Date: Mon, 19 Oct 2015 15:39:52 -0400
From: Larry Cashdollar <>
To: Open Security <>
Subject: Re: CVE request for sqlalchemy-utils

I stopped asking.

From:  <>
Reply-To:  Open Security <>
Date:  Sunday, October 18, 2015 at 3:21 PM
To:  Open Security <>
Cc:  <>
Subject:  Re: [oss-security] CVE request for sqlalchemy-utils

I've been told I should check in after a couple of weeks without a
response. Is there any more information I can provide to help you make a

From the discussion on the bug tracker, this was a design decision, but
at least some users of the library weren't aware of it. As far as I know
it wasn't / isn't documented. I noticed the issue when reviewing the
code for Netflix's Lemur tool and they were not previously aware of the
- Robert

On Tue, Oct 6, 2015, at 02:10 PM, wrote:
>  Description: I noticed that the sqlalchemy-utils package's EncryptedType
>  does not use a random IV when encrypting with AES in CBC mode. It
>  generates a SHA256 hash of the user's key and uses the first 16 bytes of
>  that hash as the IV (and the full hash as the encryption key). The
>  result is that for a given key, the IV will always be the same.
>  Reported here:
>  Version: Current. I'm not sure what the version history of this package
>  looks like, though.
>  Reporter: Robert Picard
>  Please assign a CVE if you feel it would be appropriate for this bug.
>  - Robert
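To make the reported weakness concrete, the following is an added example, not code from sqlalchemy-utils or from anyone in this thread. It is written in Go, whose standard library carries AES-CBC, and models the scheme exactly as the report describes it: the SHA-256 hash of the user's key is the AES-256 key, and the first 16 bytes of that same hash are the CBC IV. The key string and the two sample plaintexts are constructed for the demonstration; the random-IV variant beside it is the standard CBC remedy, not the project's own fix.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"io"
)

// deriveKeyAndIV models the scheme described in the report: the full SHA-256
// hash of the user's key is the AES-256 key, and the first 16 bytes of that
// same hash serve as the CBC IV, so for a given key the IV never changes.
func deriveKeyAndIV(userKey []byte) (key, iv []byte) {
	sum := sha256.Sum256(userKey)
	return sum[:], sum[:aes.BlockSize]
}

// pkcs7Pad brings the plaintext up to a multiple of the AES block size.
func pkcs7Pad(p []byte) []byte {
	n := aes.BlockSize - len(p)%aes.BlockSize
	return append(p, bytes.Repeat([]byte{byte(n)}, n)...)
}

// cbcEncrypt runs AES-CBC with the given key and IV and returns only the
// ciphertext; the caller decides whether the IV travels with it.
func cbcEncrypt(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(append([]byte(nil), plaintext...))
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out, nil
}

// EncryptFixedIV is the reported design: the IV is derived from the key, so
// nothing needs to be stored beside the ciphertext, but every message under
// the same key starts the CBC chain from the same point.
func EncryptFixedIV(userKey, plaintext []byte) ([]byte, error) {
	key, iv := deriveKeyAndIV(userKey)
	return cbcEncrypt(key, iv, plaintext)
}

// EncryptRandomIV is the standard CBC remedy (not the project's fix): a fresh
// random IV per message, prepended to the ciphertext so it can be recovered
// at decryption time.
func EncryptRandomIV(userKey, plaintext []byte) ([]byte, error) {
	key, _ := deriveKeyAndIV(userKey)
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	ct, err := cbcEncrypt(key, iv, plaintext)
	if err != nil {
		return nil, err
	}
	return append(iv, ct...), nil
}

// SharedPrefixBlocks counts the leading 16-byte blocks two ciphertexts have in
// common. With a fixed IV, plaintexts that share a leading block produce the
// same leading ciphertext block, so anyone who can read the stored column can
// tell which rows share a prefix (or are identical) without knowing the key.
func SharedPrefixBlocks(a, b []byte) int {
	n := 0
	for i := 0; i+aes.BlockSize <= len(a) && i+aes.BlockSize <= len(b); i += aes.BlockSize {
		if !bytes.Equal(a[i:i+aes.BlockSize], b[i:i+aes.BlockSize]) {
			break
		}
		n++
	}
	return n
}

func main() {
	userKey := []byte("example-key") // constructed key for the demonstration
	// Two constructed secrets that share their first 28 bytes (one full AES
	// block plus 12 bytes of the next), as PEM-encoded keys in a table would.
	p1 := []byte("-----BEGIN PRIVATE KEY-----\nAAAAAAAAAAAAAAAA")
	p2 := []byte("-----BEGIN PRIVATE KEY-----\nBBBBBBBBBBBBBBBB")

	c1, _ := EncryptFixedIV(userKey, p1)
	c1Again, _ := EncryptFixedIV(userKey, p1)
	c2, _ := EncryptFixedIV(userKey, p2)
	fmt.Printf("fixed IV:  same plaintext twice gives identical ciphertext: %v\n", bytes.Equal(c1, c1Again))
	fmt.Printf("fixed IV:  leading blocks shared between p1 and p2: %d\n", SharedPrefixBlocks(c1, c2))

	r1, _ := EncryptRandomIV(userKey, p1)
	r2, _ := EncryptRandomIV(userKey, p1)
	fmt.Printf("random IV: same plaintext twice gives identical ciphertext: %v\n", bytes.Equal(r1, r2))
	fmt.Printf("random IV: leading blocks shared: %d\n", SharedPrefixBlocks(r1, r2))
}
```

Run as-is, the fixed-IV path reports identical ciphertext for a repeated value and one shared leading block between the two PEM-like secrets, while the random-IV path reports neither. That is the practical consequence of the report: CBC needs an unpredictable IV per message, and the usual way to get one is to generate it randomly and store it beside the ciphertext.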
