List: oss-security
Subject: Re: [oss-security] CVE Request: Python keyring
From: Kurt Seifried <kseifried () redhat ! com>
Date: 2012-10-31 15:35:10
Message-ID: 5091452E.8080306 () redhat ! com
On 10/30/2012 01:27 PM, Raphael Geissert wrote:
> On Friday 05 October 2012 15:21:57 Marc Deslauriers wrote:
>> Hello,
>>
>> Python keyring before 0.9.1 was using the user-supplied password
>> insecurely.
>>
>> From the 0.9.1 changelog:
>>
>> CryptedFileKeyring now uses PBKDF2 to derive the key from the
>> user's password and a random hash. The IV is chosen randomly as
>> well. All the stored passwords are encrypted at once. Any
>> keyrings using the old format will be automatically converted to
>> the new format (but will no longer be compatible with 0.9 and
>> earlier). The user's password is no longer limited to 32
>> characters. PyCrypto 2.5 or greater is now required for this
>> keyring.
>>
>> See:
>>
>> http://pypi.python.org/pypi/keyring#id2
>> https://bugs.launchpad.net/ubuntu/+source/python-keyring/+bug/1004845
>
>>
> Could a CVE id be assigned please?
>
> Thanks,
Please use CVE-2012-4571 for this issue.
- --
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993