There is actually some hybrid crypto going on in the background deep somewhere, if my memory serves, because back when I used to work at SFL, we actually did talk about that CVE more than once.
There is no way to go forward since pycryptodome has no support for ElGamal.
@maximest-pierre Thanks for tipping in. The author of pycryptodome points to RSA as a suitable replacement for ElGamal; we should evaluate how complex a transition to it would be.
There's at least one CVE which has gone unfixed, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6594. The corresponding (unfixed) issue is pycrypto/pycrypto#253.
There's an actively maintained fork of pycrypto which is https://github.com/Legrandin/pycryptodome, but it removed rather than fixed the support for ElGamal encryption/decryption that sflvault relies on, so migration is non-trivial.
Also see https://www.chenweikeng.com/elgamal.html and the question here: Legrandin/pycryptodome#504.