pycrypto 2.6.1 errors


Mark Cummins

Dec 6, 2016, 6:41:40 AM
to Google App Engine
The new Python SDK (1.9.49) includes a pycrypto update to 2.6.1.

We've flipped over to the new library version, and we're now seeing errors like this:


```
11:28:31.524 /base/data/home/runtimes/python27/python27_lib/versions/third_party/pycrypto-2.6.1/Crypto/Util/number.py:57: PowmInsecureWarning: Not using mpz_powm_sec. You should rebuild using libgmp >= 5 to avoid timing attack vulnerability.
11:28:31.524 _warn("Not using mpz_powm_sec. You should rebuild using libgmp >= 5 to avoid timing attack vulnerability.", PowmInsecureWarning)
```


It looks like this is a platform problem with the new 1.9.49 SDK? Or are we doing something to cause this?

Nick (Cloud Platform Support)

Dec 15, 2016, 7:03:40 PM
to Google App Engine
Hey Mark,

Usually, an issue like this should be reported to the Public Issue Tracker, but we can work on it here until something more concrete can develop to report. What command is producing this issue? Is this error message seen in production, or development? What operating system are you running?

Cheers,

Nick
Cloud Platform Community Support

Nick (Cloud Platform Support)

Dec 20, 2016, 4:54:20 PM
to Google App Engine
Hey Mark,

Any update on my last questions? Did you make a post to the Public Issue Tracker or would you like to keep corresponding here?


Cheers,

Nick
Cloud Platform Community Support


Mark Cummins

Dec 22, 2016, 10:01:20 AM
to Google App Engine
We see this issue in production. It happens whenever we import pycrypto. We couldn't find any solution, so we've reverted to the old version on the assumption that this is an SDK problem.

Attila-Mihaly Balazs

Dec 23, 2016, 12:27:09 AM
to Google App Engine
@Mark: I'm a little bit confused since I don't think you can set the SDK version used by the app in production. Rather, it is always auto-upgraded to the latest.

It seems that the Python build used by Google uses an old(er) version of the GMP library. See this Ansible issue for more details: https://github.com/ansible/ansible/issues/6941#issuecomment-89255641

There is also a suggestion on how to mute the warnings temporarily:

```
from Crypto.pct_warnings import PowmInsecureWarning
import warnings
warnings.simplefilter("ignore", PowmInsecureWarning)
```

Happy Holidays!
Attila
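A narrower alternative to the global `simplefilter("ignore", ...)` above, as an added example that is not part of the original thread: it captures `PowmInsecureWarning` only around the import, passes every other warning through, and leaves a single log record so the missing `mpz_powm_sec` stays visible. The helper name `import_quietly`, the logger name, and the stand-in warning class (used only when pycrypto is not installed) are assumptions made for this example.

```python
import logging
import warnings

try:
    # Real class shipped with pycrypto 2.6.1.
    from Crypto.pct_warnings import PowmInsecureWarning
except ImportError:
    class PowmInsecureWarning(RuntimeWarning):
        """Constructed stand-in so the example runs without pycrypto."""

log = logging.getLogger("crypto_import")  # hypothetical logger name


def import_quietly(do_import):
    """Call do_import() and return (result, insecure_powm).

    PowmInsecureWarning raised during the call is swallowed and reported
    once through logging; any other warning is re-emitted unchanged.
    The previous warning filters are restored on exit, so nothing is
    muted for the rest of the process.
    """
    with warnings.catch_warnings(record=True) as caught:
        warnings.simplefilter("always")
        result = do_import()

    insecure_powm = False
    for w in caught:
        if issubclass(w.category, PowmInsecureWarning):
            insecure_powm = True
        else:
            # Hand unrelated warnings back to the caller's filters.
            warnings.warn_explicit(w.message, w.category, w.filename, w.lineno)

    if insecure_powm:
        log.warning("pycrypto is not using mpz_powm_sec (libgmp < 5): "
                    "modular exponentiation is exposed to timing attacks")
    return result, insecure_powm


# Typical use at the first import site (the warning is raised only when
# Crypto.Util.number is first loaded):
#   import importlib
#   RSA, insecure = import_quietly(
#       lambda: importlib.import_module("Crypto.PublicKey.RSA"))
```

The returned flag can feed a health check or startup metric, so the runtime's libgmp version can be tracked until it is rebuilt against libgmp >= 5.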

Mark Cummins

Dec 23, 2016, 7:35:45 AM
to Google App Engine
> @Mark: I'm a little bit confused since I don't think you can set the SDK version used by the app in production. Rather, it is always auto-upgraded to the latest.

Ah, no, I mean that we reverted to the old PyCrypto version, rather than the SDK version.

Thank you very much for the workaround.

Best,
Mark

Adam (Cloud Platform Support)

Dec 25, 2016, 1:40:40 PM
to Google App Engine
This has been acknowledged and an issue has been filed in the tracker: