[ubuntu-dev] Bug#693372: ubuntu-dev-tools: requestsync fails "ValueError: IV must be 16 bytes long"
Vincent Cheng
vincentc1208 at gmail.com
Thu Jan 17 06:17:40 UTC 2013
On Wed, Jan 16, 2013 at 3:02 PM, Sebastian Ramacher
<sramacher at debian.org> wrote:
> On 2013-01-02 14:34:58, Sebastian Ramacher wrote:
>> On 2013-01-02 12:35:36, Michael Bienia wrote:
>> > On 2012-12-30 18:40:23 -0800, Vincent Cheng wrote:
>> > Hi,
>> >
>> > > Michael: the reason why python-keyring can't migrate to testing right
>> > > now is because Debian is in freeze, and updates such as new upstream
>> > > releases don't comply with the freeze policy [1]. Is there a way to
>> > > fix this bug with the current version of python-keyring in testing
>> > > instead?
>> >
>> > There is no other way than to "fix" (by either backporting the fix or
>> > allowing python-keyring to migrate) python-keyring in testing[1]. The
>> > current python-keyring from testing doesn't (partly) work with
>> > python-crypto from testing as python-keyring from testing uses an empty
>> > initialisation vector for the cypher to encrypt the keyring. Older
>> > version of python-crypto wrongly allowed this but it got fixed in
>> > python-crypto 2.6 which migrated to testing while a fixed python-keyring
>> > didn't.
>> >
>> > So someone needs to talk to the release team and security team how to
>> > resolve the current situation regarding python-keyring by either
>> > backporting the fix from python-keyring 0.9.1 to 0.7.1 or letting
>> > python-keyring migrate:
>>
>> I'll check if the changes are easily backportable. There is also another
>> CVE that is unfixed in wheezy.
>
> python-keyring 0.7.1-1+deb7u1 is now available in wheezy and all issues
> with the newer python-crypto should be fixed.
>
Thanks! I can confirm that requestbackport works as intended now with
the current versions of python-keyring and -crypto in wheezy.
Regards,
Vincent
More information about the ubuntu-dev-team
mailing list