Package: python-bcrypt
Version: 0.4-2+b1
Severity: grave
Tags: security
Justification: renders package unusable

According to https://pythonhosted.org/passlib/history.html:

"It will now issue a PasslibSecurityWarning if the active backend is vulnerable to the wraparound bug, and automatically enable a workaround (py-bcrypt is known to be vulnerable as of v0.4)."

After running the tests, you get the following passlib warning:

/«PKGBUILDDIR»/passlib/handlers/bcrypt.py:320: UserWarning: passlib.hash.bcrypt: Your installation of the 'pybcrypt' backend is vulnerable to the bsd wraparound bug, and should be upgraded or replaced with another backend (this warning will be fatal under passlib 1.7)
  "(this warning will be fatal under passlib 1.7)" % backend)

python-bcrypt is py-bcrypt 0.4
https://pypi.python.org/pypi/py-bcrypt/0.4

The recommended library to use is bcrypt:
https://pypi.python.org/pypi/bcrypt

-- System Information:
Debian Release: 8.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.2.0-rc6-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages python-bcrypt depends on:
ii  libc6   2.19-18
ii  python  2.7.9-1

python-bcrypt recommends no packages.

python-bcrypt suggests no packages.

-- no debconf information

