Is Pycrypto maintained? #285
Comments
Of course it's been unmaintained for more than 5 years. People should use pycryptodome instead (which is a plug-in API-compatible replacement).
No, it's not: see #173 and numerous other issues. Yet it still shows up as the top recommendation for Python libraries in the space. Shame that the author hasn't put more prominent disclosure of this out there.
I could not find any direct imports in aplinux.distribution or our code base, using PyCharm's full solution search (though plenty of self-referential imports and an 'adapted from Crypto.Util.number' comment in paramiko.util.inflate_long). It was last updated in 2013, and has been generally superseded in the community by cryptography (or to a lesser extent PyCryptodome).
https://pypi.org/project/pycrypto/
https://pypi.org/project/cryptography/
https://pypi.org/project/pycryptodome/
Also has an exploitable buffer overflow and likely multiple CVEs: pycrypto/pycrypto#173 (comment), pycrypto/pycrypto#285
Unfortunately some of the features have been dropped in pycryptodome (e.g., blinding), so this library still keeps showing up as result number 1.
If it's not maintained, may it be transferred to @abandonware to apply CVE fixes?
I'd like to confirm that Pycrypto is in fact unmaintained.
I believe the last release was 2.6.1 from October 2013 (based on what's on https://www.dlitz.net/software/pycrypto/). I think it is vulnerable to CVE-2013-7459 and CVE-2018-6594.
My concern is that many people are using a vulnerable package. On pypi.org, it is currently about #239 on the most-downloaded package list from the last 30 days. There were 1.5M downloads in the last 30 days (https://pypistats.org/packages/pycrypto). It is required by many other packages, so many people are using Pycrypto without being aware.
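A check for the point raised in the issue body, that pycrypto is pulled in transitively by other packages: an added example, not code from this thread or from the pycrypto project, that reports whether the pycrypto distribution is installed and which installed distributions declare it as a requirement, using only importlib.metadata. The sample distribution list is constructed, and the dependent names in it are placeholders.

```python
import re
from importlib import metadata

# Constructed sample in the shape importlib.metadata exposes:
# (name, version, requires). The dependent names are placeholders.
SAMPLE_DISTS = [
    ("pycrypto", "2.6.1", None),
    ("legacy-ssh-tool", "0.1", ["pycrypto (>=2.1, !=2.4)", "bcrypt"]),
    ("my-app", "1.0", ["Pycrypto>=2.6", "requests"]),
    ("requests", "2.25.0", ["urllib3"]),
    ("pycryptodome", "3.9.0", None),
]

def _norm(name):
    # Fold case and separators the way pip does when matching project names.
    return re.sub(r"[-_.]+", "-", name).lower()

def _req_name(requirement):
    # Bare project name from strings like 'pycrypto (>=2.1); extra == "ssh"'.
    m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", requirement.strip())
    return _norm(m.group(0)) if m else ""

def audit(dists, target="pycrypto"):
    """Return the installed version of `target` (None if absent) and the sorted
    names of distributions that declare a dependency on it."""
    target = _norm(target)
    installed, dependents = None, []
    for name, version, requires in dists:
        if _norm(name) == target:
            installed = version
        if any(_req_name(r) == target for r in requires or []):
            dependents.append(name)
    return {"installed_version": installed, "dependents": sorted(dependents)}

def audit_environment():
    # Use distribution metadata, not `import Crypto`: pycryptodome installs the
    # same Crypto package, so a successful import does not identify which one.
    dists = [(d.metadata.get("Name") or "", d.version or "", d.requires)
             for d in metadata.distributions()]
    return audit(dists)

if __name__ == "__main__":
    print("sample:", audit(SAMPLE_DISTS))
    print("this environment:", audit_environment())
```

Dependencies declared only through an extra (`extra == "..."`) are still reported, since the name match ignores the marker; a package that vendors pycrypto code without declaring it, as the paramiko comment above hints, will not show up here.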