Source: pysha3
Version: 1.0.2-4.2
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>
Forwarded: https://github.com/tiran/pysha3/issues/29

pysha3 is affected by CVE-2022-37454, a security issue in Keccak.

See:
https://github.com/python/cpython/issues/98517
https://mouha.be/sha-3-buffer-overflow/

This is a backport module to bring a feature from Python 3.6 back to older versions. It seems very dead upstream, should we just remove it from the archive?

There is currently one reverse-dependency, python-opentimestamps, and I think we can trivially migrate that to use hashlib.

SR