Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Wed, 31 Oct 2012 09:35:10 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Raphael Geissert <geissert@...ian.org>,
        Marc Deslauriers <marc.deslauriers@...onical.com>,
        coley@...us.mitre.org
Subject: Re: CVE Request: Python keyring

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/30/2012 01:27 PM, Raphael Geissert wrote:
> On Friday 05 October 2012 15:21:57 Marc Deslauriers wrote:
>> Hello,
>> 
>> Python keyring before 0.9.1 was using the user-supplied password 
>> insecurely.
>> 
>> From the 0.9.1 changelog:
>> 
>> CryptedFileKeyring now uses PBKDF2 to derive the key from the
>> user's password and a random hash. The IV is chosen randomly as
>> well. All the stored passwords are encrypted at once. Any
>> keyrings using the old format will be automatically converted to
>> the new format (but will no longer be compatible with 0.9 and
>> earlier). The user's password is no longer limited to 32
>> characters. PyCrypto 2.5 or greater is now required for this
>> keyring.
>> 
>> See:
>> 
>> http://pypi.python.org/pypi/keyring#id2 
>> https://bugs.launchpad.net/ubuntu/+source/python-keyring/+bug/1004845
>
>> 
> Could a CVE id be assigned please?
> 
> Thanks,

Please use CVE-2012-4571 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBAgAGBQJQkUUuAAoJEBYNRVNeJnmT31MP/Rtf0gogMeONxkrT/HV/TzdB
bdOtVsowwczBuRtGd1x1gH9x/IAtCLhjGUxD3ZOOE/7F5lUsD1C/RTqDzR2xNRhZ
XDaG3QKo0zBLMvwy1gVBFZbNNLaRqqWft8KniXWvATyXHHXmzfnLsuV9l/mzPVQS
n/8ARJs+p5SfNP6d0vyPTMlu04Juw7oo/VuMkSSSCnMQ79//rBS4zWlWC0itU5d0
BaEugmxaSxkM8Mk6hSM51zcieBShs/pnneJQfugnhowDwov7k/PqPXMjU/84bbLi
oT5LfZbqSFnhVLxHFocRScHu96rs1qKh/hjKbfPCaJNwpSp1IPHeHzhTNtincxIq
NHM7xQ/qa6A4yl5XZHX7jED9SX7Qrfe0KzaEkqr8zI9wIYwrVF1SgFO9GN/1V3yv
CkdC9EEh6s+etKHwnVlrzd9aFTM/A9u44vDvrD8tlAK3WEzsWrqN6SbGAd+8l4/l
Pr5Ys53WnT8ca7grxs9ezw5WRrqDcAQzGFfHs6ntJwF42/cIO4OO9l7WQPR5aTn1
LgOCsnHYm6tTnxI4Kg5YZ27wfDvr/62bRMZJt7O5r4PqttoML5EJr4T49vUiDg/J
93kHkQIJpwHgluNVxhv6kqd/zy3Pm5LSBrSt+5HW5sQsxqCqpO54IcuQV2cdssrZ
03A84K5389hgNQyU8aLK
=AOwV
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ