Beaker is a high-level Python library providing caching and sessions for use in web applications. The session implementation comes with crypto-based cookie encryption that support PyCrypto, pycryptopp, and now NSS crypto.
Prior to this release, an attacker could possibly determine some content of cookie-based sessions encrypted with PyCrypto due to how the data was encrypted. This flaw did not affect pycryptopp sessions, nor does it allow an attacker to change data as a separate HMAC is used to sign the encrypted payload. Red Hat found and supplied a patch to fix this flaw, thanks!
Fix in beaker: https://github.com/bbangert/beaker/commit/91becae76101cf87ce8cbfabe3a...
Applying this update will change the hashing of sessions encrypted with PyCrypto, invalidating existing ones.
Changelog for this release:
* Fix bug with key_length not being coerced to a int for comparison. Patch by
* Fix bug with cookie invalidation not clearing the cookie data. Patch by
* Added ability to pass in cookie_path for the Session. Patch by Marcin
* Add NSS crypto support to Beaker. Patch by Miloslav Trmac of Redhat.
* Fix security bug with pycrypto not securing data such that an attacker could
possibly determine parts of the encrypted payload. Patch by Miloslav Trmac of
Redhat. See `CVE-2012-3458 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3458>`_.
* Add ability to specify schema for database-backed sessions. Patch by Vladimir
* Fix issue with long key names in memcached backend. Patch by Guillaume