X2Go Bug report logs - #646
PyHoca-GUI for Windows 0.5.0.0-pre02 has PyCrypto 2.6.0 with CVE-2013-1445

Package: pyhoca-gui; Maintainer for pyhoca-gui is X2Go Developers <x2go-dev@lists.x2go.org>; Source for pyhoca-gui is src:pyhoca-gui.

Reported by: Michael DePaulo <mikedep333@gmail.com>

Date: Mon, 20 Oct 2014 13:20:01 UTC

Severity: normal

Tags: pending

Found in version 0.5.0.0-pre02

Fixed in version 0.5.0.4

Done: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>

Bug is archived. No further changes may be made.


Report forwarded to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#646; Package pyhoca-gui. (Mon, 20 Oct 2014 13:20:01 GMT)

Acknowledgement sent to Michael DePaulo <mikedep333@gmail.com>:
New Bug report received and forwarded. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>. (Mon, 20 Oct 2014 13:20:01 GMT)

Message #5 received at submit@bugs.x2go.org:

From: Michael DePaulo <mikedep333@gmail.com>
To: submit@bugs.x2go.org
Subject: PyHoca-GUI for Windows 0.5.0.0-pre02 has PyCrypto 2.6.0 with CVE-2013-1445
Date: Mon, 20 Oct 2014 09:18:09 -0400
package: pyhoca-gui
version: 0.5.0.0-pre02

NOTE: This bug is specifically about the Windows builds of PyHoca-GUI.

When I built PyHoca-GUI 0.5.0.0-pre02 for Windows, I used the
latest Windows build of PyCrypto, 2.6, available here (and linked to
from the wiki):
http://www.voidspace.org.uk/python/modules.shtml#pycrypto

Unfortunately, there is a vulnerability (CVE-2013-1445) in 2.6. 2.6.1
was released to fix it:
https://github.com/dlitz/pycrypto/blob/7fd528d03b5eae58eef6fd219af5d9ac9c83fa50/ChangeLog

I am attempting to find a Windows build of PyCrypto 2.6.1 for Python
2.7 32-bit. This is blocking my release of PyHoca-GUI 0.5.0.0 for
Windows. If I cannot find one, I will try to build PyCrypto 2.6.1
myself. I welcome any help.

-Mike#2


Information forwarded to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#646; Package pyhoca-gui. (Mon, 20 Oct 2014 13:35:01 GMT)

Acknowledgement sent to Michael DePaulo <mikedep333@gmail.com>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>. (Mon, 20 Oct 2014 13:35:01 GMT)

Message #10 received at 646@bugs.x2go.org:

From: Michael DePaulo <mikedep333@gmail.com>
To: 646@bugs.x2go.org
Subject: Found a build!
Date: Mon, 20 Oct 2014 09:34:35 -0400
http://blog.tkbe.org/archive/pre-compiled-binaries-for-pycrypto-2-6-1-py27-on-win7/

In case that blog ever goes down, here are the direct links and md5sums:

https://www.dropbox.com/s/8kf7vrlc59bxqi3/pycrypto-2.6.1-cp27-none-win32.whl?dl=0
aa791ce84cc2713f468fcc759154f47f

https://www.dropbox.com/s/nd6h6ay0z4u6u0o/pycrypto-2.6.1.win32-py2.7.exe?dl=0
1a8cec46705cc83fcd77d24b6c9d079c
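
A build-time check based on the two facts in this thread, as an added example that is not part of the original messages or of PyHoca-GUI: it rejects a bundled PyCrypto artifact older than 2.6.1 and compares the file's MD5 with the value recorded above. The function names, the sample bytes and the 2.6 installer file name are assumptions constructed for illustration.

```python
import hashlib
import re

FIXED = (2, 6, 1)  # first release with the CVE-2013-1445 fix, per the report

# MD5 values quoted in the message above, keyed by artifact file name.
# MD5 is what the thread records; it detects a changed file but is not
# collision-resistant.
RECORDED_MD5 = {
    "pycrypto-2.6.1-cp27-none-win32.whl": "aa791ce84cc2713f468fcc759154f47f",
    "pycrypto-2.6.1.win32-py2.7.exe": "1a8cec46705cc83fcd77d24b6c9d079c",
}

_NAME = re.compile(r"^pycrypto-(\d+(?:\.\d+)*)[-.]", re.IGNORECASE)


def artifact_version(filename):
    """Return the version tuple encoded in a PyCrypto wheel or installer name."""
    match = _NAME.match(filename)
    if match is None:
        raise ValueError("not a PyCrypto artifact: %r" % filename)
    return tuple(int(part) for part in match.group(1).split("."))


def check_artifact(filename, data, recorded=RECORDED_MD5):
    """Return a list of findings; an empty list means the artifact passes."""
    findings = []
    version = artifact_version(filename)
    if version < FIXED:
        findings.append("version %s predates 2.6.1" % ".".join(map(str, version)))
    expected = recorded.get(filename)
    if expected is None:
        findings.append("no recorded digest for this file")
    else:
        actual = hashlib.md5(data).hexdigest()
        if actual != expected.lower():
            findings.append("md5 mismatch: got %s" % actual)
    return findings


# Constructed sample: stand-in bytes, not the real binaries from the thread.
SAMPLE = b"constructed stand-in for a PyCrypto wheel"
SAMPLE_TABLE = {"pycrypto-2.6.1-cp27-none-win32.whl": hashlib.md5(SAMPLE).hexdigest()}

if __name__ == "__main__":
    for name, table in (("pycrypto-2.6.1-cp27-none-win32.whl", SAMPLE_TABLE),
                        ("pycrypto-2.6.1-cp27-none-win32.whl", RECORDED_MD5),
                        ("pycrypto-2.6.win32-py2.7.exe", RECORDED_MD5)):
        print(name, check_artifact(name, SAMPLE, table) or "OK")
```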


Information forwarded to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#646; Package pyhoca-gui. (Sat, 24 Jan 2015 20:05:02 GMT)

Acknowledgement sent to Mike DePaulo <mikedep333@gmail.com>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>. (Sat, 24 Jan 2015 20:05:02 GMT)

Message #15 received at 646@bugs.x2go.org:

From: Mike DePaulo <mikedep333@gmail.com>
To: 646-submitter@bugs.x2go.org
Cc: control@bugs.x2go.org, 646@bugs.x2go.org
Subject: X2Go issue (in src:pyhoca-gui) has been marked as pending for release
Date: Sat, 24 Jan 2015 21:04:15 +0100 (CET)
tag #646 pending
fixed #646 0.5.0.4
thanks

Hello,

X2Go issue #646 (src:pyhoca-gui) reported by you has been
fixed in X2Go Git. You can see the changelog below, and you can
check the diff of the fix at:

    http://code.x2go.org/gitweb?p=pyhoca-gui.git;a=commitdiff;h=06284de

The issue will most likely be fixed in src:pyhoca-gui (0.5.0.4).

light+love
X2Go Git Admin (on behalf of the sender of this mail)

---
commit 06284de76076ac1cd27b7a979ca7087498e41f40
Author: Mike DePaulo <mikedep333@gmail.com>
Date:   Sat Jan 24 15:03:49 2015 -0500

    Update changelog about Python (lib) updates

diff --git a/debian/changelog b/debian/changelog
index 3b15a2e..6decc15 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -27,6 +27,9 @@ pyhoca-gui (0.5.0.4-0x2go1) UNRELEASED; urgency=medium
     - Windows: Update nxproxy's Cygwin libraries from the
       latest versions as of 2014-06-09 to the
       latest versions as of 2014-10-18.
+    - Windows: Update python from 2.7.8 to 2.7.9
+    - Windows: Update bundled Python libraries to latest versions
+      as of 2015-01-24 (Fixes: #646)
 
  -- Mike Gabriel <mike.gabriel@das-netzwerkteam.de>  Thu, 27 Nov 2014 12:34:20 +0100
 
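Review bot: The added entry "Update bundled Python libraries to latest versions as of 2015-01-24 (Fixes: #646)" closes a CVE report without naming the library, its version or the CVE, so the changelog alone does not show which bundled component was vulnerable or which release carries the fix. Name PyCrypto, the version now bundled and CVE-2013-1445 in that entry, and state the old and new version the way the Python line above it does ("from 2.7.8 to 2.7.9"). "Latest versions as of" a date cannot be reproduced from the changelog; listing the library versions would let a later audit check the Windows build against them.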


Added tag(s) pending. Request was from Mike DePaulo <mikedep333@gmail.com> to control@bugs.x2go.org. (Sat, 24 Jan 2015 20:05:03 GMT)

Marked as fixed in versions 0.5.0.4. Request was from Mike DePaulo <mikedep333@gmail.com> to control@bugs.x2go.org. (Sat, 24 Jan 2015 20:05:03 GMT)

Message sent on to Michael DePaulo <mikedep333@gmail.com>:
Bug#646. (Sat, 24 Jan 2015 20:05:03 GMT)

Information forwarded to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#646; Package pyhoca-gui. (Sun, 25 Jan 2015 12:15:03 GMT)

Acknowledgement sent to Mike Gabriel <mike.gabriel@das-netzwerkteam.de>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>. (Sun, 25 Jan 2015 12:15:03 GMT)

Message #27 received at 646@bugs.x2go.org:

From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
To: 646-submitter@bugs.x2go.org
Cc: control@bugs.x2go.org, 646@bugs.x2go.org
Subject: X2Go issue (in src:pyhoca-gui) has been marked as closed
Date: Sun, 25 Jan 2015 13:10:37 +0100 (CET)
close #646
thanks

Hello,

we are very hopeful that X2Go issue #646 reported by you
has been resolved in the new release (0.5.0.4) of the
X2Go source project »src:pyhoca-gui«.

You can view the complete changelog entry of src:pyhoca-gui (0.5.0.4)
below, and you can use the following link to view all the code changes
between this and the last release of src:pyhoca-gui.

    http://code.x2go.org/gitweb?p=pyhoca-gui.git;a=commitdiff;h=513509dcb4ef0552feb1ddaa33f2a86834606499;hp=7a414287b6ead1e4c40d6678d7d82541d267b1a9

If you feel that the issue has not been resolved satisfyingly, feel
free to reopen this bug report or submit a follow-up report with
further observations described based on the new released version
of src:pyhoca-gui.

Thanks a lot for contributing to X2Go!!!

light+love
X2Go Git Admin (on behalf of the sender of this mail)

---
X2Go Component: src:pyhoca-gui
Version: 0.5.0.4-0x2go1
Status: RELEASE
Date: Sun, 25 Jan 2015 13:08:20 +0100
Fixes: 108 646 649
Changes: 
 pyhoca-gui (0.5.0.4-0x2go1) RELEASED; urgency=medium
 .
   [ Mike Gabriel ]
   * New upstream version (0.5.0.4):
     - Provide empty Turkish translation file.
 .
   [ Mark Pedersen-Cook ]
   * New upstream version (0.5.0.4):
     - Update Danish translation file. Thanks to Niels Thykier for feedback.
 .
   [ Kaan Ozdincer ]
   * New upstream version (0.5.0.4):
     - Add Turkish translation to PyHoca-GUI.
 .
   [ Mike DePaulo ]
   * New upstream version (0.5.0.4):
     - Fix win32 build (missing win32gui.pyd) (Fixes: #649)
     - Windows: Install VcXsrv "misc" fonts by default, and make all 4 font
       groups optional: misc, 75dpi, 100dpi and others (Fixes: #108)
       Note: The fact that all the fonts are included makes the installer about
       30MB larger.
     - Windows: Upgrade from VcXsrv-xp 1.14.3.2 to
       VcXsrv 1.15.2.2-xp+vc2013+x2go1
       This new major version includes security fixes such as:
       OpenSSL update to 1.0.1k
       xorg-server CVE-2014-8091..8103 fixes
     - Windows: Update nxproxy's Cygwin libraries from the
       latest versions as of 2014-06-09 to the
       latest versions as of 2014-10-18.
     - Windows: Update bundled Python to 2.7.9
     - Windows: Update bundled Python libraries to latest versions
       as of 2015-01-24 (Fixes: #646)


Marked Bug as done Request was from Mike Gabriel <mike.gabriel@das-netzwerkteam.de> to control@bugs.x2go.org. (Sun, 25 Jan 2015 12:15:07 GMT)

Notification sent to Michael DePaulo <mikedep333@gmail.com>:
Bug acknowledged by developer. (Sun, 25 Jan 2015 12:15:08 GMT)

Message sent on to Michael DePaulo <mikedep333@gmail.com>:
Bug#646. (Sun, 25 Jan 2015 12:15:10 GMT)

Bug archived. Request was from Debbugs Internal Request <owner@bugs.x2go.org> to internal_control@bugs.x2go.org. (Mon, 23 Feb 2015 06:24:01 GMT)


X2Go Developers <owner@bugs.x2go.org>. Last modified: Thu Apr 18 10:33:50 2019; Machine Name: ymir.das-netzwerkteam.de
