"PowmInsecureWarning: Not using mpz_powm_sec" warning from PyCrypto #1586
Reference: tahoe-lafs/trac-2024-07-25#1586
No description provided.
This warning occurs when importing PyCrypto 2.4.1 (possibly depending on how the PyCrypto egg for the current platform was built):
We probably just need to accelerate the programme to get rid of our dependency (via Twisted) on PyCrypto: http://twistedmatrix.com/trac/ticket/4633
In changeset:4b80299fddd7ece4:
In changeset:5649/ticket999-S3-backend:
I reviewed changeset:4b80299fddd7ece4 and saw no problem with it.
This was apparently fixed by the warning-suppression patch [4b80299fddd7ece4].
Well, the potential timing vulnerability is not fixed. (It affects only the SFTP frontend, and is documented at wiki/SftpFrontend#Security, which I just updated to reflect that PyCrypto 2.4.1 is still vulnerable.)
As the message clearly says, someone "should rebuild [PyCrypto] using libgmp >= 5". Reopening in order to close as "somebody else's problem".
Actually, maybe this is partly our problem after all, since we build the PyCrypto eggs that are hosted at https://tahoe-lafs.org/source/tahoe-lafs/deps/tahoe-dep-eggs. Filed as #2094.
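An added example, not part of this ticket or of Tahoe-LAFS: a deployment check that surfaces the PowmInsecureWarning instead of silencing it, so an operator can tell whether the installed PyCrypto egg needs rebuilding against libgmp >= 5 before exposing the SFTP frontend. It assumes that the warning text contains the substring `mpz_powm_sec` (as in the message quoted above) and that importing `Crypto.PublicKey.RSA` is what pulls in PyCrypto's `_fastmath` extension and triggers the warning; the function names are my own.

```python
"""
Detect a PyCrypto build that lacks the constant-time mpz_powm_sec path.

PyCrypto 2.4.1 emits PowmInsecureWarning ("Not using mpz_powm_sec ...")
when its _fastmath extension was compiled against a libgmp older than 5.
This check (an added example, not Tahoe-LAFS code) records the warning
rather than suppressing it: a suppressed warning leaves the timing
weakness in place while removing the only visible sign of it.
"""
import importlib
import warnings

# Substring of the warning PyCrypto emits. Matching on text rather than on
# the PowmInsecureWarning class keeps the check working even if the class
# cannot be imported from Crypto.pct_warnings on a given build.
POWM_MARKER = "mpz_powm_sec"

# Module whose import loads _fastmath and therefore fires the warning
# (assumption for this example; any Crypto.PublicKey module would do).
PUBKEY_MODULE = "Crypto.PublicKey.RSA"


def classify_warnings(messages):
    """Return True if any recorded warning text mentions mpz_powm_sec."""
    return any(POWM_MARKER in str(msg) for msg in messages)


def classify_pycrypto_build(module_name=PUBKEY_MODULE):
    """Import the PyCrypto public-key module with every warning recorded.

    Returns one of:
      "not-installed"   - the module cannot be imported at all
      "insecure-powm"   - PyCrypto warned that mpz_powm_sec is unavailable
      "no-powm-warning" - the import produced no such warning

    Run this in a fresh interpreter: the warning is raised once, at the
    time the extension is first loaded, so an earlier import in the same
    process would hide it.
    """
    with warnings.catch_warnings(record=True) as caught:
        # Override any filter set elsewhere (e.g. a suppression patch) so
        # the warning is always delivered to our recorder.
        warnings.simplefilter("always")
        try:
            importlib.import_module(module_name)
        except ImportError:
            return "not-installed"
    if classify_warnings(w.message for w in caught):
        return "insecure-powm"
    return "no-powm-warning"


def main():
    """Print the build status; exit non-zero only for an insecure build."""
    status = classify_pycrypto_build()
    print("PyCrypto build status:", status)
    return 1 if status == "insecure-powm" else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Wiring `main()` into a pre-start check for the storage node gives a fail-closed signal: the node refuses to start (or at least logs loudly) on an egg built against an old libgmp, which is the condition the ticket's warning describes.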