oss-sec mailing list archives
ANN: Beaker 1.6.4 released with important security update
From: Ben Bangert <ben () groovie org>
Date: Mon, 13 Aug 2012 15:26:43 -0700
Beaker is a high-level Python library providing caching and sessions for use in web applications. The session implementation comes with crypto-based cookie encryption that supports PyCrypto, pycryptopp, and now NSS crypto.

Prior to this release, an attacker could possibly determine some content of cookie-based sessions encrypted with PyCrypto due to how the data was encrypted. This flaw did not affect pycryptopp sessions, nor does it allow an attacker to change data, as a separate HMAC is used to sign the encrypted payload.

Red Hat found and supplied a patch to fix this flaw, thanks!

CVE-2012-3458

Fix in beaker:
https://github.com/bbangert/beaker/commit/91becae76101cf87ce8cbfabe3af2622fc328fe5

Applying this update will change the hashing of sessions encrypted with PyCrypto, invalidating existing ones.

Changelog for this release:

* Fix bug with key_length not being coerced to an int for comparison. Patch by Greg Lavallee.
* Fix bug with cookie invalidation not clearing the cookie data. Patch by Vasiliy Lozovoy.
* Added ability to pass in cookie_path for the Session. Patch by Marcin Kuzminski.
* Add NSS crypto support to Beaker. Patch by Miloslav Trmac of Redhat.
* Fix security bug with pycrypto not securing data such that an attacker could possibly determine parts of the encrypted payload. Patch by Miloslav Trmac of Redhat. See `CVE-2012-3458 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3458>`_.
* Add ability to specify schema for database-backed sessions. Patch by Vladimir Tananko.
* Fix issue with long key names in memcached backend. Patch by Guillaume Taglang.

Cheers,
Ben
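The announcement above says only that "how the data was encrypted" let an attacker learn parts of a session; the CVE-2012-3458 entry it links records the specific cause, the PyCrypto backend's use of AES in ECB mode. The following is an added illustration written for this archive page, not Beaker's own code and not the patch linked above. It uses a toy 16-byte Feistel block cipher built from HMAC-SHA256 as a stand-in for AES so that it runs on the Python standard library alone; the leak it shows is a property of the ECB mode, not of the cipher. Two constructed fixed-width session records for "alice" and "bob" are encrypted under one application-wide key (Beaker sessions share the configured key, so cross-session comparison is the realistic attacker view): under ECB every block position where the two sessions agree produces identical ciphertext, so an observer who holds both cookies learns which fields match without any key; under CTR with distinct nonces nothing repeats. The block also layers the separate HMAC the announcement mentions (encrypt-then-MAC, verified before decryption), which is what stops tampering even though CTR is malleable. The key names, nonces, session layout and function names are all hypothetical.

```python
import hashlib
import hmac
import os
import struct

BLOCK = 16
TAG_LEN = 32

# --- toy block cipher (stand-in for AES, NOT for production use) -------------
# A 4-round Feistel network on 16-byte blocks whose round function is
# HMAC-SHA256 truncated to 8 bytes.  It exists only so the example runs on
# the standard library; the ECB-versus-CTR behaviour below does not depend
# on which block cipher sits underneath.

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key, i, half):
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]

def block_encrypt(key, block):
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, _xor(l, _round(key, i, r))
    return l + r

def block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _round(key, i, l)), l
    return l + r

# --- modes of operation ------------------------------------------------------

def _pad(data):                       # PKCS#7 padding to a whole block
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def _unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def ecb_encrypt(key, plaintext):
    """ECB: blocks are encrypted independently, so equal plaintext blocks
    under the same key give equal ciphertext blocks (the pre-1.6.4 mode)."""
    data = _pad(plaintext)
    return b"".join(block_encrypt(key, data[i:i + BLOCK])
                    for i in range(0, len(data), BLOCK))

def ecb_decrypt(key, ciphertext):
    data = b"".join(block_decrypt(key, ciphertext[i:i + BLOCK])
                    for i in range(0, len(ciphertext), BLOCK))
    return _unpad(data)

def ctr_encrypt(key, nonce, data):
    """CTR: XOR with a keystream from E(nonce || 64-bit counter).  Encrypt and
    decrypt are the same call; no two blocks of one message share keystream."""
    assert len(nonce) == 8
    stream = b"".join(block_encrypt(key, nonce + struct.pack(">Q", c))
                      for c in range(-(-len(data) // BLOCK)))
    return _xor(data, stream)

# --- encrypt-then-MAC, the separate HMAC the announcement describes ----------

def seal_session(enc_key, mac_key, plaintext, nonce=None):
    nonce = nonce or os.urandom(8)          # fresh nonce per cookie issued
    body = nonce + ctr_encrypt(enc_key, nonce, plaintext)
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()

def open_session(enc_key, mac_key, blob):
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):   # verify BEFORE decrypting
        raise ValueError("session MAC check failed")
    return ctr_encrypt(enc_key, body[:8], body[8:])

def tamper_detected(enc_key, mac_key, blob, offset):
    """Flip one bit of a sealed cookie; True if open_session rejects it."""
    forged = bytearray(blob)
    forged[offset] ^= 0x01
    try:
        open_session(enc_key, mac_key, bytes(forged))
        return False
    except ValueError:
        return True

# --- what ECB leaks across two users' cookies --------------------------------
# Constructed sample sessions as fixed 16-byte fields.  Alice and Bob share the
# role field, the theme field and (after padding) the final padding block.
SESSION_ALICE = b"role=member     " + b"user=alice      " + b"theme=dark      "
SESSION_BOB   = b"role=member     " + b"user=bob        " + b"theme=dark      "

def matching_blocks(ct1, ct2):
    """Number of block positions at which two ciphertexts are identical."""
    return sum(1 for i in range(0, min(len(ct1), len(ct2)), BLOCK)
               if ct1[i:i + BLOCK] == ct2[i:i + BLOCK])

def compare_modes(key=b"the-app-wide-encrypt_key"):
    ecb = matching_blocks(ecb_encrypt(key, SESSION_ALICE),
                          ecb_encrypt(key, SESSION_BOB))
    ctr = matching_blocks(ctr_encrypt(key, b"nonce-A!", SESSION_ALICE),
                          ctr_encrypt(key, b"nonce-B!", SESSION_BOB))
    return {"ecb": ecb, "ctr": ctr}   # ECB: 3 positions match; CTR: none
```

`compare_modes()` returns 3 matching block positions for ECB (role, theme and the padding block) and 0 for CTR, which is the whole of the flaw: under ECB an attacker holding several cookies learns which users share field values, and which field of a known-layout record a given user differs in, with no key and no oracle. The HMAC layer is why the announcement can say the flaw allowed reading but not modifying data; `tamper_detected` shows a single flipped bit anywhere in the cookie, nonce, ciphertext or tag, being rejected before any decryption happens.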