Home page logo
/

oss-sec logo oss-sec mailing list archives

Re: CVE Request: Python keyring
From: Raphael Geissert <geissert () debian org>
Date: Tue, 30 Oct 2012 13:27:28 -0600

On Friday 05 October 2012 15:21:57 Marc Deslauriers wrote:
Hello,

Python keyring before 0.9.1 was using the user-supplied password
insecurely.

From the 0.9.1 changelog:

CryptedFileKeyring now uses PBKDF2 to derive the key from the user's
password and a random hash. The IV is chosen randomly as well. All the
stored passwords are encrypted at once. Any keyrings using the old
format will be automatically converted to the new format (but will no
longer be compatible with 0.9 and earlier). The user's password is no
longer limited to 32 characters. PyCrypto 2.5 or greater is now required
for this keyring.

See:

http://pypi.python.org/pypi/keyring#id2
https://bugs.launchpad.net/ubuntu/+source/python-keyring/+bug/1004845

Could a CVE id be assigned please?

Thanks,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault