.com/trac/ticket/8079.
Note: See
TracTickets for help on using
tickets.
Twisted 16.0.0 removed their dependency on PyCrypto.
Note that the cryptography library still uses the Python stdlib's pow function when gmpy is not installed, and so 'may' be vulnerable to the same timing attack. gmpy is no longer maintained; cryptography should probably switch to gmpy2 which has binary wheels.