python-pysaml2: CVE-2017-1000246: Reuse of AES initialization vector in AESCipher / UsernamePasswordMako / Server

Related Vulnerabilities: CVE-2017-1000246  

Debian Bug report logs - #882012


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 17 Nov 2017 16:03:02 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Found in versions python-pysaml2/4.5.0-1, python-pysaml2/3.0.0-5, python-pysaml2/2.0.0-1

Fixed in version python-pysaml2/4.5.0-4

Done: Thomas Goirand <zigo@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/rohe/pysaml2/issues/417



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>:
Bug#882012; Package src:python-pysaml2. (Fri, 17 Nov 2017 16:03:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>. (Fri, 17 Nov 2017 16:03:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: python-pysaml2: CVE-2017-1000246: Reuse of AES initialization vector in AESCipher / UsernamePasswordMako / Server
Date: Fri, 17 Nov 2017 16:59:07 +0100
Source: python-pysaml2
Version: 3.0.0-5
Severity: important
Tags: security upstream
Forwarded: https://github.com/rohe/pysaml2/issues/417

Hi,

the following vulnerability was published for python-pysaml2.

CVE-2017-1000246[0]:
| Python package pysaml2 version 4.4.0 and earlier reuses the
| initialization vector across encryptions in the IDP server, resulting
| in weak encryption of data.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-1000246
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000246
[1] https://github.com/rohe/pysaml2/issues/417

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Marked as found in versions python-pysaml2/2.0.0-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 17 Nov 2017 16:06:02 GMT)


Added tag(s) fixed-upstream. Request was from debian-bts-link@lists.debian.org to control@bugs.debian.org. (Thu, 02 Aug 2018 17:24:10 GMT)


Reply sent to Thomas Goirand <zigo@debian.org>:
You have taken responsibility. (Mon, 20 Aug 2018 15:54:17 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 20 Aug 2018 15:54:17 GMT)


Message #14 received at 882012-close@bugs.debian.org:

From: Thomas Goirand <zigo@debian.org>
To: 882012-close@bugs.debian.org
Subject: Bug#882012: fixed in python-pysaml2 4.5.0-1
Date: Mon, 20 Aug 2018 15:51:01 +0000
Source: python-pysaml2
Source-Version: 4.5.0-1

We believe that the bug you reported is fixed in the latest version of
python-pysaml2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 882012@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated python-pysaml2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 20 Aug 2018 16:47:23 +0200
Source: python-pysaml2
Binary: python-pysaml2 python-pysaml2-doc python3-pysaml2
Architecture: source all
Version: 4.5.0-1
Distribution: experimental
Urgency: medium
Maintainer: Debian OpenStack <team+openstack@tracker.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Description:
 python-pysaml2 - SAML Version 2 to be used in a WSGI environment - Python 2.x
 python-pysaml2-doc - SAML Version 2 to be used in a WSGI environment - doc
 python3-pysaml2 - SAML Version 2 to be used in a WSGI environment - Python 3.x
Closes: 857848 859135 882012 886423
Changes:
 python-pysaml2 (4.5.0-1) experimental; urgency=medium
 .
   [ Ondřej Nový ]
   * d/control: Use team+openstack@tracker.debian.org as maintainer
 .
   [ Thomas Goirand ]
   * New upstream release. (Closes: #857848, #882012, #886423, #859135).
   * Refreshed/rebased all patches.
   * Added python{3,}-defusedxml as (build-)depends.
   * Add python{3,}-future as (build-)depends.
Checksums-Sha1:
 38649a71bf118dbfe74a6825863346a9b214ce9b 2898 python-pysaml2_4.5.0-1.dsc
 37d0cb194b322f858836282130ddea2e7fd352de 2694552 python-pysaml2_4.5.0.orig.tar.xz
 b2bafa6ca0ad6a4a9c0087ce1281be0f905aa5f3 9416 python-pysaml2_4.5.0-1.debian.tar.xz
 0c60953fc8be4caa8bee761141ba3c8c541a134c 47768 python-pysaml2-doc_4.5.0-1_all.deb
 74dfafdcc4d2cf57668d5b1d37b3cdf60425424e 201040 python-pysaml2_4.5.0-1_all.deb
 f834baec9801a125bbe984086454e88d1d5ae190 12114 python-pysaml2_4.5.0-1_amd64.buildinfo
 a49e103fb1e58409e612884b765b9b3f84f88706 201140 python3-pysaml2_4.5.0-1_all.deb
Checksums-Sha256:
 b5645fdf88ec7d889409a6304eeeed5969835fac219ee1936368b143c69b55dc 2898 python-pysaml2_4.5.0-1.dsc
 3e1a807fc82998883d8648624fabcda57a446a198e297c36a14e7969c4c2ddc1 2694552 python-pysaml2_4.5.0.orig.tar.xz
 986b06d3b8df37dde68cb52eb4945fedde5b34c3c4138bc38fe0f106f3b686a0 9416 python-pysaml2_4.5.0-1.debian.tar.xz
 694199b6f72128d095849b1fbc7d49ec43908ccbefa2ffd0bda7b052e1a42067 47768 python-pysaml2-doc_4.5.0-1_all.deb
 c893411710c41a7ea0692093423cbabd1c51e4d1a8408c3af479b79834e9b95b 201040 python-pysaml2_4.5.0-1_all.deb
 ad747746ca6f97f0fde306543f7ec6c511df11a6711f24e0a246a86782c6ea24 12114 python-pysaml2_4.5.0-1_amd64.buildinfo
 8841ab76326105c20272c0e1fe62216c50b4069782d228996e239e987cca369e 201140 python3-pysaml2_4.5.0-1_all.deb
Files:
 2a79d3b41d341526a2e80c0bd36efff4 2898 python optional python-pysaml2_4.5.0-1.dsc
 87b88150b7507cce0d39c138aa09a31f 2694552 python optional python-pysaml2_4.5.0.orig.tar.xz
 016cdf9f9699fd5248f445f7e9602ed4 9416 python optional python-pysaml2_4.5.0-1.debian.tar.xz
 9568f9111e77ca2f22d90c0f04e88549 47768 doc optional python-pysaml2-doc_4.5.0-1_all.deb
 4ef48b739d054b23f4b44778c9bd260e 201040 python optional python-pysaml2_4.5.0-1_all.deb
 76b614f7695fcf731bf366e6c019ce51 12114 python optional python-pysaml2_4.5.0-1_amd64.buildinfo
 86c95965f7e1bcd50f6e536553805ef4 201140 python optional python3-pysaml2_4.5.0-1_all.deb

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenStack <openstack-devel@lists.alioth.debian.org>:
Bug#882012; Package src:python-pysaml2. (Thu, 23 Aug 2018 18:51:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenStack <openstack-devel@lists.alioth.debian.org>. (Thu, 23 Aug 2018 18:51:03 GMT)


Message #19 received at 882012@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 882012@bugs.debian.org
Cc: Thomas Goirand <zigo@debian.org>
Subject: python-pysaml2: CVE-2017-1000246: Reuse of AES initialization vector in AESCipher / UsernamePasswordMako / Server
Date: Thu, 23 Aug 2018 20:49:10 +0200
Control: found -1 4.5.0-1

Not fixed yet in 4.5.0, but in 4.6.0 upstream.

Regards,
Salvatore



Marked as found in versions python-pysaml2/4.5.0-1; no longer marked as fixed in versions python-pysaml2/4.5.0-1 and reopened. Request was from Salvatore Bonaccorso <carnil@debian.org> to 882012-submit@bugs.debian.org. (Thu, 23 Aug 2018 18:51:03 GMT)


Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#882012. (Fri, 07 Sep 2018 10:03:18 GMT)


Message #24 received at 882012-submitter@bugs.debian.org:

From: Thomas Goirand <zigo@debian.org>
To: 882012-submitter@bugs.debian.org
Subject: Bug #882012 in python-pysaml2 marked as pending
Date: Fri, 07 Sep 2018 09:58:45 +0000
Control: tag -1 pending

Hello,

Bug #882012 in python-pysaml2 reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below, and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/python/python-pysaml2/commit/dd06fd6e2ea365b0fd1438cb88c0364af295fbe4

------------------------------------------------------------------------
  * CVE-2017-1000246: Reuse of AES initialization vector in AESCipher /
    UsernamePasswordMako / Server. Backported upstream patch:
    CVE-2017-1000246_Always_generate_a_random_IV_for_AES_operations.patch
    (Closes: #882012).

------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/882012
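The two points this log turns on, the CVE text above ("reuses the initialization vector across encryptions ... resulting in weak encryption") and the backported patch name ("Always generate a random IV for AES operations"), are easiest to see side by side in code. The following is an added example, not pysaml2's AESCipher and not the Debian patch. To keep it runnable with the Python standard library alone, AES is replaced by a small HMAC-SHA256 Feistel network used as a 128-bit block cipher (an assumption made here for portability; the CBC chaining, PKCS#7 padding and IV handling are what the vulnerability is about and are the same whatever block cipher sits underneath). The class names FixedIVCipher/RandomIVCipher and the two sample "session blob" messages are constructed for the example.

```python
"""CBC IV reuse versus a fresh IV per message (added example; not pysaml2 code)."""
import hashlib
import hmac
import os

BLOCK_SIZE = 16   # bytes, the AES block size
_ROUNDS = 4


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, rnd: int, half: bytes) -> bytes:
    """Feistel round function: keyed PRF (HMAC-SHA256) over (round, half), cut to 8 bytes."""
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in 128-bit block cipher: a 4-round balanced Feistel network (assumption, not AES)."""
    left, right = block[:8], block[8:]
    for rnd in range(_ROUNDS):
        left, right = right, _xor(left, _round(key, rnd, right))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for rnd in reversed(range(_ROUNDS)):   # undo the rounds in reverse order
        left, right = _xor(right, _round(key, rnd, left)), left
    return left + right


def _pad(data: bytes) -> bytes:
    n = BLOCK_SIZE - len(data) % BLOCK_SIZE   # PKCS#7: always at least one byte of padding
    return data + bytes([n]) * n


def _unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK_SIZE or data[-n:] != bytes([n]) * n:
        raise ValueError("invalid PKCS#7 padding")
    return data[:-n]


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CBC: C_i = E(P_i xor C_{i-1}) with C_0 = IV. Same (IV, P_1) always gives the same C_1."""
    if len(iv) != BLOCK_SIZE:
        raise ValueError("IV must be exactly one block")
    prev, out = iv, []
    data = _pad(plaintext)
    for i in range(0, len(data), BLOCK_SIZE):
        prev = block_encrypt(key, _xor(data[i:i + BLOCK_SIZE], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    if not ciphertext or len(ciphertext) % BLOCK_SIZE:
        raise ValueError("ciphertext must be a non-empty multiple of the block size")
    prev, out = iv, []
    for i in range(0, len(ciphertext), BLOCK_SIZE):
        block = ciphertext[i:i + BLOCK_SIZE]
        out.append(_xor(block_decrypt(key, block), prev))
        prev = block
    return _unpad(b"".join(out))


class FixedIVCipher:
    """Vulnerable pattern: one IV chosen when the object is created, reused for every message."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.iv = os.urandom(BLOCK_SIZE)   # random once, then never again: the bug

    def encrypt(self, msg: bytes) -> bytes:
        return self.iv + cbc_encrypt(self.key, self.iv, msg)

    def decrypt(self, blob: bytes) -> bytes:
        return cbc_decrypt(self.key, blob[:BLOCK_SIZE], blob[BLOCK_SIZE:])


class RandomIVCipher:
    """Fixed pattern: a fresh random IV per encryption, prepended so the receiver can decrypt."""

    def __init__(self, key: bytes) -> None:
        self.key = key

    def encrypt(self, msg: bytes) -> bytes:
        iv = os.urandom(BLOCK_SIZE)
        return iv + cbc_encrypt(self.key, iv, msg)

    def decrypt(self, blob: bytes) -> bytes:
        return cbc_decrypt(self.key, blob[:BLOCK_SIZE], blob[BLOCK_SIZE:])


def shared_prefix_blocks(ct1: bytes, ct2: bytes) -> int:
    """Number of leading blocks (IV included) on which two ciphertexts agree."""
    n = 0
    for i in range(0, min(len(ct1), len(ct2)), BLOCK_SIZE):
        if ct1[i:i + BLOCK_SIZE] != ct2[i:i + BLOCK_SIZE]:
            break
        n += 1
    return n


# Constructed sample messages: their first 16 bytes ("user=alice;auth=") are identical.
MSG_USER = b"user=alice;auth=1;role=user"
MSG_ADMIN = b"user=alice;auth=1;role=admin"

if __name__ == "__main__":
    key = os.urandom(16)
    for cipher in (FixedIVCipher(key), RandomIVCipher(key)):
        a, b = cipher.encrypt(MSG_USER), cipher.encrypt(MSG_ADMIN)
        print(type(cipher).__name__,
              "same message twice identical:", cipher.encrypt(MSG_USER) == cipher.encrypt(MSG_USER),
              "shared leading blocks:", shared_prefix_blocks(a, b))
```

With FixedIVCipher an observer who sees two ciphertexts learns, block by block, how long a common prefix the plaintexts share, and the same message always encrypts to the same bytes; that is the "weak encryption" the CVE text refers to, and a per-message IV (the RandomIVCipher pattern, which is what the backported patch's "always generate a random IV" does) removes it. A random IV does not give integrity: CBC without a MAC is still malleable, so a real deployment also needs authentication of the ciphertext.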



Added tag(s) pending. Request was from Thomas Goirand <zigo@debian.org> to 882012-submitter@bugs.debian.org. (Fri, 07 Sep 2018 10:03:18 GMT)


Reply sent to Thomas Goirand <zigo@debian.org>:
You have taken responsibility. (Fri, 07 Sep 2018 10:24:05 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 07 Sep 2018 10:24:05 GMT)


Message #31 received at 882012-close@bugs.debian.org:

From: Thomas Goirand <zigo@debian.org>
To: 882012-close@bugs.debian.org
Subject: Bug#882012: fixed in python-pysaml2 4.5.0-4
Date: Fri, 07 Sep 2018 10:20:05 +0000
Source: python-pysaml2
Source-Version: 4.5.0-4

We believe that the bug you reported is fixed in the latest version of
python-pysaml2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 882012@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated python-pysaml2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 07 Sep 2018 11:54:53 +0200
Source: python-pysaml2
Binary: python-pysaml2 python-pysaml2-doc python3-pysaml2
Architecture: source all
Version: 4.5.0-4
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenStack <team+openstack@tracker.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Description:
 python-pysaml2 - SAML Version 2 to be used in a WSGI environment - Python 2.x
 python-pysaml2-doc - SAML Version 2 to be used in a WSGI environment - doc
 python3-pysaml2 - SAML Version 2 to be used in a WSGI environment - Python 3.x
Closes: 882012
Changes:
 python-pysaml2 (4.5.0-4) unstable; urgency=medium
 .
   * CVE-2017-1000246: Reuse of AES initialization vector in AESCipher /
     UsernamePasswordMako / Server. Backported upstream patch:
     CVE-2017-1000246_Always_generate_a_random_IV_for_AES_operations.patch
     (Closes: #882012).
Checksums-Sha1:
 b1541aca2ade2729302c95be5a257859ee22727f 2901 python-pysaml2_4.5.0-4.dsc
 173e25680979ccafe072b41524e8cffe64a0afd1 10980 python-pysaml2_4.5.0-4.debian.tar.xz
 7e511ecb97b54c30687d2a8e73495f44d554c195 47948 python-pysaml2-doc_4.5.0-4_all.deb
 97b4e3518f7d2544ec4c970cd069431e895c3ff5 201208 python-pysaml2_4.5.0-4_all.deb
 6e94ff33d3754cade2a8469e03668858b41eca71 10857 python-pysaml2_4.5.0-4_amd64.buildinfo
 ffd80aae8cda7995dea34ec0b6bbca58df00b228 201244 python3-pysaml2_4.5.0-4_all.deb
Checksums-Sha256:
 fad974ea1bbc319634fd77f2ff688244b13ef446e786cf0d29a4cb9547807cd3 2901 python-pysaml2_4.5.0-4.dsc
 bbc5e50dda6693bcc95dab404b5d35677e5e321e4f9ae34c46bae667be9dd075 10980 python-pysaml2_4.5.0-4.debian.tar.xz
 a32b7bb8e2003f8bddf260d0d5be7a6c77995d3a467259dde67055aa0b6ebcd4 47948 python-pysaml2-doc_4.5.0-4_all.deb
 2fe4ddc9618f5570843d9525470d1777ddd31080657b84134a58fe22565caba4 201208 python-pysaml2_4.5.0-4_all.deb
 40c8034e13275add8d7229afda8e316a13b2d6a8d7bce3d93e86840d3616441d 10857 python-pysaml2_4.5.0-4_amd64.buildinfo
 643b028b43c65994a09a352ae5d527c81517f9dca3aa18573757f891da276554 201244 python3-pysaml2_4.5.0-4_all.deb
Files:
 cb683a28ea7b8e336de640616decb089 2901 python optional python-pysaml2_4.5.0-4.dsc
 a47edbd9d8113eb82c4993fa131ef5d7 10980 python optional python-pysaml2_4.5.0-4.debian.tar.xz
 1f3fb1099f39b715e11f1c4d999cf563 47948 doc optional python-pysaml2-doc_4.5.0-4_all.deb
 f4e4800398e89501b685ccae8058e6c0 201208 python optional python-pysaml2_4.5.0-4_all.deb
 684f72525ddbe6c042c7eb5eb06f9a8b 10857 python optional python-pysaml2_4.5.0-4_amd64.buildinfo
 5b90987286630dd70b2b54590ec866a3 201244 python optional python3-pysaml2_4.5.0-4_all.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEtKCq/KhshgVdBnYUq1PlA1hod6YFAluSS7cACgkQq1PlA1ho
d6YieA/9GvK/e7NHkIB3eHQ63sVoZhV9rKFVN7OY4IGq6aYrylm7HucPjX5YgHY3
u7TNNs/3sEOgRGPveA2irmzkEXPNh/emdVIzCgZKE+X5tx+cNINXQ43bDzc+epoF
uay8OnsUYMjFwIfmsXhiCy2uo51TpP95+Tqu7W54OFzqnhjGVf5ulxvAVFjPVtr2
Q5A9MtwrNF8MI591Tfx3o95vJ4QB/wsBVuJoG7BauptEkCQB2SPrzKWTpmwCDFjl
wT3LNsjKosP481PyTQRmPJCqy60wLnx9N6YTII7DzQc3FDCzjcnN5C6xsV6ramjs
BNiHrA+dnfjj4SLKiA5MYcIGAp1hCxEy7An8NK4uysbLfRkLeTMgL++b7b0mV41G
gU5Qg+6afgR4PVvLrSygm6eaL0txlEY9E2vaEWTmcRku4nlsXmzaXgQTjULuCzO5
aS/1+T24MTrsynQUrc3QMp3EUrY6PKv6C1LhXI3yN0p3zrAylWW8HJ4+64CVgaEj
u/xEAJ9Oek6jH/62FyzWkHPpHy+C3fd1mREjJjYgvggX9yo+ekpa6R8GHu2dr/Od
Djar+VTbN3242A8tEi3Dk4kN5OngtbktfI6clGAAVWsRAcA2MlNe3FvB5eeeO599
I6T6ZE15LT7t9ImI0lAaoLlZ67wPOxQVjbOHwyy5CMgwFceoiMw=
=kS8K
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 10 Oct 2018 07:26:17 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:06:02 2019; Machine Name: buxtehude
