Your message dated Fri, 08 Jan 2016 15:57:49 +0000
with message-id <e1ahzqd-00046o...@franck.debian.org>
and subject line Bug#796853: fixed in python-bcrypt 2.0.0-1
has caused the Debian Bug report #796853,
regarding python-bcrypt: passlib says this library is broken
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
796853: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=796853
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: python-bcrypt
Version: 0.4-2+b1
Severity: grave
Tags: security
Justification: renders package unusable
According to https://pythonhosted.org/passlib/history.html:
"It will now issue a PasslibSecurityWarning if the active backend is
vulnerable to the wraparound bug, and automatically enable a workaround
(py-bcrypt is known to be vulnerable as of v0.4)."
After running the tests, you get the following passlib warning:
/«PKGBUILDDIR»/passlib/handlers/bcrypt.py:320: UserWarning:
passlib.hash.bcrypt: Your installation of the 'pybcrypt' backend is
vulnerable to the bsd wraparound bug, and should be upgraded or replaced
with another backend (this warning will be fatal under passlib 1.7)
"(this warning will be fatal under passlib 1.7)" % backend)
python-bcrypt is py-bcrypt 0.4
https://pypi.python.org/pypi/py-bcrypt/0.4
The recommended library to use is bcrypt:
https://pypi.python.org/pypi/bcrypt
-- System Information:
Debian Release: 8.1
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.2.0-rc6-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages python-bcrypt depends on:
ii libc6 2.19-18
ii python 2.7.9-1
python-bcrypt recommends no packages.
python-bcrypt suggests no packages.
-- no debconf information
--- End Message ---
--- Begin Message ---
Source: python-bcrypt
Source-Version: 2.0.0-1
We believe that the bug you reported is fixed in the latest version of
python-bcrypt, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 796...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Daniel Stender <deb...@danielstender.com> (supplier of updated python-bcrypt
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Fri, 08 Jan 2016 15:07:04 +0100
Source: python-bcrypt
Binary: python-bcrypt python3-bcrypt
Architecture: source
Version: 2.0.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Modules Team
<python-modules-t...@lists.alioth.debian.org>
Changed-By: Daniel Stender <deb...@danielstender.com>
Description:
python-bcrypt - password hashing library for Python
python3-bcrypt - password hashing library for Python 3
Closes: 796853 803096
Changes:
python-bcrypt (2.0.0-1) unstable; urgency=medium
.
[ Daniel Stender ]
* New upstream release (Closes: #803096).
* Switched upstream from py-bcrypt to pyuca/bcrypt (Closes: #796853).
* deb/control:
+ changed Priority from "extra" to "optional".
+ added Daniel Stender to Uploaders.
+ added dh-python and python{,3}-cffi to build depends.
+ bumped Standards-Version to 3.9.6 (no changes needed).
+ updated Homepage.
+ added Vcs-Git and Vcs-Browser.
+ removed extended infos in long description text concerning py-bcrypt,
made short description easier, updated URI of the mentioned paper.
* deb/copyright:
+ updated.
+ added Daniel Stender to copyright holders of debian/.
* deb/rules:
+ added exports for DH_VERBOSE and DEB_BUILD_OPTIONS=nocheck.
+ build with Pybuild.
+ use override for dh_installdocs to contribute into both packages.
* deb/watch:
+ watch bcrypt on Pypi.
* Added:
+ deb/.git-dpm (Repo initialized for Git-dpm).
+ deb/upstream/signing-key.asc.
* Dropped:
+ deb/manpage and deb/python-bcrypt.1 (belonging to py-bcrypt).
+ deb/docs (using dh_installdocs in deb/rules).
.
[ Raphaël Hertzog ]
* Add build-dependencies on python{3,}-pytest and python-six that will be
useful once we have actual tests in the tarball.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
Comment: Signed by Raphael Hertzog
-----END PGP SIGNATURE-----
--- End Message ---