Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Tue, 30 Oct 2012 13:27:28 -0600
From: Raphael Geissert <geissert@...ian.org>
To: oss-security@...ts.openwall.com
Cc: Marc Deslauriers <marc.deslauriers@...onical.com>,
 coley@...us.mitre.org
Subject: Re: CVE Request: Python keyring

On Friday 05 October 2012 15:21:57 Marc Deslauriers wrote:
> Hello,
> 
> Python keyring before 0.9.1 was using the user-supplied password
> insecurely.
> 
> From the 0.9.1 changelog:
> 
> CryptedFileKeyring now uses PBKDF2 to derive the key from the user's
> password and a random hash. The IV is chosen randomly as well. All the
> stored passwords are encrypted at once. Any keyrings using the old
> format will be automatically converted to the new format (but will no
> longer be compatible with 0.9 and earlier). The user's password is no
> longer limited to 32 characters. PyCrypto 2.5 or greater is now required
> for this keyring.
> 
> See:
> 
> http://pypi.python.org/pypi/keyring#id2
> https://bugs.launchpad.net/ubuntu/+source/python-keyring/+bug/1004845

Could a CVE id be assigned please?

Thanks,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.