On Wed, Jan 16, 2013 at 3:02 PM, Sebastian Ramacher <sramac...@debian.org> wrote: > On 2013-01-02 14:34:58, Sebastian Ramacher wrote: >> On 2013-01-02 12:35:36, Michael Bienia wrote: >> > On 2012-12-30 18:40:23 -0800, Vincent Cheng wrote: >> > Hi, >> > >> > > Michael: the reason why python-keyring can't migrate to testing right >> > > now is because Debian is in freeze, and updates such as new upstream >> > > releases don't comply with the freeze policy [1]. Is there a way to >> > > fix this bug with the current version of python-keyring in testing >> > > instead? >> > >> > There is no other way than to "fix" (by either backporting the fix or >> > allowing python-keyring to migrate) python-keyring in testing[1]. The >> > current python-keyring from testing doesn't (partly) work with >> > python-crypto from testing as python-keyring from testing uses an empty >> > initialisation vector for the cypher to encrypt the keyring. Older >> > version of python-crypto wrongly allowed this but it got fixed in >> > python-crypto 2.6 which migrated to testing while a fixed python-keyring >> > didn't. >> > >> > So someone needs to talk to the release team and security team how to >> > resolve the current situation regarding python-keyring by either >> > backporting the fix from python-keyring 0.9.1 to 0.7.1 or letting >> > python-keyring migrate: >> >> I'll check if the changes are easily backportable. There is also another >> CVE that is unfixed in wheezy. > > python-keyring 0.7.1-1+deb7u1 is now available in wheezy and all issues > with the newer python-crypto should be fixed. >
Thanks! I can confirm that requestbackport works as intended now with the current versions of python-keyring and -crypto in wheezy. Regards, Vincent -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org