Closed mitya57 closed 8 years ago
The same applies to tlslite (another security-sensitive piece of software, affected by i.e. CVE-2014-3566, CVE-2013-0169 and CVE-2011-3389). There are two embedded copies of tlslite in the current git.
Hum, I reported this bug in March, and haven't got a single response. I don't think this is how security issues should be treated, especially for something developed by Google. This package doesn't seem to be abandoned (last commit 2 weeks ago), and the bug in question isn't that difficult to fix (the easiest way would be to just drop the embedded stuff, as I suggested).
@aliafshar — any comments?
Yes, sorry, this library is really only in "accepts contributions" mode. I agree with you though, we should fix this. Can you help, please? Seems like a not-too-difficult change. BUT of course changing anything with a Python library this old can have many unwanted side effects.
Ok, submitted as #36.
Gdata-python-client currently has a bundled copy of PyCrypto v2.0.1 (in `src/gdata/Crypto/`). But the website says:

There were also other vulnerabilities found, like CVE-2012-05-25 (insecure ElGamal key generation).
As PyCrypto is security-sensitive software, I think the best thing would be to remove it from the Git/tarballs and tell users to use the version from PyPI instead.
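The underlying problem in this thread is a vendored (embedded) copy of a security-sensitive library that never gets updated. The following is an added example, not code from gdata-python-client or from any commenter, of a small scanner a maintainer or reviewer could run over a checkout to catch exactly that: it walks a source tree, finds package directories named like the watched libraries (`Crypto` for PyCrypto, `tlslite`), reads the `__version__` string from each package's `__init__.py`, and flags copies older than a minimum acceptable version. The minimum versions in `WATCHED` and the sample tree built by `build_sample_tree()` are constructed for illustration and are not taken from the project; the check generalizes to any package name you add to `WATCHED`.

```python
"""Detect vendored copies of security-sensitive Python packages in a source tree.

Added example (not part of gdata-python-client). Minimum versions and the
sample tree are constructed assumptions for illustration.
"""
import os
import re
import tempfile

# Package directory name -> (human-readable name, minimum acceptable version).
# These thresholds are constructed for the example, not authoritative.
WATCHED = {
    "Crypto": ("PyCrypto", (2, 6, 1)),
    "tlslite": ("tlslite", (0, 4, 9)),
}

# Matches `__version__ = "1.2.3"` or `version = '1.2.3'` at line start.
_VERSION_RE = re.compile(
    r"""^\s*(?:__version__|version)\s*=\s*['"]([0-9][0-9A-Za-z.]*)['"]""",
    re.MULTILINE,
)


def parse_version(text):
    """Turn '2.0.1' or '0.3.8a' into a comparable tuple of ints (2, 0, 1)."""
    return tuple(int(piece) for piece in re.findall(r"\d+", text))


def read_package_version(init_path):
    """Return the version string declared in an __init__.py, or None."""
    with open(init_path, encoding="utf-8", errors="replace") as fh:
        match = _VERSION_RE.search(fh.read())
    return match.group(1) if match else None


def find_vendored(root):
    """Walk `root` and report every watched package directory found.

    Each finding records the relative path, the declared version (None if
    missing) and whether it is below the minimum acceptable version.
    A missing version string is treated as outdated: unknown is not safe.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        name = os.path.basename(dirpath)
        if name in WATCHED and "__init__.py" in filenames:
            human, minimum = WATCHED[name]
            version = read_package_version(os.path.join(dirpath, "__init__.py"))
            outdated = version is None or parse_version(version) < minimum
            findings.append({
                "package": human,
                "path": os.path.relpath(dirpath, root),
                "version": version,
                "outdated": outdated,
            })
            dirnames[:] = []  # do not descend into the vendored package itself
    return sorted(findings, key=lambda f: f["path"])


def build_sample_tree():
    """Create a constructed checkout with two stale vendored copies and one fresh one."""
    root = tempfile.mkdtemp(prefix="vendored-scan-")
    samples = {
        os.path.join("src", "gdata", "Crypto"): "__version__ = '2.0.1'\n",
        os.path.join("src", "gdata", "tlslite"): '__version__ = "0.3.8"\n',
        os.path.join("vendor", "Crypto"): "__version__ = '2.6.1'\n",
    }
    for rel, body in samples.items():
        pkg = os.path.join(root, rel)
        os.makedirs(pkg)
        with open(os.path.join(pkg, "__init__.py"), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


def scan_and_report(root):
    """Print findings and return those that are outdated."""
    findings = find_vendored(root)
    for f in findings:
        state = "OUTDATED" if f["outdated"] else "ok"
        print(f"{state:8} {f['package']:<9} {f['version'] or '?':<7} {f['path']}")
    return [f for f in findings if f["outdated"]]


if __name__ == "__main__":
    scan_and_report(build_sample_tree())
```

Run against a real checkout by calling `scan_and_report("/path/to/checkout")`; a non-empty return value is the signal that a vendored copy needs to be dropped in favour of the PyPI package or at least updated.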