Package: pyrad
Version: 2.0-1
Severity: grave
Tags: security
Control: found -1 1.2-1

Hi,
the following vulnerabilities were published for pyrad.

CVE-2013-0294[0]:
potentially predictable password hashing

CVE-2013-0295[1]:
CreateID() creates serialized packet IDs for RADIUS

Note: it's currently under discussion whether only one CVE should be
assigned for this issue.

A patch is available at [2] using random.SystemRandom() to use a
cryptographically safe random generator instead of random. I have chosen
severity grave because of this reasoning:

CVE-2013-0294: [...] In the case of the authenticator data, it was being
used to secure a password sent over the wire.  Because Python's random
module is not really suited for this purpose (not random enough), it
could lead to password hashing that may be predictable.

CVE-2013-0295: [...] This is not suitable for RADIUS as the RFC
specifies that the ID must not be predictable.  As a result, the ID of
the next packet sent can be spoofed.

(from Red Hat bugreports)

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] http://security-tracker.debian.org/tracker/CVE-2013-0294
[1] http://security-tracker.debian.org/tracker/CVE-2013-0295
[2] https://github.com/wichert/pyrad/commit/38f74b36814ca5b1a27d9898141126af4953bee5

Regards,
Salvatore
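As an added illustration of the two issues and of the fix the report points at (this is constructed example code, not pyrad's own code and not the contents of the commit at [2]): the "weak" class models a packet whose ID and 16-byte authenticator come from Python's default `random` module, the "fixed" class draws them from `random.SystemRandom()` as the patch does. The class and helper names (`WeakPacket`, `FixedPacket`, `sequences_match`, `uses_os_entropy`) are assumptions for this example; only `CreateID()` is a name from the report.

```python
import random

# Constructed example: contrasts the pre-fix and post-fix generators behind
# CVE-2013-0294 (predictable authenticator) and CVE-2013-0295 (predictable
# packet ID). Names other than CreateID() are hypothetical.


class WeakPacket:
    """Pre-fix behaviour: IDs and authenticators come from random.Random,
    a Mersenne Twister PRNG. Its output is a deterministic function of its
    internal state, so anyone who learns the state (here: the seed) can
    reproduce every later packet ID and authenticator."""

    def __init__(self, seed):
        # A seeded instance stands in for the module-level generator.
        self._rng = random.Random(seed)

    def CreateID(self):
        # RADIUS packet identifier is a single octet (0..255).
        return self._rng.randrange(0, 256)

    def CreateAuthenticator(self):
        # RADIUS Request Authenticator is 16 octets and must be unpredictable.
        return bytes(self._rng.randrange(0, 256) for _ in range(16))


class FixedPacket:
    """Post-fix behaviour: random.SystemRandom reads os.urandom(), so there
    is no reproducible internal state; seed() is ignored by design."""

    def __init__(self, seed=None):
        self._rng = random.SystemRandom()
        self._rng.seed(seed)  # no effect for SystemRandom, kept to show the contrast

    def CreateID(self):
        return self._rng.randrange(0, 256)

    def CreateAuthenticator(self):
        return bytes(self._rng.randrange(0, 256) for _ in range(16))


def sequences_match(a, b, n=4):
    """Return True if two packet sources emit identical (ID, authenticator)
    pairs for n consecutive packets, i.e. one is predictable from the other."""
    return all(
        (a.CreateID(), a.CreateAuthenticator())
        == (b.CreateID(), b.CreateAuthenticator())
        for _ in range(n)
    )


def uses_os_entropy(packet):
    """Review check: is the generator the OS-backed SystemRandom?"""
    return isinstance(packet._rng, random.SystemRandom)


if __name__ == "__main__":
    # Two weak sources with the same state produce the same IDs/authenticators.
    print("weak predictable:", sequences_match(WeakPacket(1234), WeakPacket(1234)))
    # Two SystemRandom-backed sources never line up (16 bytes of OS entropy each).
    print("fixed predictable:", sequences_match(FixedPacket(1234), FixedPacket(1234)))
```

The `uses_os_entropy` check is the kind of one-line assertion a maintainer can keep in a test suite after applying the patch, so a later refactor cannot silently reintroduce the module-level `random` generator.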

