Beaker is a high-level Python library providing caching and sessions for use in web applications. The session implementation comes with crypto-based cookie encryption that supports PyCrypto, pycryptopp, and now NSS crypto.
Prior to this release, an attacker could possibly determine some content of cookie-based sessions encrypted with PyCrypto due to how the data was encrypted. This flaw did not affect pycryptopp sessions, nor does it allow an attacker to change data, as a separate HMAC is used to sign the encrypted payload. Red Hat found and supplied a patch to fix this flaw, thanks!

CVE-2012-3458
Fix in beaker: https://github.com/bbangert/beaker/commit/91becae76101cf87ce8cbfabe3af2622fc328fe5

Applying this update will change the hashing of sessions encrypted with PyCrypto, invalidating existing ones.

Changelog for this release:

* Fix bug with key_length not being coerced to an int for comparison. Patch by Greg Lavallee.
* Fix bug with cookie invalidation not clearing the cookie data. Patch by Vasiliy Lozovoy.
* Added ability to pass in cookie_path for the Session. Patch by Marcin Kuzminski.
* Add NSS crypto support to Beaker. Patch by Miloslav Trmac of Red Hat.
* Fix security bug with pycrypto not securing data such that an attacker could possibly determine parts of the encrypted payload. Patch by Miloslav Trmac of Red Hat. See `CVE-2012-3458 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3458>`_.
* Add ability to specify schema for database-backed sessions. Patch by Vladimir Tananko.
* Fix issue with long key names in memcached backend. Patch by Guillaume Taglang.

Cheers,
Ben