oss-sec mailing list archives
Re: weak use of crypto in python-elixir can lead to information disclosure (CVE and peer review request)
From: Florian Weimer <fw () deneb enyo de>
Date: Tue, 01 May 2012 12:51:16 +0200
* Vincent Danen:
And you can group by encrypted column values in the database. That's why I'm not sure if it's actually possible to address this issue in a satisfying manner.So the encryption can be more fine-grained than just per-table? You can also do it per-column? If that's the case, this does sound a lot uglier to deal with.
This test case suggests to me that you have to specify the list of encrypted columns explicitly: <http://elixir.ematia.de/trac/browser/elixir/trunk/tests/test_encryption.py> Based on this example, it's not clear to me if the current implementation supports get_by with an encrypted column. If this is a feature which needs preserving, there is no apparent way around convergent encryption.
Current thread:
- weak use of crypto in python-elixir can lead to information disclosure (CVE and peer review request) Vincent Danen (Apr 27)
- Re: weak use of crypto in python-elixir can lead to information disclosure (CVE and peer review request) Florian Weimer (Apr 28)
- Re: weak use of crypto in python-elixir can lead to information disclosure (CVE and peer review request) Vincent Danen (Apr 30)
- Re: weak use of crypto in python-elixir can lead to information disclosure (CVE and peer review request) Florian Weimer (May 01)
- Re: weak use of crypto in python-elixir can lead to information disclosure (CVE and peer review request) Florian Weimer (May 01)
- Re: weak use of crypto in python-elixir can lead to information disclosure (CVE and peer review request) Vincent Danen (May 02)
- Re: weak use of crypto in python-elixir can lead to information disclosure (CVE and peer review request) Vincent Danen (Apr 30)
- Re: weak use of crypto in python-elixir can lead to information disclosure (CVE and peer review request) Florian Weimer (Apr 28)