Debian Bug report logs - #704030
python-bcrypt: CVE-2013-1895: concurrency issue leading to auth bypass
Reported by: Neil Williams <neil@spladug.net>
Date: Wed, 27 Mar 2013 03:24:06 UTC
Severity: grave
Tags: patch, security
Found in version python-bcrypt/0.1-1
Fixed in versions 0.1-1+rm, python-bcrypt/0.4-1
Done: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Kevin Coyner <kcoyner@debian.org>: Bug#704030; Package python-bcrypt. (Wed, 27 Mar 2013 03:24:10 GMT)
Acknowledgement sent to Neil Williams <neil@spladug.net>: New Bug report received and forwarded. Copy sent to Kevin Coyner <kcoyner@debian.org>. (Wed, 27 Mar 2013 03:24:10 GMT)
Message #5 received at submit@bugs.debian.org:
Package: python-bcrypt
Version: 0.1-1
Severity: important
Tags: security
Dear Maintainer,
Upstream has released an update (v0.3) which fixes a security issue, please see:
https://code.google.com/p/py-bcrypt/source/detail?r=3bc365ff43736d26ff37e9f2a4084f37b381b569
Severity set to 'grave' from 'important'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 27 Mar 2013 05:27:07 GMT)
Changed Bug title to 'python-bcrypt: CVE-2013-1895: concurrency issue leading to auth bypass' from 'python-bcrypt: Upstream has released a security update.' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 27 Mar 2013 05:27:08 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Kevin Coyner <kcoyner@debian.org>: Bug#704030; Package python-bcrypt. (Wed, 27 Mar 2013 12:30:04 GMT)
Acknowledgement sent to John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>: Extra info received and forwarded to list. Copy sent to Kevin Coyner <kcoyner@debian.org>. (Wed, 27 Mar 2013 12:30:04 GMT)
Message #14 received at 704030@bugs.debian.org:
tags 704030 patch
thanks
Hi,
I created a patch from the upstream, see attached.
Cheers,
Adrian
--
.''`. John Paul Adrian Glaubitz
: :' : Debian Developer - glaubitz@debian.org
`. `' Freie Universitaet Berlin - glaubitz@physik.fu-berlin.de
`- GPG: 62FF 8A75 84E0 2956 9546 0006 7426 3B37 F5B5 F913
[python-bcrypt-CVE-2013-1895.patch (text/x-patch, attachment)]
Added tag(s) patch. Request was from John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de> to control@bugs.debian.org. (Wed, 27 Mar 2013 12:30:07 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Kevin Coyner <kcoyner@debian.org>: Bug#704030; Package python-bcrypt. (Wed, 27 Mar 2013 13:15:04 GMT)
Acknowledgement sent to John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>: Extra info received and forwarded to list. Copy sent to Kevin Coyner <kcoyner@debian.org>. (Wed, 27 Mar 2013 13:15:04 GMT)
Message #21 received at 704030@bugs.debian.org:
I have prepared an NMU with the attached debdiff. I'd be happy to upload
if the maintainer agrees.
Adrian
--
.''`. John Paul Adrian Glaubitz
: :' : Debian Developer - glaubitz@debian.org
`. `' Freie Universitaet Berlin - glaubitz@physik.fu-berlin.de
`- GPG: 62FF 8A75 84E0 2956 9546 0006 7426 3B37 F5B5 F913
[python-bcrypt_0.1-1.1.patch (text/x-patch, attachment)]
Information forwarded to debian-bugs-dist@lists.debian.org, Kevin Coyner <kcoyner@debian.org>: Bug#704030; Package python-bcrypt. (Thu, 28 Mar 2013 15:15:11 GMT)
Acknowledgement sent to John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>: Extra info received and forwarded to list. Copy sent to Kevin Coyner <kcoyner@debian.org>. (Thu, 28 Mar 2013 15:15:11 GMT)
Message #26 received at 704030@bugs.debian.org:
Hi,
after talking with the release team, the package has now been requested
to be removed, see [1].
Adrian
> [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=704126
--
.''`. John Paul Adrian Glaubitz
: :' : Debian Developer - glaubitz@debian.org
`. `' Freie Universitaet Berlin - glaubitz@physik.fu-berlin.de
`- GPG: 62FF 8A75 84E0 2956 9546 0006 7426 3B37 F5B5 F913
Information forwarded to debian-bugs-dist@lists.debian.org, Kevin Coyner <kcoyner@debian.org>: Bug#704030; Package python-bcrypt. (Thu, 28 Mar 2013 15:51:07 GMT)
Acknowledgement sent to Kevin Coyner <kevin@rustybear.com>: Extra info received and forwarded to list. Copy sent to Kevin Coyner <kcoyner@debian.org>. (Thu, 28 Mar 2013 15:51:07 GMT)
Message #31 received at 704030@bugs.debian.org:
Adrian
Many thanks for your work in creating the patch. However, it seems to be
built against version 0.2. The version in the Debian repositories is 0.1-1,
so your patch cannot be directly applied.
I'll work on bringing the package up to date to version 0.2, and then will
apply your patch.
Thank you for your work.
Kevin
On Wed, Mar 27, 2013 at 9:10 AM, John Paul Adrian Glaubitz <
glaubitz@physik.fu-berlin.de> wrote:
> I have prepared an NMU with the attached debdiff. I'd be happy to upload
> if the maintainer agrees.
>
>
> Adrian
>
> --
> .''`. John Paul Adrian Glaubitz
> : :' : Debian Developer - glaubitz@debian.org
> `. `' Freie Universitaet Berlin - glaubitz@physik.fu-berlin.de
> `- GPG: 62FF 8A75 84E0 2956 9546 0006 7426 3B37 F5B5 F913
>
--
Kevin Coyner GnuPG key: 2048R/C85D8F71 http://rustybear.com/publickey.html
Information forwarded to debian-bugs-dist@lists.debian.org, Kevin Coyner <kcoyner@debian.org>: Bug#704030; Package python-bcrypt. (Thu, 28 Mar 2013 15:54:07 GMT)
Acknowledgement sent to Kevin Coyner <kevin@rustybear.com>: Extra info received and forwarded to list. Copy sent to Kevin Coyner <kcoyner@debian.org>. (Thu, 28 Mar 2013 15:54:07 GMT)
Message #36 received at 704030@bugs.debian.org:
Just saw this and would have to concur. The package has a very small
following and can be removed.
Kevin
On Thu, Mar 28, 2013 at 11:12 AM, John Paul Adrian Glaubitz <
glaubitz@physik.fu-berlin.de> wrote:
> Hi,
>
> after talking with the release team, the package has now been requested to
> be removed, see [1].
>
> Adrian
>
> > [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=704126
>
> --
> .''`. John Paul Adrian Glaubitz
> : :' : Debian Developer - glaubitz@debian.org
> `. `' Freie Universitaet Berlin - glaubitz@physik.fu-berlin.de
> `- GPG: 62FF 8A75 84E0 2956 9546 0006 7426 3B37 F5B5 F913
>
--
Kevin Coyner GnuPG key: 2048R/C85D8F71 http://rustybear.com/publickey.html
Information forwarded to debian-bugs-dist@lists.debian.org, Kevin Coyner <kcoyner@debian.org>: Bug#704030; Package python-bcrypt. (Thu, 28 Mar 2013 15:57:05 GMT)
Acknowledgement sent to John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>: Extra info received and forwarded to list. Copy sent to Kevin Coyner <kcoyner@debian.org>. (Thu, 28 Mar 2013 15:57:05 GMT)
Message #41 received at 704030@bugs.debian.org:
On 03/28/2013 04:51 PM, Kevin Coyner wrote:
> Just saw this and would have to concur. The package has a very small
> following and can be removed.
It can probably be replaced with python-passlib, can't it?
Adrian
--
.''`. John Paul Adrian Glaubitz
: :' : Debian Developer - glaubitz@debian.org
`. `' Freie Universitaet Berlin - glaubitz@physik.fu-berlin.de
`- GPG: 62FF 8A75 84E0 2956 9546 0006 7426 3B37 F5B5 F913
Information forwarded to debian-bugs-dist@lists.debian.org, Kevin Coyner <kcoyner@debian.org>: Bug#704030; Package python-bcrypt. (Thu, 28 Mar 2013 15:57:07 GMT)
Acknowledgement sent to Kevin Coyner <kevin@rustybear.com>: Extra info received and forwarded to list. Copy sent to Kevin Coyner <kcoyner@debian.org>. (Thu, 28 Mar 2013 15:57:07 GMT)
Message #46 received at 704030@bugs.debian.org:
On Thu, Mar 28, 2013 at 11:52 AM, John Paul Adrian Glaubitz <
glaubitz@physik.fu-berlin.de> wrote:
> On 03/28/2013 04:51 PM, Kevin Coyner wrote:
>
>> Just saw this and would have to concur. The package has a very small
>> following and can be removed.
>>
>
> It can probably be replaced with python-passlib, can't it?
I would think so, but I'd have to take a closer look at
python-passlib.
Kevin
> python-passlib
>
> Adrian
>
>
> --
> .''`. John Paul Adrian Glaubitz
> : :' : Debian Developer - glaubitz@debian.org
> `. `' Freie Universitaet Berlin - glaubitz@physik.fu-berlin.de
> `- GPG: 62FF 8A75 84E0 2956 9546 0006 7426 3B37 F5B5 F913
>
--
Kevin Coyner GnuPG key: 2048R/C85D8F71 http://rustybear.com/publickey.html
Reply sent to Debian FTP Masters <ftpmaster@ftp-master.debian.org>: You have taken responsibility. (Thu, 28 Mar 2013 18:39:10 GMT)
Notification sent to Neil Williams <neil@spladug.net>: Bug acknowledged by developer. (Thu, 28 Mar 2013 18:39:10 GMT)
Message #51 received at 704030-done@bugs.debian.org:
Version: 0.1-1+rm
Dear submitter,
as the package python-bcrypt has just been removed from the Debian archive
unstable we hereby close the associated bug reports. We are sorry
that we couldn't deal with your issue properly.
For details on the removal, please see http://bugs.debian.org/704126
The version of this package that was in Debian prior to this removal
can still be found using http://snapshot.debian.org/.
This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmaster@debian.org.
Debian distribution maintenance software
pp.
Ansgar Burchardt (the ftpmaster behind the curtain)
Information forwarded to debian-bugs-dist@lists.debian.org, Kevin Coyner <kcoyner@debian.org>: Bug#704030; Package python-bcrypt. (Fri, 29 Mar 2013 17:00:04 GMT)
Acknowledgement sent to Frank Sievertsen <packaging@fx5.de>: Extra info received and forwarded to list. Copy sent to Kevin Coyner <kcoyner@debian.org>. (Fri, 29 Mar 2013 17:00:04 GMT)
Message #56 received at 704030@bugs.debian.org:
As far as I know version 0.1 wasn't affected by this issue because it
doesn't release GIL.
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 05 May 2013 07:37:52 GMT)
Bug unarchived. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 02 Feb 2014 21:03:04 GMT)
Marked as fixed in versions python-bcrypt/0.4-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 02 Feb 2014 21:03:05 GMT)
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 03 Mar 2014 07:27:27 GMT)
Last modified: Wed Jun 19 13:14:31 2019