CVE-2020-25658 - Bleichenbacher-style timing oracle in PKCS#1 v1.5 decryption code #195

Open
ran-isenberg opened this issue Nov 11, 2020 · 3 comments


@ran-isenberg

Hey guys,
There's a new high level risk vulnerability in the RSA python library that this repo uses. I'm not familiar with the fine details but is there any way for you guys to solve this in this repo?
There's an open issue in the rsa repo from 16 days ago but it seems that they are not going to fix it.

sybrenstuvel/python-rsa#165
He mentioned that "python-jose depends on python-rsa, but it will not use it if better libraries are available, you should use python-jose with pyca/cryptography, then python-rsa code will be unused and unexploitable".

Can you elaborate on this?

@tomato42

I was referring to this section of readme: https://github.com/mpdavis/python-jose#cryptographic-backends

@ran-isenberg
Author

@tomato42 thanks! So this means that our security scanner is giving a false positive, since we are installing python-jose[cryptography], which doesn't use rsa.
Can rsa not be installed at all in this case, so the security scanner won't give these alarms?

@blag
Contributor

blag commented Nov 13, 2020

If you are using pip, and you are sure you might be able to work around your security scanner by uninstalling python-rsa after installing python-jose:

```
pip install 'python-jose[cryptography]'  # will install python-jose with the cryptography backend
pip uninstall rsa  # You may need to pass a `--yes` or `--force` flag to `pip uninstall` to get it to skip asking for confirmation.
```

If this works, it works because pip is not yet a full package manager - it does not ensure that installed packages don't conflict upon invocation, it only cares that it can successfully execute the immediate command. And it can install all of the dependencies for python-jose, and it can then uninstall python-rsa. At no point does it check that it left the virtualenv in a consistent state.

The fix for this is to transition python-jose to only depend on external libraries via extras_require. See this TODO. This will require users to install backends explicitly, but I think that's probably for the best anyway.
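
Added example, not part of the comments above and not python-jose's code: a check of which installed distributions declare `rsa` as a requirement, and whether they need it always or only under an extra, which is the distinction the `extras_require` change would introduce. The `SAMPLE` metadata and the name `hypothetical-app` are constructed for illustration.

```python
import re
from importlib import metadata

_NAME = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def _norm(name):
    # PEP 503 normalisation: case-insensitive; runs of "-", "_" and "." are equal
    return re.sub(r"[-_.]+", "-", name).lower()


def split_requirement(req):
    """Return (normalised name, True if the requirement applies only under an extra)."""
    spec, _, marker = req.partition(";")
    m = _NAME.match(spec)
    if not m:
        raise ValueError(f"unparseable requirement: {req!r}")
    return _norm(m.group(1)), bool(re.search(r"\bextra\s*==", marker))


def who_requires(target, requires_by_dist):
    """Map each dependent distribution to 'always' or 'extra-only'."""
    target, found = _norm(target), {}
    for dist, reqs in requires_by_dist.items():
        for req in reqs or []:
            name, extra_only = split_requirement(req)
            if name != target:
                continue
            if not extra_only:
                found[dist] = "always"      # unconditional dependency wins
            else:
                found.setdefault(dist, "extra-only")
    return found


def installed_requirements():
    """Requires-Dist lines of every distribution in the current environment."""
    return {d.metadata.get("Name"): d.requires
            for d in metadata.distributions() if d.metadata.get("Name")}


# Constructed sample metadata (not read from a package index).
SAMPLE = {
    "python-jose": ["ecdsa", "rsa", "pyasn1",
                    'cryptography; extra == "cryptography"'],
    "hypothetical-app": ['RSA>=4.0; extra == "legacy"'],
    "cryptography": ["cffi"],
}

if __name__ == "__main__":
    for dist, kind in who_requires("rsa", installed_requirements()).items():
        print(f"{dist} requires rsa ({kind})")
```

An "always" result means removing `rsa` leaves that distribution's declared dependencies unmet, which `pip check` will report.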
