List:       oss-security
Subject:    [oss-security] CVE-2013-1895 py-bcrypt 0.2 concurrency vulnerability (auth bypass)
From:       Kurt Seifried <kseifried () redhat ! com>
Date:       2013-03-26 5:58:48
Message-ID: 51513918.4090401 () redhat ! com

So py-bcrypt 0.2 has a concurrency vulnerability that can lead to auth
bypass. I looked at the code diff between 0.2 and 0.3, looks ok.

https://pypi.python.org/pypi/py-bcrypt

Please use CVE-2013-1895 for this issue.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993