PyCrypto: Weak key generation — GLSA 202007-62

A flaw in PyCrypto allows remote attackers to obtain sensitive information.

Affected packages

dev-python/pycrypto on all architectures
Affected versions <= 2.6.1-r2
Unaffected versions

Background

PyCrypto is the Python Cryptography Toolkit.

Description

It was discovered that PyCrypto incorrectly generated ElGamal key parameters.

Impact

Attackers may be able to obtain sensitive information by reading ciphertext data.

Workaround

There is no known workaround at this time.

Resolution

Gentoo has discontinued support for PyCrypto. We recommend that users unmerge PyCrypto:

# emerge --unmerge "dev-python/pycrypto"

NOTE: The Gentoo developer(s) maintaining PyCrypto have discontinued support at this time. PyCryptodome is the canonical successor to PyCrypto.
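
To find what still depends on PyCrypto around the unmerge, the following added example (not part of this GLSA or of Gentoo's tooling) scans requirements-style lines and the current interpreter's installed distributions for the pycrypto distribution, without flagging PyCryptodome. The function names and sample lines are constructed for illustration, and only name-based requirement lines are handled.

```python
import re
from importlib import metadata

TARGET = "pycrypto"  # PEP 503 normalized name of the affected distribution

# Constructed sample input, not taken from any real project.
SAMPLE = [
    "requests>=2.0",
    "PyCrypto==2.6.1  # legacy pin",
    "pycryptodome>=3.9",
    "pycryptodomex",
    "-r base.txt",
    "pycrypto",
]


def normalize(name):
    """PEP 503: lowercase, runs of '-', '_' and '.' collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def requirement_name(line):
    """Normalized project name of a name-based requirement line, else None."""
    line = line.split("#", 1)[0].strip()   # drop trailing comment
    if not line or line.startswith("-"):   # blank line or pip option (-r, -e)
        return None
    match = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
    return normalize(match.group(0)) if match else None


def flag_requirements(lines):
    """(line number, text) for each line that requires PyCrypto itself."""
    return [(n, text.strip()) for n, text in enumerate(lines, 1)
            if requirement_name(text) == TARGET]


def installed_pycrypto():
    """Versions of the PyCrypto distribution visible to this interpreter."""
    found = set()
    for dist in metadata.distributions():
        try:
            name = dist.metadata.get("Name") or ""
        except Exception:                  # damaged metadata: skip entry
            continue
        if normalize(name) == TARGET:
            found.add(str(dist.version))
    return sorted(found)


if __name__ == "__main__":
    for number, text in flag_requirements(SAMPLE):
        print(f"line {number}: {text}")
    print("installed PyCrypto versions:", installed_pycrypto() or "none")
```
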

References

Release date
July 31, 2020

Latest revision
July 31, 2020: 1

Severity
normal

Exploitable
remote

Bugzilla entries