Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <F640638B-5C30-484C-9D62-C0771569151F@groovie.org>
Date: Mon, 13 Aug 2012 15:26:43 -0700
From: Ben Bangert <ben@...ovie.org>
To: pylons-discuss@...glegroups.com
Cc: pylons-devel@...glegroups.com,
 oss-security@...ts.openwall.com
Subject: ANN: Beaker 1.6.4 released with important security update

Beaker is a high-level Python library providing caching and sessions for use in web applications. The session implementation comes with crypto-based cookie encryption that support PyCrypto, pycryptopp, and now NSS crypto.

Prior to this release, an attacker could possibly determine some content of cookie-based sessions encrypted with PyCrypto due to how the data was encrypted. This flaw did not affect pycryptopp sessions, nor does it allow an attacker to change data as a separate HMAC is used to sign the encrypted payload. Red Hat found and supplied a patch to fix this flaw, thanks!

CVE-2012-3458
Fix in beaker: https://github.com/bbangert/beaker/commit/91becae76101cf87ce8cbfabe3af2622fc328fe5

Applying this update will change the hashing of sessions encrypted with PyCrypto, invalidating existing ones.

Changelog for this release:

* Fix bug with key_length not being coerced to a int for comparison. Patch by
  Greg Lavallee.
* Fix bug with cookie invalidation not clearing the cookie data. Patch by
  Vasiliy Lozovoy.
* Added ability to pass in cookie_path for the Session. Patch by Marcin
  Kuzminski.
* Add NSS crypto support to Beaker. Patch by Miloslav Trmac of Redhat.
* Fix security bug with pycrypto not securing data such that an attacker could
  possibly determine parts of the encrypted payload. Patch by Miloslav Trmac of
  Redhat. See `CVE-2012-3458 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3458>`_.
* Add ability to specify schema for database-backed sessions. Patch by Vladimir
  Tananko.
* Fix issue with long key names in memcached backend. Patch by Guillaume
  Taglang.


Cheers,
Ben

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.