X2Go Bug report logs - #646
PyHoca-GUI for Windows 0.5.0.0-pre02 has PyCrypto 2.6.0 with CVE-2013-1445
Reported by: Michael DePaulo <mikedep333@gmail.com>
Date: Mon, 20 Oct 2014 13:20:01 UTC
Severity: normal
Tags: pending
Found in version 0.5.0.0-pre02
Fixed in version 0.5.0.4
Done: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
Bug is archived. No further changes may be made.
[Message part 1 (text/plain, inline)]
This is an automatic notification regarding your Bug report
which was filed against the pyhoca-gui package:
#646: PyHoca-GUI for Windows 0.5.0.0-pre02 has PyCrypto 2.6.0 with CVE-2013-1445
It has been closed by Mike Gabriel <mike.gabriel@das-netzwerkteam.de>.
Their explanation is attached below along with your original report.
If this explanation is unsatisfactory and you have not received a
better one in a separate message then please contact Mike Gabriel <mike.gabriel@das-netzwerkteam.de> by
replying to this email.
--
X2Go Bug Tracking System
Contact owner@bugs.x2go.org with problems
[Message part 2 (message/rfc822, inline)]
close #646
thanks
Hello,
we are very hopeful that X2Go issue #646 reported by you
has been resolved in the new release (0.5.0.4) of the
X2Go source project »src:pyhoca-gui«.
You can view the complete changelog entry of src:pyhoca-gui (0.5.0.4)
below, and you can use the following link to view all the code changes
between this and the last release of src:pyhoca-gui.
http://code.x2go.org/gitweb?p=pyhoca-gui.git;a=commitdiff;h=513509dcb4ef0552feb1ddaa33f2a86834606499;hp=7a414287b6ead1e4c40d6678d7d82541d267b1a9
If you feel that the issue has not been resolved satisfyingly, feel
free to reopen this bug report or submit a follow-up report with
further observations described based on the new released version
of src:pyhoca-gui.
Thanks a lot for contributing to X2Go!!!
light+love
X2Go Git Admin (on behalf of the sender of this mail)
---
X2Go Component: src:pyhoca-gui
Version: 0.5.0.4-0x2go1
Status: RELEASE
Date: Sun, 25 Jan 2015 13:08:20 +0100
Fixes: 108 646 649
Changes:
 pyhoca-gui (0.5.0.4-0x2go1) RELEASED; urgency=medium
 .
   [ Mike Gabriel ]
   * New upstream version (0.5.0.4):
     - Provide empty Turkish translation file.
 .
   [ Mark Pedersen-Cook ]
   * New upstream version (0.5.0.4):
     - Update Danish translation file. Thanks to Niels Thykier for feedback.
 .
   [ Kaan Ozdincer ]
   * New upstream version (0.5.0.4):
     - Add Turkish translation to PyHoca-GUI.
 .
   [ Mike DePaulo ]
   * New upstream version (0.5.0.4):
     - Fix win32 build (missing win32gui.pyd) (Fixes: #649)
     - Windows: Install VcXsrv "misc" fonts by default, and make all 4 font
       groups optional: misc, 75dpi, 100dpi and others (Fixes: #108)
       Note: The fact that all the fonts are included makes the installer about
       30MB larger.
     - Windows: Upgrade from VcXsrv-xp 1.14.3.2 to
       VcXsrv 1.15.2.2-xp+vc2013+x2go1
       This new major version includes security fixes such as:
         OpenSSL update to 1.0.1k
         xorg-server CVE-2014-8091..8103 fixes
     - Windows: Update nxproxy's Cygwin libraries from the
       latest versions as of 2014-06-09 to the
       latest versions as of 2014-10-18.
     - Windows: Update bundled Python to 2.7.9
     - Windows: Update bundled Python libraries to latest versions
       as of 2015-01-24 (Fixes: #646)
[Message part 3 (message/rfc822, inline)]
package: pyhoca-gui
version: 0.5.0.0-pre02
NOTE: This bug is specifically about the Windows builds of PyHoca-GUI.
When I built PyHoca-GUI 0.5.0.0-pre02 for Windows, I used the
latest Windows build of PyCrypto, 2.6, available here (and linked to
from the wiki):
http://www.voidspace.org.uk/python/modules.shtml#pycrypto
Unfortunately, there is a vulnerability (CVE-2013-1445) in 2.6. 2.6.1
was released to fix it:
https://github.com/dlitz/pycrypto/blob/7fd528d03b5eae58eef6fd219af5d9ac9c83fa50/ChangeLog
I am attempting to find a Windows build of PyCrypto 2.6.1 for Python
2.7 32-bit. This is blocking my release of PyHoca-GUI 0.5.0.0 for
Windows. If I cannot find one, I will try to build PyCrypto 2.6.1
myself. I welcome any help.
-Mike#2
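
A build-time check for the situation this report describes, added here as an example; it is not part of the bug log or of the X2Go project's code. It walks a staging directory for bundled copies of PyCrypto and rejects any older than 2.6.1, the release the report names as fixing CVE-2013-1445. It assumes PyCrypto is staged as an unpacked Crypto/ package whose __init__.py carries a __version__ string; the function names and the sample tree are hypothetical.

```python
import os
import re
import tempfile

FIXED = (2, 6, 1)  # first PyCrypto release with the CVE-2013-1445 fix, per the report

VERSION_RE = re.compile(r"^__version__\s*=\s*['\"](\d+)\.(\d+)(?:\.(\d+))?", re.M)


def pycrypto_version(init_path):
    """Read __version__ from Crypto/__init__.py as text, without importing
    the bundled package. Returns (major, minor, patch) or None if absent."""
    with open(init_path, encoding="utf-8", errors="replace") as fh:
        match = VERSION_RE.search(fh.read())
    if match is None:
        return None
    return tuple(int(part or 0) for part in match.groups())


def audit_bundle(root):
    """Return [(package_dir, version, ok)] for every Crypto package under root.
    A copy whose version cannot be read is reported as not ok (fail closed)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if os.path.basename(dirpath) == "Crypto" and "__init__.py" in files:
            ver = pycrypto_version(os.path.join(dirpath, "__init__.py"))
            findings.append((dirpath, ver, ver is not None and ver >= FIXED))
    return findings


def demo():
    """Constructed sample tree: one stale copy (2.6) and one fixed copy (2.6.1)."""
    root = tempfile.mkdtemp()
    for name, ver in (("old-build", "2.6"), ("new-build", "2.6.1")):
        pkg = os.path.join(root, name, "site-packages", "Crypto")
        os.makedirs(pkg)
        with open(os.path.join(pkg, "__init__.py"), "w") as fh:
            fh.write('__version__ = "%s"\n' % ver)
    return sorted((ver, ok) for _path, ver, ok in audit_bundle(root))


if __name__ == "__main__":
    for ver, ok in demo():
        print(ver, "OK" if ok else "REJECT: older than 2.6.1")
```

A frozen build that ships only compiled modules inside an archive has no __init__.py to read, so this check belongs in the staging step before packaging.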
X2Go Developers <owner@bugs.x2go.org>.
Last modified:
Wed Dec 4 08:32:20 2024;
Machine Name:
ymir.das-netzwerkteam.de