Hi Stefano,

On Sat, Oct 29, 2022 at 01:58:48PM +0200, Stefano Rivera wrote:
> Source: pysha3
> Version: 1.0.2-4.2
> Severity: grave
> Tags: security upstream
> Justification: user security hole
> X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>
> Forwarded: https://github.com/tiran/pysha3/issues/29
> 
> pysha3 is affected by CVE-2022-37454, a security issue in Keccak.
> See: https://github.com/python/cpython/issues/98517
> https://mouha.be/sha-3-buffer-overflow/
> 
> This is a backport module to bring a feature from Python 3.6 back to
> older versions.
> 
> It seems very dead upstream, should we just remove it from the archive?
> 
> There is currently one reverse-dependency, python-opentimestamps, and I
> think we can trivially migrate that to use hashlib.

Probably a good idea, if we can have that happen in time for bookworm.
Will you work on the reverse dependency to make it possible and then
request the removal for src:pysha3?

Regards,
Salvatore
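As an added illustration of the hashlib migration discussed above (example code written for this page, not taken from pysha3 or python-opentimestamps): the name-to-name mapping below and the helper names are assumptions for the sake of the example. The point it shows is that the NIST SHA-3 and SHAKE functions pysha3 provided are in the standard library from Python 3.6 on, and that the one family pysha3 also shipped which hashlib does not, the pre-standard keccak_* variants, has to be rejected explicitly so a migration never silently swaps hash functions.

```python
"""Replace pysha3 with the standard library's hashlib.

Assumed call-site mapping (not from the bug report): code that did
``import sha3; sha3.sha3_256(data).hexdigest()`` becomes
``hashlib.sha3_256(data).hexdigest()``.
"""
from __future__ import annotations

import hashlib

# pysha3 names with a direct hashlib equivalent. Assumption for this example:
# only the NIST SHA-3 family maps; the keccak_* functions pysha3 also exposed
# use the original Keccak padding and have no hashlib counterpart.
_PYSHA3_TO_HASHLIB = {
    "sha3_224": "sha3_224",
    "sha3_256": "sha3_256",
    "sha3_384": "sha3_384",
    "sha3_512": "sha3_512",
    "shake_128": "shake_128",
    "shake_256": "shake_256",
}


def available_sha3() -> set[str]:
    """Which of the mapped algorithms this interpreter's hashlib provides."""
    return {n for n in _PYSHA3_TO_HASHLIB if n in hashlib.algorithms_available}


def _new(name: str):
    """Return a fresh hashlib object for a pysha3 name, refusing keccak_*."""
    if name.startswith("keccak_"):
        raise ValueError(
            f"{name}: not in hashlib (hashlib's sha3_* use NIST padding, not Keccak's)"
        )
    target = _PYSHA3_TO_HASHLIB.get(name)
    if target is None:
        raise ValueError(f"{name}: not a SHA-3 family name")
    return hashlib.new(target), target.startswith("shake_")


def sha3_hexdigest(name: str, data: bytes, length: int | None = None) -> str:
    """Hash ``data`` with the named SHA-3/SHAKE function via hashlib.

    ``length`` (bytes of output) is required for the SHAKE XOFs and ignored
    for the fixed-length SHA-3 functions.
    """
    h, is_xof = _new(name)
    h.update(data)
    if is_xof:
        if length is None:
            raise ValueError("SHAKE functions need an output length in bytes")
        return h.hexdigest(length)
    return h.hexdigest()


def chunked_matches(name: str, data: bytes, chunk_size: int,
                    length: int | None = None) -> bool:
    """Feed ``data`` through update() in pieces and compare with the one-shot digest.

    A migration check worth running on real inputs: streaming and one-shot
    hashing must agree for every chunk boundary.
    """
    h, is_xof = _new(name)
    for i in range(0, len(data), chunk_size):
        h.update(data[i:i + chunk_size])
    got = h.hexdigest(length) if is_xof else h.hexdigest()
    return got == sha3_hexdigest(name, data, length)


if __name__ == "__main__":
    # Constructed sample input; the two digests are the well-known SHA3-256 test vectors.
    print(sorted(available_sha3()))
    print(sha3_hexdigest("sha3_256", b""))     # a7ffc6f8...80f8434a
    print(sha3_hexdigest("sha3_256", b"abc"))  # 3a985da7...11431532
    print(chunked_matches("sha3_512", bytes(range(256)) * 40, 7))
```

Running it on the interpreter that will build the reverse dependency is the whole check: if `available_sha3()` lists the functions the package uses, the pysha3 import can go, and any `keccak_*` call site shows up as a `ValueError` rather than a different digest.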
