Debian DLA-1283-2 : python-crypto security update

High Nessus Plugin ID 106819

Synopsis

The remote Debian host is missing a security update.

Description

This is an update to DLA-1283-1. In DLA-1283-1 it is claimed that the issue described in CVE-2018-6594 is fixed. It turns out that the fix is partial and upstream has decided not to fix the issue as it would break compatibility and that ElGamal encryption was not intended to work on its own.

The recommendation is still to upgrade python-crypto packages. In addition please take into account that the fix is not complete. If you have an application using python-crypto is implementing ElGamal encryption you should consider changing to some other encryption method.

There will be no further update to python-crypto for this specific CVE. A fix would break compatibility, the problem has been ignored by regular Debian Security team due to its minor nature and in addition to that we are close to the end of life of the Wheezy security support.

CVE-2018-6594 :

python-crypto generated weak ElGamal key parameters, which allowed attackers to obtain sensitive information by reading ciphertext data (i.e., it did not have semantic security in face of a ciphertext-only attack).

We recommend that you upgrade your python-crypto packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

Upgrade the affected packages.

See Also

https://lists.debian.org/debian-lts-announce/2018/04/msg00006.html

https://packages.debian.org/source/wheezy/python-crypto

Plugin Details

Severity: High

ID: 106819

File Name: debian_DLA-1283.nasl

Version: 3.4

Type: local

Agent: unix

Published: 2018/02/15

Modified: 2018/04/10

Dependencies: 12634

Risk Information

Risk Factor: High

Temporal Vector: CVSS2#E:POC/RL:U/RC:ND

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:python-crypto, p-cpe:/a:debian:debian_linux:python-crypto-dbg, p-cpe:/a:debian:debian_linux:python-crypto-doc, p-cpe:/a:debian:debian_linux:python3-crypto, p-cpe:/a:debian:debian_linux:python3-crypto-dbg, cpe:/o:debian:debian_linux:7.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Patch Publication Date: 2018/04/09