Jaimergp

**Name of the Vulnerable Software and Affected Versions** conda-smithy versions prior to 3.47.1 **Description** The issue results from the use of an outdated and insecure padding scheme during RSA encryption in the travis encrypt binstar token implementation. A malicious actor with access to an oracle system can exploit this flaw by iteratively submitting modified ciphertexts and analyzing responses to infer the plaintext without possessing the private key. **Recommendations** For versions prior to 3.47.1, update to version 3.47.1 to resolve the issue. As a temporary workaround, consider restricting access to the travis encrypt binstar token implementation until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Conda-build versions prior to 25.3.0 **Description** The issue concerns a dependency injection vulnerability. Conda-build lists conda-index as a Python dependency in its pyproject.toml file. Since conda-index is not published in PyPI, an attacker could claim this namespace, upload malicious code, and exploit pip install commands by injecting the malicious dependency. **Recommendations** For versions prior to 25.3.0, update to version 25.3.0 to resolve the issue. As a temporary workaround, consider using the --no-deps option for pip install commands when installing the project from the repository.