Account Options

  1. Sign in
The old Google Groups will be going away soon, but your browser is incompatible with the new version.
Google Groups Home
« Groups Home
pylons-devel
Home
+ new post
About this group
Join this group
ANN: Beaker 1.6.4 released with important security update
Options
There are currently too many topics in this group that display first. To make this topic appear first, remove this option from another topic.
There was an error processing your request. Please try again.
flag
   1 message - Collapse all  -  Translate all to Translated (View all originals)
The group you are posting to is a Usenet group. Messages posted to this group will make your email address visible to anyone on the Internet.
Your reply message has not been sent.
Your post was successful
 
From:
To:
Cc:
Followup To:
Add Cc | Add Followup-to | Edit Subject
Subject:
Validation:
For verification purposes please type the characters you see in the picture below or the numbers you hear by clicking the accessibility icon. Listen and type the numbers you hear
 
Ben Bangert  
View profile  
 More options Aug 13 2012, 6:26 pm
From: Ben Bangert <b...@groovie.org>
Date: Mon, 13 Aug 2012 15:26:43 -0700
Local: Mon, Aug 13 2012 6:26 pm
Subject: ANN: Beaker 1.6.4 released with important security update
Print | Individual message | Show original | Report this message | Find messages by this author
Beaker is a high-level Python library providing caching and sessions for use in web applications. The session implementation comes with crypto-based cookie encryption that support PyCrypto, pycryptopp, and now NSS crypto.

Prior to this release, an attacker could possibly determine some content of cookie-based sessions encrypted with PyCrypto due to how the data was encrypted. This flaw did not affect pycryptopp sessions, nor does it allow an attacker to change data as a separate HMAC is used to sign the encrypted payload. Red Hat found and supplied a patch to fix this flaw, thanks!

CVE-2012-3458
Fix in beaker: https://github.com/bbangert/beaker/commit/91becae76101cf87ce8cbfabe3a...

Applying this update will change the hashing of sessions encrypted with PyCrypto, invalidating existing ones.

Changelog for this release:

* Fix bug with key_length not being coerced to a int for comparison. Patch by
  Greg Lavallee.
* Fix bug with cookie invalidation not clearing the cookie data. Patch by
  Vasiliy Lozovoy.
* Added ability to pass in cookie_path for the Session. Patch by Marcin
  Kuzminski.
* Add NSS crypto support to Beaker. Patch by Miloslav Trmac of Redhat.
* Fix security bug with pycrypto not securing data such that an attacker could
  possibly determine parts of the encrypted payload. Patch by Miloslav Trmac of
  Redhat. See `CVE-2012-3458 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3458>`_.
* Add ability to specify schema for database-backed sessions. Patch by Vladimir
  Tananko.
* Fix issue with long key names in memcached backend. Patch by Guillaume
  Taglang.

Cheers,
Ben


 
You must Sign in before you can post messages.
To post a message you must first join this group.
Please update your nickname on the subscription settings page before posting.
You do not have the permission required to post.
End of messages
« Back to Discussions « Newer topic     Older topic »

Create a group - Google Groups - Google Home - Terms of Service - Privacy Policy
©2013 Google