[ubuntu-dev] Bug#693372: ubuntu-dev-tools: requestsync fails "ValueError: IV must be 16 bytes long"
Michael Bienia
michael at bienia.de
Wed Jan 2 13:47:14 UTC 2013
On 2013-01-02 14:34:58 +0100, Sebastian Ramacher wrote:
> On 2013-01-02 12:35:36, Michael Bienia wrote:
> > 1: There would be an other option: to undo the change in python-crypto
> > which enforces an non-empty IV but it's not a sane option security-wise.
>
> NACK with my python-crypto maintainer hat on. I'm not opening this can
> of worms again. One CVE because of that is already one to much.
I didn't expect that this solution would be acceptable and would be
surprised if it would have become the chosen solution (I just listed it
for completeness) as it would re-open a bug and mask an other bug in
python-keyring instead of fixing it.
Michael
More information about the ubuntu-dev-team
mailing list