PyPi: Beaker

CVE-2012-3458

Safety vulnerability ID: 25636

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Sep 15, 2012 Updated at Apr 11, 2024

Advisory

Beaker before 1.6.4, when using PyCrypto to encrypt sessions, uses AES in ECB cipher mode, which might allow remote attackers to obtain portions of sensitive session data via unspecified vectors. ECB encrypts every 16-byte block independently, with no IV and no chaining, so identical plaintext blocks produce identical ciphertext blocks and two sessions that start with the same fields share the same leading ciphertext; anyone who can read the cookie learns about its structure and contents without the key.
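The leak described above, as an added example that is not Beaker's own code: a session-like payload is encrypted with ECB and with CBC, and two small checks (duplicate ciphertext blocks, shared leading blocks between two cookies) show what an observer learns from each. It assumes a 16-byte block cipher: real AES-128 through the ``cryptography`` package when it is installed, otherwise a keyed HMAC-based stand-in (assumption: any deterministic keyed block function shows the same mode-level behaviour, which is all the demo relies on). The session payloads are constructed for the example.

```python
"""
Why AES-ECB leaks session structure, and how to spot it on the wire.

Added example, not Beaker's code. Assumes a 16-byte block cipher: real AES-128
through the `cryptography` package when available, otherwise a keyed HMAC-based
stand-in (assumption: any deterministic keyed 16-byte block function shows the
same mode-level behaviour, which is all this demo relies on).
"""
import hashlib
import hmac
import os
from typing import Optional

BLOCK = 16

try:
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    def block_encrypt(key: bytes, block: bytes) -> bytes:
        """Raw AES-128 block function: exactly one 16-byte block in and out."""
        enc = Cipher(algorithms.AES(key), modes.ECB()).encryptor()
        return enc.update(block) + enc.finalize()
except ImportError:  # offline stand-in with the same shape (not invertible; demo only)
    def block_encrypt(key: bytes, block: bytes) -> bytes:
        return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """ECB: every block goes through the block function on its own.
    No IV, no chaining, so equal plaintext blocks give equal ciphertext blocks."""
    pt = pkcs7_pad(plaintext)
    return b"".join(block_encrypt(key, pt[i:i + BLOCK]) for i in range(0, len(pt), BLOCK))


def cbc_encrypt(key: bytes, plaintext: bytes, iv: Optional[bytes] = None) -> bytes:
    """CBC with the IV prepended. A fresh random IV is what hides shared
    prefixes; CBC with a fixed IV still leaks them (see demo())."""
    iv = os.urandom(BLOCK) if iv is None else iv
    pt = pkcs7_pad(plaintext)
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, bytes(a ^ b for a, b in zip(pt[i:i + BLOCK], prev)))
        out.append(prev)
    return iv + b"".join(out)


def repeated_blocks(ciphertext: bytes) -> int:
    """ECB detector: number of 16-byte ciphertext blocks that duplicate an
    earlier one. Anything above 0 in a session cookie is a red flag."""
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    return len(blocks) - len(set(blocks))


def shared_prefix_blocks(ct_a: bytes, ct_b: bytes) -> int:
    """How many leading 16-byte blocks two ciphertexts have in common."""
    n = 0
    for i in range(0, min(len(ct_a), len(ct_b)), BLOCK):
        if ct_a[i:i + BLOCK] != ct_b[i:i + BLOCK]:
            break
        n += 1
    return n


def demo(key: Optional[bytes] = None) -> dict:
    key = os.urandom(16) if key is None else key
    # Constructed session payloads. Byte 27 is the first difference ("user" vs
    # "admin"); the 48-byte zero-filled token covers two whole identical
    # plaintext blocks (offsets 48..63 and 64..79).
    session_a = b'{"user": "alice", "role": "user", "token": "' + b"0" * 48 + b'"}'
    session_b = b'{"user": "alice", "role": "admin", "token": "' + b"0" * 48 + b'"}'
    fixed_iv = bytes(BLOCK)
    return {
        "ecb_repeated_blocks": repeated_blocks(ecb_encrypt(key, session_a)),
        "cbc_repeated_blocks": repeated_blocks(cbc_encrypt(key, session_a)),
        "ecb_shared_prefix_blocks": shared_prefix_blocks(
            ecb_encrypt(key, session_a), ecb_encrypt(key, session_b)),
        "cbc_fixed_iv_shared_prefix_blocks": shared_prefix_blocks(
            cbc_encrypt(key, session_a, fixed_iv), cbc_encrypt(key, session_b, fixed_iv)),
        "cbc_random_iv_shared_prefix_blocks": shared_prefix_blocks(
            cbc_encrypt(key, session_a), cbc_encrypt(key, session_b)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Under ECB the repeated zero-filled token shows up as a duplicated ciphertext block, and the two cookies share their first block because the sessions share their first 16 bytes of plaintext; with CBC and a random IV both signals vanish. The fixed-IV CBC case is the caveat: switching modes is not enough unless every encryption uses fresh randomness (and an authenticated mode such as AES-GCM is the modern choice, since unauthenticated CBC is still malleable).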

Affected package

beaker

Latest version: 1.13.0

A Session and Caching library with WSGI Middleware

Affected versions

<1.6.4

Fixed versions

1.6.4

Vulnerability changelog

.. warning::

   Session hashing for encrypted sessions using PyCrypto has changed. This
   will result in sessions being invalidated upon upgrading if PyCrypto is
   used.

* Fix bug with key_length not being coerced to a int for comparison. Patch by
  Greg Lavallee.
* Fix bug with cookie invalidation not clearing the cookie data. Patch by
  Vasiliy Lozovoy.
* Added ability to pass in cookie_path for the Session. Patch by Marcin
  Kuzminski.
* Add NSS crypto support to Beaker. Patch by Miloslav Trmac of Redhat.
* Fix security bug with pycrypto not securing data such that an attacker could
  possibly determine parts of the encrypted payload. Patch by Miloslav Trmac of
  Redhat. See `CVE-2012-3458 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3458>`_.
* Add ability to specify schema for database-backed sessions. Patch by Vladimir
  Tananko.
* Fix issue with long key names in memcached backend. Patch by Guillaume
  Taglang.

Resources


Severity Details

CVSS v2 Base Score: 4.3 (MEDIUM)
Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

Access Vector (AV): NETWORK
Access Complexity (AC): MEDIUM
Authentication (Au): NONE
Confidentiality Impact (C): PARTIAL
Integrity Impact (I): NONE
Availability Impact (A): NONE