oss-sec mailing list archives

Re: CVE Request: Python keyring


From: Raphael Geissert <geissert () debian org>
Date: Tue, 30 Oct 2012 13:27:28 -0600

On Friday 05 October 2012 15:21:57 Marc Deslauriers wrote:
Hello,

Python keyring before 0.9.1 was using the user-supplied password
insecurely.

From the 0.9.1 changelog:

CryptedFileKeyring now uses PBKDF2 to derive the key from the user's
password and a random hash. The IV is chosen randomly as well. All the
stored passwords are encrypted at once. Any keyrings using the old
format will be automatically converted to the new format (but will no
longer be compatible with 0.9 and earlier). The user's password is no
longer limited to 32 characters. PyCrypto 2.5 or greater is now required
for this keyring.

See:

http://pypi.python.org/pypi/keyring#id2
https://bugs.launchpad.net/ubuntu/+source/python-keyring/+bug/1004845

Could a CVE id be assigned please?

Thanks,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
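A stdlib-only sketch of the scheme the changelog describes, added here as an illustration and not code from keyring itself: the key is derived from the user's password with PBKDF2 over a random salt, a random IV is chosen, and all stored entries are encrypted together under that key. The iteration count, salt and IV sizes, and the HMAC-based stand-in stream cipher (keyring uses AES via PyCrypto) are assumptions made so the example runs without third-party modules.

```python
import hashlib
import hmac
import json
import os

# Constructed parameters: the 0.9.1 changelog names PBKDF2, a random salt and a
# random IV but not the iteration count or hash; these values are illustrative.
ITERATIONS = 200_000
SALT_LEN = 16
IV_LEN = 16


def derive_keys(password: str, salt: bytes, iterations: int = ITERATIONS) -> tuple:
    """PBKDF2-HMAC-SHA256 over the full password (no 32-character limit);
    a fresh salt per file means equal passwords never yield equal keys."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=64)
    return dk[:32], dk[32:]          # (encryption key, MAC key)


def keystream_xor(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher: HMAC-SHA256(key, iv || counter) blocks XORed
    into the data. keyring itself uses AES from PyCrypto; this keeps the
    example runnable on the standard library alone."""
    out = bytearray()
    for n in range((len(data) + 31) // 32):
        block = hmac.new(key, iv + n.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[32 * n:32 * n + 32], block))
    return bytes(out)


def encrypt_keyring(entries: dict, password: str) -> dict:
    """Serialise every stored password and encrypt them all at once under one
    derived key; the random salt and IV are recorded beside the ciphertext."""
    salt, iv = os.urandom(SALT_LEN), os.urandom(IV_LEN)
    enc_key, mac_key = derive_keys(password, salt)
    ct = keystream_xor(enc_key, iv, json.dumps(entries).encode("utf-8"))
    tag = hmac.new(mac_key, salt + iv + ct, hashlib.sha256).hexdigest()
    return {"salt": salt.hex(), "iv": iv.hex(), "iterations": ITERATIONS,
            "ciphertext": ct.hex(), "mac": tag}


def decrypt_keyring(blob: dict, password: str) -> dict:
    """Re-derive the keys from the stored salt, verify the MAC before
    decrypting, and return the entries; a wrong password fails the MAC."""
    salt, iv, ct = (bytes.fromhex(blob[k]) for k in ("salt", "iv", "ciphertext"))
    enc_key, mac_key = derive_keys(password, salt, blob["iterations"])
    expected = hmac.new(mac_key, salt + iv + ct, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, blob["mac"]):
        raise ValueError("wrong password or tampered keyring file")
    return json.loads(keystream_xor(enc_key, iv, ct).decode("utf-8"))
```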

