As we are still seeing a lot of applications depending on the Python Cryptography Toolkit (aka pycrypto) to manage their cryptography, this is a quick reminder to stop using it.
The vulnerability
Pycrypto is vulnerable to a heap-based buffer overflow in the ALGnew function in block_templace.c. It allows remote attackers to execute arbitrary code in the python application. It was assigned the CVE-2013-7459 number.
Pycrypto didn’t release any fix to that vulnerability and no commit was made to the project since Jun 20, 2014.
Pycryptodome to the rescue
Pycryptodome is a drop-in replacement for the PyCrypto library. Just ‘pip install pycryptodome’ and you’re good to go.
Update your requirements.txt now
Update your requirements.txt file now and also make sure none of your other library depends on pycrypto.
Does your application use this vulnerable package?
Subscribe
2 Comments
Oldest