X2Go Bug report logs - #646
PyHoca-GUI for Windows 0.5.0.0-pre02 has PyCrypto 2.6.0 with CVE-2013-1445

Toggle useless messages

Message #5 received at submit@bugs.x2go.org (full text, mbox, reply):

From: Michael DePaulo <mikedep333@gmail.com>

To: submit@bugs.x2go.org

Subject: PyHoca-GUI for Windows 0.5.0.0-pre02 has PyCrypto 2.6.0 with CVE-2013-1445

Date: Mon, 20 Oct 2014 09:18:09 -0400

package: pyhoca-gui
version: 0.5.0.0-pre02

NOTE: This bug is specifically about the Windows builds of PyHoca-GUI.

When I built PyHoca-GUI 0.5.0.0-pre02 for for Windows, I used the
latest Windows build of PyCrypto, 2.6, available here (and linked to
from the wiki):
http://www.voidspace.org.uk/python/modules.shtml#pycrypto

Unfortunately, there is a vulnerability (CVE-2013-1445) in 2.6. 2.6.1
was released to fix it:
https://github.com/dlitz/pycrypto/blob/7fd528d03b5eae58eef6fd219af5d9ac9c83fa50/ChangeLog

I am attempting to find a Windows build of PyCrypto 2.6.1 for Python
2.7 32-bit. This is blocking my release of PyHoca-GUI 0.5.0.0 for
Windows. if I cannot find one, I will try to build PyCrypto 2.6.1
myself. I welcome any help.

-Mike#2

Message #10 received at 646@bugs.x2go.org (full text, mbox, reply):

From: Michael DePaulo <mikedep333@gmail.com>

To: 646@bugs.x2go.org

Subject: Found a build!

Date: Mon, 20 Oct 2014 09:34:35 -0400

http://blog.tkbe.org/archive/pre-compiled-binaries-for-pycrypto-2-6-1-py27-on-win7/

In case that blog ever goes down, here are the direct links and md5sums:

https://www.dropbox.com/s/8kf7vrlc59bxqi3/pycrypto-2.6.1-cp27-none-win32.whl?dl=0
aa791ce84cc2713f468fcc759154f47f

https://www.dropbox.com/s/nd6h6ay0z4u6u0o/pycrypto-2.6.1.win32-py2.7.exe?dl=0
1a8cec46705cc83fcd77d24b6c9d079c

Message #15 received at 646@bugs.x2go.org (full text, mbox, reply):

From: Mike DePaulo <mikedep333@gmail.com>

To: 646-submitter@bugs.x2go.org

Cc: control@bugs.x2go.org, 646@bugs.x2go.org

Subject: X2Go issue (in src:pyhoca-gui) has been marked as pending for release

Date: Sat, 24 Jan 2015 21:04:15 +0100 (CET)

tag #646 pending
fixed #646 0.5.0.4
thanks

Hello,

X2Go issue #646 (src:pyhoca-gui) reported by you has been
fixed in X2Go Git. You can see the changelog below, and you can
check the diff of the fix at:

    http://code.x2go.org/gitweb?p=pyhoca-gui.git;a=commitdiff;h=06284de

The issue will most likely be fixed in src:pyhoca-gui (0.5.0.4).

light+love
X2Go Git Admin (on behalf of the sender of this mail)

---
commit 06284de76076ac1cd27b7a979ca7087498e41f40
Author: Mike DePaulo <mikedep333@gmail.com>
Date:   Sat Jan 24 15:03:49 2015 -0500

    Update changelog about Python (lib) updates

diff --git a/debian/changelog b/debian/changelog
index 3b15a2e..6decc15 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -27,6 +27,9 @@ pyhoca-gui (0.5.0.4-0x2go1) UNRELEASED; urgency=medium
     - Windows: Update nxproxy's Cygwin libraries from the
       latest versions as of 2014-06-09 to the
       latest versions as of 2014-10-18.
+    - Windows: Update python from 2.7.8 to 2.7.9
+    - Windows: Update bundled Python libraries to latest versions
+      as of 2015-01-24 (Fixes: #646)
 
  -- Mike Gabriel <mike.gabriel@das-netzwerkteam.de>  Thu, 27 Nov 2014 12:34:20 +0100
 

Message #27 received at 646@bugs.x2go.org (full text, mbox, reply):

From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>

To: 646-submitter@bugs.x2go.org

Cc: control@bugs.x2go.org, 646@bugs.x2go.org

Subject: X2Go issue (in src:pyhoca-gui) has been marked as closed

Date: Sun, 25 Jan 2015 13:10:37 +0100 (CET)

close #646
thanks

Hello,

we are very hopeful that X2Go issue #646 reported by you
has been resolved in the new release (0.5.0.4) of the
X2Go source project »src:pyhoca-gui«.

You can view the complete changelog entry of src:pyhoca-gui (0.5.0.4)
below, and you can use the following link to view all the code changes
between this and the last release of src:pyhoca-gui.

    http://code.x2go.org/gitweb?p=pyhoca-gui.git;a=commitdiff;h=513509dcb4ef0552feb1ddaa33f2a86834606499;hp=7a414287b6ead1e4c40d6678d7d82541d267b1a9

If you feel that the issue has not been resolved satisfyingly, feel
free to reopen this bug report or submit a follow-up report with
further observations described based on the new released version
of src:pyhoca-gui.

Thanks a lot for contributing to X2Go!!!

light+love
X2Go Git Admin (on behalf of the sender of this mail)

---
X2Go Component: src:pyhoca-gui
Version: 0.5.0.4-0x2go1
Status: RELEASE
Date: Sun, 25 Jan 2015 13:08:20 +0100
Fixes: 108 646 649
Changes: 
 pyhoca-gui (0.5.0.4-0x2go1) RELEASED; urgency=medium
 .
   [ Mike Gabriel ]
   * New upstream version (0.5.0.4):
     - Provide empty Turkish translation file.
 .
   [ Mark Pedersen-Cook ]
   * New upstream version (0.5.0.4):
     - Update Danish translation file. Thanks to Niels Thykier for feedback.
 .
   [ Kaan Ozdincer ]
   * New upstream version (0.5.0.4):
     - Add Turkish translation to PyHoca-GUI.
 .
   [ Mike DePaulo ]
   * New upstream version (0.5.0.4):
     - Fix win32 build (missing win32gui.pyd) (Fixes: #649)
     - Windows: Install VcXsrv "misc" fonts by default, and make all 4 font
       groups optional: misc, 75dpi, 100dpi and others (Fixes: #108)
       Note: The fact that all the fonts are included makes the installer about
       30MB larger.
     - Windows: Upgrade from VcXsrv-xp 1.14.3.2 to
       VcXsrv 1.15.2.2-xp+vc2013+x2go1
       This new major version includes security fixes such as:
       OpenSSL update to 1.0.1k
       xorg-server CVE-2014-8091..8103 fixes
     - Windows: Update nxproxy's Cygwin libraries from the
       latest versions as of 2014-06-09 to the
       latest versions as of 2014-10-18.
     - Windows: Update bundled Python to 2.7.9
     - Windows: Update bundled Python libraries to latest versions
       as of 2015-01-24 (Fixes: #646)

Send a report that this bug log contains spam.