oss-sec mailing list archives
CVE-2013-1895 py-bcrypt 0.2 concurrency vulnerability (auth bypass)
From: Kurt Seifried <kseifried () redhat com>
Date: Mon, 25 Mar 2013 23:58:48 -0600
So py-bcrypt 0.2 has a concurrency vulnerability that can lead to auth bypass. I looked at the code diff between 0.2 and 0.3, looks ok.

https://pypi.python.org/pypi/py-bcrypt

Please use CVE-2013-1895 for this issue.

--
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993