Date: Mon, 19 Oct 2015 15:39:52 -0400 From: Larry Cashdollar <larry0@...com> To: Open Security <oss-security@...ts.openwall.com> Cc: cve-assign@...re.org Subject: Re: CVE request for sqlalchemy-utils I stopped asking. From: <robert@...ert.io> Reply-To: Open Security <oss-security@...ts.openwall.com> Date: Sunday, October 18, 2015 at 3:21 PM To: Open Security <oss-security@...ts.openwall.com> Cc: <cve-assign@...re.org> Subject: Re: [oss-security] CVE request for sqlalchemy-utils I've been told I should check-in after a couple of weeks without a response. Is there any more information I can provide to help you make a decision? >From the discussion on the bug tracker, this was a design decision, but at least some users of the library weren't aware of it. As far as I know it wasn't / isn't documented. I noticed the issue when reviewing the code for Netflix's Lemur tool and they were not previously aware of the issue: https://github.com/Netflix/lemur/issues/117 - Robert On Tue, Oct 6, 2015, at 02:10 PM, robert@...ert.io wrote: > Description: I noticed that the sqlalchemy-utils package's EncryptedType > does not use a random IV when encrypting with AES in CBC mode. It > generates a SHA256 hash of the user's key and uses the first 16 bytes of > that hash as the IV (and the full hash as the encryption key). The > result is that for a given key, the IV will always be the same. > > Reported here: https://github.com/kvesteri/sqlalchemy-utils/issues/166 > Version: Current. I'm not sure what the version history of this package > looks like, though. > Reporter: Robert Picard > > Please assign a CVE if you feel it would be appropriate for this bug. > > - Robert
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ