[ubuntu-dev] Bug#693372: ubuntu-dev-tools: requestsync fails "ValueError: IV must be 16 bytes long"

Sebastian Ramacher sramacher at debian.org
Wed Jan 16 23:02:43 UTC 2013


On 2013-01-02 14:34:58, Sebastian Ramacher wrote:
> On 2013-01-02 12:35:36, Michael Bienia wrote:
> > On 2012-12-30 18:40:23 -0800, Vincent Cheng wrote:
> > Hi,
> > 
> > > Michael: the reason why python-keyring can't migrate to testing right
> > > now is because Debian is in freeze, and updates such as new upstream
> > > releases don't comply with the freeze policy [1]. Is there a way to
> > > fix this bug with the current version of python-keyring in testing
> > > instead?
> > 
> > There is no other way than to "fix" (by either backporting the fix or
> > allowing python-keyring to migrate) python-keyring in testing[1]. The
> > current python-keyring from testing doesn't (partly) work with
> > python-crypto from testing as python-keyring from testing uses an empty
> > initialisation vector for the cypher to encrypt the keyring. Older
> > versions of python-crypto wrongly allowed this but it got fixed in
> > python-crypto 2.6 which migrated to testing while a fixed python-keyring
> > didn't.
> > 
> > So someone needs to talk to the release team and security team about
> > how to resolve the current situation regarding python-keyring by either
> > backporting the fix from python-keyring 0.9.1 to 0.7.1 or letting
> > python-keyring migrate:
> 
> I'll check if the changes are easily backportable. There is also another
> CVE that is unfixed in wheezy.

python-keyring 0.7.1-1+deb7u1 is now available in wheezy and all issues
with the newer python-crypto should be fixed.

Cheers
-- 
Sebastian Ramacher