oss-sec mailing list archives

CVE-2013-1895 py-bcrypt 0.2 concurrency vulnerability (auth bypass)


From: Kurt Seifried <kseifried () redhat com>
Date: Mon, 25 Mar 2013 23:58:48 -0600


So py-bcrypt 0.2 has a concurrency vulnerability that can lead to auth
bypass. I looked at the code diff between 0.2 and 0.3; it looks ok.

https://pypi.python.org/pypi/py-bcrypt

Please use CVE-2013-1895 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
