oss-sec mailing list archives

ANN: Beaker 1.6.4 released with important security update


From: Ben Bangert <ben () groovie org>
Date: Mon, 13 Aug 2012 15:26:43 -0700

Beaker is a high-level Python library providing caching and sessions for use in web applications. The session 
implementation comes with crypto-based cookie encryption that supports PyCrypto, pycryptopp, and now NSS crypto.

Prior to this release, an attacker could possibly determine some content of cookie-based sessions encrypted with 
PyCrypto due to how the data was encrypted. This flaw did not affect pycryptopp sessions, nor does it allow an attacker 
to change data as a separate HMAC is used to sign the encrypted payload. Red Hat found and supplied a patch to fix this 
flaw, thanks!
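The announcement does not name the weakness, but the NVD entry for CVE-2012-3458 (linked below) describes it as AES being used in ECB mode, and the fix moved the PyCrypto backend to a counter mode. The example below, added here and not taken from Beaker or from the commit, shows the defender-side check that distinguishes the two: ECB encrypts each 16-byte block independently, so identical plaintext blocks in a session payload produce identical ciphertext blocks, which is exactly the kind of structure an observer can read off a cookie. To stay dependency-free it uses a keyed SHA-256 as a stand-in for an AES block operation (an assumption; it is not AES, and the ECB variant is not decryptable), a constructed key, nonce and session payload, and a separate HMAC over the ciphertext to mirror the "HMAC signs the encrypted payload" property the announcement mentions.

```python
import hashlib
import hmac

BLOCK = 16  # AES block size in bytes

# Constructed values for the demonstration only; a real deployment derives the
# key from the session secret and uses a fresh nonce per encryption.
KEY = b"\x01" * 32
SIGN_KEY = b"\x02" * 32
NONCE = b"\x03" * 8
# Constructed session payload: the long repeated run stands in for any field
# whose value repeats across blocks (padding, empty fields, repeated tokens).
PAYLOAD = b'{"user":"alice","csrf":"' + b"X" * 64 + b'"}'


def _block_prf(key: bytes, block: bytes) -> bytes:
    """Stand-in for one AES block operation (assumption: keyed SHA-256 truncated
    to 16 bytes). Deterministic per (key, block), which is all ECB relies on."""
    return hashlib.sha256(key + block).digest()[:BLOCK]


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    """The pre-fix pattern: each block encrypted on its own, no chaining, no nonce.
    Identical plaintext blocks map to identical ciphertext blocks."""
    data = pkcs7_pad(data)
    return b"".join(_block_prf(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))


def ctr_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter mode: the block primitive only generates a keystream from
    (nonce || counter); plaintext is XORed in, so repeats do not show."""
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        counter_block = nonce + (i // BLOCK).to_bytes(8, "big")
        keystream = _block_prf(key, counter_block)
        chunk = data[i:i + BLOCK]
        out += bytes(p ^ k for p, k in zip(chunk, keystream))
    return bytes(out)


# CTR is symmetric: decryption is the same keystream XOR.
ctr_decrypt = ctr_encrypt


def repeated_block_count(ciphertext: bytes) -> int:
    """Audit helper: number of 16-byte ciphertext blocks that duplicate an
    earlier block. Anything above 0 on structured data is a strong ECB signal."""
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    return len(blocks) - len(set(blocks))


def sign(sign_key: bytes, ciphertext: bytes) -> bytes:
    """Separate HMAC over the ciphertext (encrypt-then-MAC), as the advisory
    describes. This stops tampering; it does nothing about leakage from ECB."""
    return hmac.new(sign_key, ciphertext, hashlib.sha256).digest()


def verify(sign_key: bytes, ciphertext: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(sign(sign_key, ciphertext), tag)


def compare_modes() -> dict:
    """Encrypt the same payload both ways and report the repeated-block count."""
    ecb_ct = ecb_encrypt(KEY, PAYLOAD)
    ctr_ct = ctr_encrypt(KEY, NONCE, PAYLOAD)
    return {
        "ecb_repeats": repeated_block_count(ecb_ct),
        "ctr_repeats": repeated_block_count(ctr_ct),
        "ctr_roundtrip_ok": ctr_decrypt(KEY, NONCE, ctr_ct) == PAYLOAD,
        "mac_accepts_untouched": verify(SIGN_KEY, ctr_ct, sign(SIGN_KEY, ctr_ct)),
        "mac_rejects_flipped_byte": not verify(
            SIGN_KEY, bytes([ctr_ct[0] ^ 1]) + ctr_ct[1:], sign(SIGN_KEY, ctr_ct)),
    }


if __name__ == "__main__":
    for name, value in compare_modes().items():
        print(f"{name}: {value}")
```

Run as a script it prints the repeated-block count for each mode: the ECB ciphertext repeats blocks wherever the payload does, while the CTR ciphertext shows none, and the HMAC checks pass either way, which is why the advisory can say the flaw exposed content without allowing modification. The same `repeated_block_count` check is a cheap thing to run over any encrypted cookie or token a service emits when auditing it for ECB use.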

CVE-2012-3458
Fix in beaker: https://github.com/bbangert/beaker/commit/91becae76101cf87ce8cbfabe3af2622fc328fe5

Applying this update will change the hashing of sessions encrypted with PyCrypto, invalidating existing ones.

Changelog for this release:

* Fix bug with key_length not being coerced to an int for comparison. Patch by
  Greg Lavallee.
* Fix bug with cookie invalidation not clearing the cookie data. Patch by
  Vasiliy Lozovoy.
* Added ability to pass in cookie_path for the Session. Patch by Marcin
  Kuzminski.
* Add NSS crypto support to Beaker. Patch by Miloslav Trmac of Redhat.
* Fix security bug with pycrypto not securing data such that an attacker could
  possibly determine parts of the encrypted payload. Patch by Miloslav Trmac of
  Redhat. See `CVE-2012-3458 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3458>`_.
* Add ability to specify schema for database-backed sessions. Patch by Vladimir
  Tananko.
* Fix issue with long key names in memcached backend. Patch by Guillaume
  Taglang.


Cheers,
Ben
