python-bcrypt: CVE-2013-1895: concurrency issue leading to auth bypass

Related Vulnerabilities: CVE-2013-1895  

Debian Bug report logs - #704030

Reported by: Neil Williams <neil@spladug.net>

Date: Wed, 27 Mar 2013 03:24:06 UTC

Severity: grave

Tags: patch, security

Found in version python-bcrypt/0.1-1

Fixed in versions 0.1-1+rm, python-bcrypt/0.4-1

Done: Debian FTP Masters <ftpmaster@ftp-master.debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Kevin Coyner <kcoyner@debian.org>:
Bug#704030; Package python-bcrypt. (Wed, 27 Mar 2013 03:24:10 GMT) (full text, mbox, link).


Acknowledgement sent to Neil Williams <neil@spladug.net>:
New Bug report received and forwarded. Copy sent to Kevin Coyner <kcoyner@debian.org>. (Wed, 27 Mar 2013 03:24:10 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Neil Williams <neil@spladug.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: python-bcrypt: Upstream has released a security update.
Date: Tue, 26 Mar 2013 19:37:44 -0700
Package: python-bcrypt
Version: 0.1-1
Severity: important
Tags: security

Dear Maintainer,

Upstream has released an update (v0.3) which fixes a security issue, please see:

https://code.google.com/p/py-bcrypt/source/detail?r=3bc365ff43736d26ff37e9f2a4084f37b381b569



Severity set to 'grave' from 'important' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 27 Mar 2013 05:27:07 GMT) (full text, mbox, link).


Changed Bug title to 'python-bcrypt: CVE-2013-1895: concurrency issue leading to auth bypass' from 'python-bcrypt: Upstream has released a security update.' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 27 Mar 2013 05:27:08 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Kevin Coyner <kcoyner@debian.org>:
Bug#704030; Package python-bcrypt. (Wed, 27 Mar 2013 12:30:04 GMT) (full text, mbox, link).


Acknowledgement sent to John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>:
Extra info received and forwarded to list. Copy sent to Kevin Coyner <kcoyner@debian.org>. (Wed, 27 Mar 2013 12:30:04 GMT) (full text, mbox, link).


Message #14 received at 704030@bugs.debian.org (full text, mbox, reply):

From: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
To: Neil Williams <neil@spladug.net>, 704030@bugs.debian.org, control@bugs.debian.org
Subject: Re: python-bcrypt: Upstream has released a security update.
Date: Wed, 27 Mar 2013 13:27:31 +0100
tags 704030 patch
thanks

Hi,

I created a patch from the upstream, see attached.

Cheers,

Adrian

-- 
 .''`.  John Paul Adrian Glaubitz
: :' :  Debian Developer - glaubitz@debian.org
`. `'   Freie Universitaet Berlin - glaubitz@physik.fu-berlin.de
  `-    GPG: 62FF 8A75 84E0 2956 9546  0006 7426 3B37 F5B5 F913
[python-bcrypt-CVE-2013-1895.patch (text/x-patch, attachment)]

Added tag(s) patch. Request was from John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de> to control@bugs.debian.org. (Wed, 27 Mar 2013 12:30:07 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Kevin Coyner <kcoyner@debian.org>:
Bug#704030; Package python-bcrypt. (Wed, 27 Mar 2013 13:15:04 GMT) (full text, mbox, link).


Acknowledgement sent to John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>:
Extra info received and forwarded to list. Copy sent to Kevin Coyner <kcoyner@debian.org>. (Wed, 27 Mar 2013 13:15:04 GMT) (full text, mbox, link).


Message #21 received at 704030@bugs.debian.org (full text, mbox, reply):

From: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
To: Neil Williams <neil@spladug.net>, 704030@bugs.debian.org
Subject: Re: python-bcrypt: Upstream has released a security update.
Date: Wed, 27 Mar 2013 14:10:30 +0100
I have prepared an NMU with the attached debdiff. I'd be happy to upload 
if the maintainer agrees.

Adrian

-- 
 .''`.  John Paul Adrian Glaubitz
: :' :  Debian Developer - glaubitz@debian.org
`. `'   Freie Universitaet Berlin - glaubitz@physik.fu-berlin.de
  `-    GPG: 62FF 8A75 84E0 2956 9546  0006 7426 3B37 F5B5 F913
[python-bcrypt_0.1-1.1.patch (text/x-patch, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Kevin Coyner <kcoyner@debian.org>:
Bug#704030; Package python-bcrypt. (Thu, 28 Mar 2013 15:15:11 GMT) (full text, mbox, link).


Acknowledgement sent to John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>:
Extra info received and forwarded to list. Copy sent to Kevin Coyner <kcoyner@debian.org>. (Thu, 28 Mar 2013 15:15:11 GMT) (full text, mbox, link).


Message #26 received at 704030@bugs.debian.org (full text, mbox, reply):

From: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
To: Neil Williams <neil@spladug.net>
Cc: 704030@bugs.debian.org
Subject: Re: python-bcrypt: Upstream has released a security update.
Date: Thu, 28 Mar 2013 16:12:55 +0100
Hi,

after talking with the release team, the package has now been requested 
to be removed, see [1].

Adrian

> [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=704126

-- 
 .''`.  John Paul Adrian Glaubitz
: :' :  Debian Developer - glaubitz@debian.org
`. `'   Freie Universitaet Berlin - glaubitz@physik.fu-berlin.de
  `-    GPG: 62FF 8A75 84E0 2956 9546  0006 7426 3B37 F5B5 F913



Information forwarded to debian-bugs-dist@lists.debian.org, Kevin Coyner <kcoyner@debian.org>:
Bug#704030; Package python-bcrypt. (Thu, 28 Mar 2013 15:51:07 GMT) (full text, mbox, link).


Acknowledgement sent to Kevin Coyner <kevin@rustybear.com>:
Extra info received and forwarded to list. Copy sent to Kevin Coyner <kcoyner@debian.org>. (Thu, 28 Mar 2013 15:51:07 GMT) (full text, mbox, link).


Message #31 received at 704030@bugs.debian.org (full text, mbox, reply):

From: Kevin Coyner <kevin@rustybear.com>
To: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>, 704030@bugs.debian.org
Cc: Neil Williams <neil@spladug.net>
Subject: Re: Bug#704030: python-bcrypt: Upstream has released a security update.
Date: Thu, 28 Mar 2013 11:45:57 -0400
Adrian

Many thanks for your work in creating the patch. However, it seems to be
built against version 0.2. The version in the Debian repositories is 0.1-1,
so your patch cannot be directly applied.

I'll work on bringing the package up to date to version 0.2, and then will
apply your patch.

Thank you for your work.

Kevin


On Wed, Mar 27, 2013 at 9:10 AM, John Paul Adrian Glaubitz <
glaubitz@physik.fu-berlin.de> wrote:

> I have prepared an NMU with the attached debdiff. I'd be happy to upload
> if the maintainer agrees.
>
>
> Adrian
>
> --
>  .''`.  John Paul Adrian Glaubitz
> : :' :  Debian Developer - glaubitz@debian.org
> `. `'   Freie Universitaet Berlin - glaubitz@physik.fu-berlin.de
>   `-    GPG: 62FF 8A75 84E0 2956 9546  0006 7426 3B37 F5B5 F913
>



-- 
Kevin Coyner  GnuPG key: 2048R/C85D8F71  http://rustybear.com/publickey.html

Information forwarded to debian-bugs-dist@lists.debian.org, Kevin Coyner <kcoyner@debian.org>:
Bug#704030; Package python-bcrypt. (Thu, 28 Mar 2013 15:54:07 GMT) (full text, mbox, link).


Acknowledgement sent to Kevin Coyner <kevin@rustybear.com>:
Extra info received and forwarded to list. Copy sent to Kevin Coyner <kcoyner@debian.org>. (Thu, 28 Mar 2013 15:54:07 GMT) (full text, mbox, link).


Message #36 received at 704030@bugs.debian.org (full text, mbox, reply):

From: Kevin Coyner <kevin@rustybear.com>
To: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>, 704030@bugs.debian.org
Cc: Neil Williams <neil@spladug.net>
Subject: Re: Bug#704030: python-bcrypt: Upstream has released a security update.
Date: Thu, 28 Mar 2013 11:51:03 -0400
Just saw this and would have to concur. The package has a very small
following and can be removed.

Kevin



On Thu, Mar 28, 2013 at 11:12 AM, John Paul Adrian Glaubitz <
glaubitz@physik.fu-berlin.de> wrote:

> Hi,
>
> after talking with the release team, the package has now been requested to
> be removed, see [1].
>
> Adrian
>
> > [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=704126
>
> --
>  .''`.  John Paul Adrian Glaubitz
> : :' :  Debian Developer - glaubitz@debian.org
> `. `'   Freie Universitaet Berlin - glaubitz@physik.fu-berlin.de
>   `-    GPG: 62FF 8A75 84E0 2956 9546  0006 7426 3B37 F5B5 F913
>



-- 
Kevin Coyner  GnuPG key: 2048R/C85D8F71  http://rustybear.com/publickey.html

Information forwarded to debian-bugs-dist@lists.debian.org, Kevin Coyner <kcoyner@debian.org>:
Bug#704030; Package python-bcrypt. (Thu, 28 Mar 2013 15:57:05 GMT) (full text, mbox, link).


Acknowledgement sent to John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>:
Extra info received and forwarded to list. Copy sent to Kevin Coyner <kcoyner@debian.org>. (Thu, 28 Mar 2013 15:57:05 GMT) (full text, mbox, link).


Message #41 received at 704030@bugs.debian.org (full text, mbox, reply):

From: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
To: Kevin Coyner <kevin@rustybear.com>
Cc: 704030@bugs.debian.org, Neil Williams <neil@spladug.net>
Subject: Re: Bug#704030: python-bcrypt: Upstream has released a security update.
Date: Thu, 28 Mar 2013 16:52:37 +0100
On 03/28/2013 04:51 PM, Kevin Coyner wrote:
> Just saw this and would have to concur. The package has a very small
> following and can be removed.

It can probably be replaced with python-passlib, can't it?

Adrian

-- 
 .''`.  John Paul Adrian Glaubitz
: :' :  Debian Developer - glaubitz@debian.org
`. `'   Freie Universitaet Berlin - glaubitz@physik.fu-berlin.de
  `-    GPG: 62FF 8A75 84E0 2956 9546  0006 7426 3B37 F5B5 F913



Information forwarded to debian-bugs-dist@lists.debian.org, Kevin Coyner <kcoyner@debian.org>:
Bug#704030; Package python-bcrypt. (Thu, 28 Mar 2013 15:57:07 GMT) (full text, mbox, link).


Acknowledgement sent to Kevin Coyner <kevin@rustybear.com>:
Extra info received and forwarded to list. Copy sent to Kevin Coyner <kcoyner@debian.org>. (Thu, 28 Mar 2013 15:57:07 GMT) (full text, mbox, link).


Message #46 received at 704030@bugs.debian.org (full text, mbox, reply):

From: Kevin Coyner <kevin@rustybear.com>
To: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
Cc: 704030@bugs.debian.org, Neil Williams <neil@spladug.net>
Subject: Re: Bug#704030: python-bcrypt: Upstream has released a security update.
Date: Thu, 28 Mar 2013 11:55:27 -0400
On Thu, Mar 28, 2013 at 11:52 AM, John Paul Adrian Glaubitz <
glaubitz@physik.fu-berlin.de> wrote:

> On 03/28/2013 04:51 PM, Kevin Coyner wrote:
>
>> Just saw this and would have to concur. The package has a very small
>> following and can be removed.
>>
>
> It can probably be replaced with python-passlib, can't it?



I would think so but I'd have to take a closer look at
python-passlib.

Kevin




> python-passlib
>
> Adrian
>
>
> --
>  .''`.  John Paul Adrian Glaubitz
> : :' :  Debian Developer - glaubitz@debian.org
> `. `'   Freie Universitaet Berlin - glaubitz@physik.fu-berlin.de
>   `-    GPG: 62FF 8A75 84E0 2956 9546  0006 7426 3B37 F5B5 F913
>



-- 
Kevin Coyner  GnuPG key: 2048R/C85D8F71  http://rustybear.com/publickey.html

Reply sent to Debian FTP Masters <ftpmaster@ftp-master.debian.org>:
You have taken responsibility. (Thu, 28 Mar 2013 18:39:10 GMT) (full text, mbox, link).


Notification sent to Neil Williams <neil@spladug.net>:
Bug acknowledged by developer. (Thu, 28 Mar 2013 18:39:10 GMT) (full text, mbox, link).


Message #51 received at 704030-done@bugs.debian.org (full text, mbox, reply):

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 704030-done@bugs.debian.org,
Cc: python-bcrypt@packages.debian.org, python-bcrypt@packages.qa.debian.org
Subject: Bug#704126: Removed package(s) from unstable
Date: Thu, 28 Mar 2013 18:37:34 +0000
Version: 0.1-1+rm

Dear submitter,

as the package python-bcrypt has just been removed from the Debian archive
unstable we hereby close the associated bug reports.  We are sorry
that we couldn't deal with your issue properly.

For details on the removal, please see http://bugs.debian.org/704126

The version of this package that was in Debian prior to this removal
can still be found using http://snapshot.debian.org/.

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmaster@debian.org.

Debian distribution maintenance software
pp.
Ansgar Burchardt (the ftpmaster behind the curtain)



Information forwarded to debian-bugs-dist@lists.debian.org, Kevin Coyner <kcoyner@debian.org>:
Bug#704030; Package python-bcrypt. (Fri, 29 Mar 2013 17:00:04 GMT) (full text, mbox, link).


Acknowledgement sent to Frank Sievertsen <packaging@fx5.de>:
Extra info received and forwarded to list. Copy sent to Kevin Coyner <kcoyner@debian.org>. (Fri, 29 Mar 2013 17:00:04 GMT) (full text, mbox, link).


Message #56 received at 704030@bugs.debian.org (full text, mbox, reply):

From: Frank Sievertsen <packaging@fx5.de>
To: 704030@bugs.debian.org
Subject: python-bcrypt
Date: Fri, 29 Mar 2013 17:49:28 +0100
As far as I know version 0.1 wasn't affected by this issue because it 
doesn't release GIL.
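A thread-safety regression check for a password-hashing wrapper, added here as an illustration; it is not py-bcrypt's code nor anything posted in this thread. The CVE record describes concurrent authentication requests causing the wrong hash to be compared, so the check hashes distinct passwords from several threads and counts results that belong to another caller. The `StaticBufferHasher`, `PerCallHasher`, and the `Barrier` that forces the interleaving are constructed stand-ins for a C routine that releases the GIL while its result sits in shared storage.

```python
import hashlib
import hmac
import threading


def _slow_hash(password: bytes, salt: bytes) -> bytes:
    # Constructed stand-in for the bcrypt KDF; the algorithm is irrelevant here.
    return hashlib.pbkdf2_hmac("sha256", password, salt, 1000)


class StaticBufferHasher:
    """Unsafe pattern (hypothetical): one output buffer shared by every caller."""

    def __init__(self, sync):
        self._buf = None      # plays the role of a C-level static result buffer
        self._sync = sync     # point where another thread may run (GIL released)

    def hashpw(self, password: bytes, salt: bytes) -> bytes:
        self._buf = _slow_hash(password, salt)   # write into the shared buffer
        self._sync()                             # another caller overwrites it here
        return self._buf                         # may now be someone else's hash


class PerCallHasher:
    """Mitigated pattern: the result lives in storage private to this call."""

    def __init__(self, sync):
        self._sync = sync

    def hashpw(self, password: bytes, salt: bytes) -> bytes:
        out = _slow_hash(password, salt)
        self._sync()
        return out


def checkpw(hasher, password: bytes, salt: bytes, stored: bytes) -> bool:
    # Constant-time comparison; useless if hashpw handed back another caller's hash.
    return hmac.compare_digest(hasher.hashpw(password, salt), stored)


def count_cross_talk(hasher_cls, n_threads: int = 4) -> int:
    """Hash n distinct passwords concurrently; return how many callers got a wrong hash."""
    barrier = threading.Barrier(n_threads)       # forces all writes before any read
    hasher = hasher_cls(barrier.wait)
    salt = b"constructed-salt"                   # constructed sample value
    results = {}

    def worker(i: int) -> None:
        pw = b"password-%d" % i
        results[i] = hasher.hashpw(pw, salt) == _slow_hash(pw, salt)

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(n_threads)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(1 for ok in results.values() if not ok)
```

With the shared buffer every caller except the last writer receives a foreign hash, which is exactly the condition under which a wrong password can compare equal to a stored hash; the per-call version reports zero cross-talk.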



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 05 May 2013 07:37:52 GMT) (full text, mbox, link).


Bug unarchived. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 02 Feb 2014 21:03:04 GMT) (full text, mbox, link).


Marked as fixed in versions python-bcrypt/0.4-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 02 Feb 2014 21:03:05 GMT) (full text, mbox, link).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 03 Mar 2014 07:27:27 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:14:31 2019; Machine Name: buxtehude
