stop depending on pycrypto #54115

Closed
JanZerebecki opened this issue Aug 5, 2019 · 3 comments · Fixed by #56625
Labels
- Confirmed: Salt engineer has confirmed bug/feature - often including a MCVE
- Core: relates to code central or existential to Salt
- Feature: new functionality including changes to functionality and code refactors, etc.
- ZRelease-Sodium: retired label

Comments

@JanZerebecki
Contributor

Description of Issue

PyCrypto is unmaintained and has open security issues. This was already reported in e.g. #52674 but it is currently closed.

Steps to Reproduce Issue

Run pip download salt and check if it mentions pycrypto. It currently does, but it should not. It currently comes from https://github.com/saltstack/salt/blob/develop/requirements/zeromq.txt .

Versions Report

Checked for 2019.2.0 via pip, and on branch develop by inspecting the above file.
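
The check under "Steps to Reproduce Issue", applied to a requirements file rather than to `pip download` output. This is an added example, not code from the issue or from Salt; `normalize`, `find_banned` and the sample text are assumptions made for illustration. It compares the parsed distribution name after PEP 503 normalization, so a similarly named package or a mention in a comment is not flagged the way a plain text search would flag it.

```python
import re


def normalize(name):
    """PEP 503: names are equal after lowercasing and collapsing runs of -, _ and ."""
    return re.sub(r"[-_.]+", "-", name).lower()


# Leading distribution name of a PEP 508 requirement line.
_NAME = re.compile(r"^\s*([A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)")


def find_banned(requirements_text, banned=("pycrypto",)):
    """Return (line_number, requirement) for each line naming a banned distribution."""
    banned_norm = {normalize(b) for b in banned}
    hits = []
    for lineno, raw in enumerate(requirements_text.splitlines(), start=1):
        line = raw.split(" #", 1)[0].strip()  # drop a trailing comment
        # Skip blanks, full-line comments and pip options such as -r / -e / --hash.
        if not line or line.startswith(("#", "-")):
            continue
        match = _NAME.match(line)
        if match and normalize(match.group(1)) in banned_norm:
            hits.append((lineno, line))
    return hits


# Constructed sample input; NOT the contents of Salt's requirements/zeromq.txt.
SAMPLE = """\
# constructed sample
-r base.txt
PyCrypto>=2.6.1
pycryptodomex>=3.9; sys_platform == 'win32'
pyzmq>=2.2.0  # pycrypto mentioned only in a comment
"""

if __name__ == "__main__":
    for lineno, req in find_banned(SAMPLE):
        print(f"line {lineno}: {req}")
```
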

JanZerebecki added a commit to JanZerebecki/salt that referenced this issue Aug 5, 2019
pycrypto is unmaintained and has open security issues.

Fixes: saltstack#54115
@twangboy added the Feature, Core and team-core labels Aug 6, 2019
@twangboy twangboy added this to the Approved milestone Aug 6, 2019
@twangboy twangboy assigned twangboy and JanZerebecki and unassigned twangboy Aug 6, 2019
JanZerebecki added a commit to JanZerebecki/salt that referenced this issue Aug 16, 2019
pycrypto is unmaintained and has open security issues.

Fixes: saltstack#54115
JanZerebecki added a commit to JanZerebecki/salt that referenced this issue Aug 17, 2019
pycrypto is unmaintained and has open security issues.

Fixes: saltstack#54115
@stale

stale bot commented Jan 8, 2020

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

If this issue is closed prematurely, please leave a comment and we will gladly reopen the issue.

@stale stale bot added the stale label Jan 8, 2020
@sagetherage added the Confirmed label Jan 9, 2020
@stale

stale bot commented Jan 9, 2020

Thank you for updating this issue. It is no longer marked as stale.

@stale stale bot removed the stale label Jan 9, 2020
@OrangeDog
Contributor

Note that OS packages (e.g. python3-crypto) should already have the security issues patched on currently-supported systems.
