Your message dated Wed, 11 Jan 2023 19:00:14 +0000
with message-id <e1pfgkc-006y2v...@fasolo.debian.org>
and subject line Bug#1023030: fixed in pysha3 1.0.2-5
has caused the Debian Bug report #1023030,
regarding pysha3: Affected by CVE-2022-37454, unmaintained, remove from Debian?
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1023030: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1023030
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: pysha3
Version: 1.0.2-4.2
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>
Forwarded: https://github.com/tiran/pysha3/issues/29

pysha3 is affected by CVE-2022-37454, a security issue in Keccak.
See: https://github.com/python/cpython/issues/98517
https://mouha.be/sha-3-buffer-overflow/

This is a backport module to bring a feature from Python 3.6 back to
older versions.

It seems very dead upstream, should we just remove it from the archive?

There is currently one reverse-dependency, python-opentimestamps, and I
think we can trivially migrate that to use hashlib.

SR

--- End Message ---
--- Begin Message ---
Source: pysha3
Source-Version: 1.0.2-5
Done: Ben Finney <bign...@debian.org>

We believe that the bug you reported is fixed in the latest version of
pysha3, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1023...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ben Finney <bign...@debian.org> (supplier of updated pysha3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 01 Nov 2022 16:11:42 +1100
Source: pysha3
Binary: python3-sha3 python3-sha3-dbgsym
Architecture: source amd64
Version: 1.0.2-5
Distribution: unstable
Urgency: medium
Maintainer: Ben Finney <bign...@debian.org>
Changed-By: Ben Finney <bign...@debian.org>
Description:
 python3-sha3 - SHA-3 (Keccak) hash implementation — Python 3
Closes: 954470 1023030
Changes:
 pysha3 (1.0.2-5) unstable; urgency=medium
 .
   * The “Sarah Ratley” release.
   * Acknowledge non-maintainer upload “1.0.2-4.1”.
     Thanks to Emmanuel Arias for the upload.
   * Acknowledge non-maintainer upload “1.0.2-4.1+deb11u1”.
     Thanks to Stefano Rivera for the upload.
   * Use only supported Python versions in the AutoPkgTest.
     Closes: bug#954470.
   * Use the automatic package-name placeholder in AutoPkgTest definition.
   * debian/patches/CVE-2022-37454.integer-and-buffer-overflow.patch:
     * Correct Keccak implementation for an integer and buffer overflow.
       Closes: bug#1023030.
   * Correctly describe maintenance of this Debian source package.
   * Declare Debhelper compatibility level 13.
   * Declare conformance to “Standards-Version: 4.6.1”.
     No additional changes required.
   * Specify the commands for running the package test suite.
   * debian/patches/prioritise-setuptools.patch:
     * Prioritise the Setuptools implementation of Command.
   * Remove obsolete field from DEP-12 metadata.
   * Use the GitHub project URL as the Homepage field value.
   * Override false positive Lintian check for VCS-* field names.

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
