Provide security advisory for PyCrypto #56095
Conversation
PyCrypto is broken, but comes with most distros. PyCryptodome(x) or M2Crypto are preferred. Fixes saltstack#56080
This looks pretty good. The pip download page is what I wrote in the ticket. I am not sure if that is a page I am familiar with, unless that is the repo dot saltstack dot com. If it is that page, or another dot com page, then we will put the same security wording there (once approved and merged) and review it as we stage, then promote, and that will be the 3. Please correct me if I am wrong @cachedout @dwoz @dmurphy18 @frogunder
The README.rst file gets read in our setup.py, which, if I understand correctly, is what gets set in the package build that's uploaded to PyPI. At least that's how typical packages work.
Got it, PyPI = pip install page, I am all set.
Hi @waynew. Thanks for doing this! There are a few ways I think this could be improved:
It's not quite clear to me whether any packages in the repo will use pycrypto out of the box. I know that @dmurphy18 mentioned a few RHEL cases where a supported crypto library is used, but just so I can understand: are there any packages delivered from the Salt repo which would install a pycrypto dependency and not a supported crypto lib? Thanks again!
@cachedout Here are the following platforms which still have pycrypto installed, noting that this was the same for the previous Salt 2019.2.3 release, therefore no change in what Salt was installing. Python 2: Python 3: Python 3 RHEL 7 and RHEL 8 utilize M2Crypto. Will also adjust Python 2 & 3 Debian and Ubuntu to support a minimum of pycryptodome in the next point release, where possible and time allowing.
@dmurphy18 Thanks! This is very helpful! I just want to understand what you mean by the above statement. For each item in the list you provided, will an out-of-the-box install of the package from the Salt repo install pycrypto and use it as the default, assuming that neither M2Crypto nor pycryptodome were previously installed?
If I understand correctly, the
See saltstack/salt-pack#724. And yes, a clean box will install pycrypto, noting that as before in Salt releases, if pycryptodomex or M2Crypto is present, then they will be used. Order of preference: Lowest: pycrypto. This is unchanged from the last few years since I ported pycryptodomex to RHEL 7.
Gotcha. But the end result is the same, no? That in the cases for the machines listed above, stock installs of the Salt package on a clean machine result in Salt defaulting to using pycrypto during runtime. Is that correct?
@cachedout Yes, unchanged from previous releases, for the last few years.
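The exchange above establishes that a stock install on the listed platforms ends up with pycrypto at runtime unless pycryptodomex or M2Crypto happens to be present, in which case those win. The following script is an added example, not Salt's own backend-selection code: it probes which candidate modules import on the host, applies a preference order, and says whether the host would be left on the broken PyCrypto. The thread only states that pycrypto is lowest and that pycryptodomex/M2Crypto are preferred when present; the relative order of M2Crypto versus pycryptodomex, and the use of the `Crypto.__version__` major number to tell the pycryptodome drop-in (3.x) apart from PyCrypto (2.x, both live under the `Crypto` package name), are assumptions of this example.

```python
"""Report which crypto backend a Salt-style preference order would pick on this host.

Added example; not code from the Salt project.  Assumptions are marked inline.
"""
import importlib

# Preference order, highest first.  Assumption: M2Crypto before pycryptodomex;
# the thread only guarantees that pycrypto ("Crypto" at 2.x) is the lowest.
PREFERENCE = ("M2Crypto", "Cryptodome", "Crypto")


def choose_backend(available):
    """Return the first module in PREFERENCE present in `available`, else None.

    `available` maps module name -> version string (see installed_modules()).
    """
    for name in PREFERENCE:
        if name in available:
            return name
    return None


def classify_crypto(version):
    """Tell PyCrypto from pycryptodome's drop-in build by version major.

    Assumption: PyCrypto never shipped a 3.x release, while pycryptodome's
    `Crypto` package reports 3.x, so major < 3 means the broken PyCrypto.
    """
    major = int(str(version).split(".")[0])
    return "pycrypto" if major < 3 else "pycryptodome"


def installed_modules(candidates=PREFERENCE):
    """Probe the host: import each candidate and record its version if present."""
    found = {}
    for name in candidates:
        try:
            module = importlib.import_module(name)
        except ImportError:
            continue
        found[name] = getattr(module, "__version__", "unknown")
    return found


def assess(available):
    """Summarise which backend wins and whether that leaves the host on PyCrypto."""
    backend = choose_backend(available)
    if backend is None:
        return {"backend": None, "broken": False,
                "message": "none of the candidate crypto libraries is importable"}
    if backend == "Crypto" and classify_crypto(available["Crypto"]) == "pycrypto":
        return {"backend": "pycrypto", "broken": True,
                "message": "falls back to PyCrypto %s, which is unmaintained; "
                           "install pycryptodomex or M2Crypto" % available["Crypto"]}
    name = "pycryptodomex" if backend == "Cryptodome" else \
           "pycryptodome" if backend == "Crypto" else backend
    return {"backend": name, "broken": False,
            "message": "uses %s %s" % (name, available[backend])}


if __name__ == "__main__":
    # Live probe of the current interpreter.
    result = assess(installed_modules())
    print("backend:", result["backend"])
    print(result["message"])
```

Run it with the same interpreter Salt uses (`python2` vs `python3` matters on the platforms listed above), since the lookup reflects only that interpreter's site-packages.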
Thanks for the clarification. It seems like this notice needs to be expanded to a few other places. Would it make sense to put it in the repo? https://repo.saltstack.com/#ubuntu @waynew What do you think about putting up changes in those locations, correlating to the specific targets that @dmurphy18 has mentioned? |
This will help address comments on saltstack/salt#56095
@cachedout since each of those OS/pip install instructions come from the overall installation instructions I only added the warning to that. I've also opened a PR against bootstrap's readme to link to the hardening Salt docs. |
I'm not sure I understand. The front page of the documentation site links directly to the repo under the section "Installing Salt". Why wouldn't the per-distribution installation instructions which follow include this advisory? I don't recall exactly, either, but if memory serves, this page might also be where users are directed to after filling out SaltStack's marketing collection form for downloading Salt.
Excellent! Thank you!
https://docs.saltstack.com/en/latest/topics/installation/index.html links to the platform-specific pip instructions, e.g. For repo.saltstack.com, I haven't touched those docs yet, but IIUC they're in another repo, right? It would be good to update those to warn that the platform ships a broken version of PyCrypto, which we will use, but we strongly recommend upgrading to something like pycryptodome, for instance.
Yes, that is correct. I don't remember offhand where they are but @Ch3LL might remember.
Sounds good. Thanks! |
yeah @waynew feel free to reach out to me or @frogunder and we can point you in the right direction |
Fixes #56080
@cachedout @dmurphy18 @sagetherage @frogunder
Does this look reasonable? Anything I should add/take away/adjust?