Debian Bug report logs - #684890
CVE-2012-3458: Information disclosure

Package: beaker; Maintainer for beaker is Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>;

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Tue, 14 Aug 2012 13:00:01 UTC

Severity: grave

Tags: security

Fixed in versions beaker/1.6.3-1.1, beaker/1.5.4-4+squeeze1

Done: David Prévot <taffit@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#684890; Package beaker. (Tue, 14 Aug 2012 13:00:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Tue, 14 Aug 2012 13:00:04 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2012-3458: Information disclosure
Date: Tue, 14 Aug 2012 14:54:22 +0200
Package: beaker
Severity: grave
Tags: security
Justification: user security hole

Please see https://groups.google.com/forum/?fromgroups#!topic/pylons-devel/zOx8OhIDru4[1-25]

Remember we're in freeze, so please fix this in sid through the isolated fix instead of
updating to 1.6.4.

Cheers,
        Moritz



Added tag(s) pending. Request was from David Prévot <taffit@debian.org> to control@bugs.debian.org. (Fri, 24 Aug 2012 18:21:05 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#684890; Package beaker. (Fri, 24 Aug 2012 21:09:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to David Prévot <david@tilapin.org>:
Extra info received and forwarded to list. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Fri, 24 Aug 2012 21:09:03 GMT) Full text and rfc822 format available.

Message #12 received at 684890@bugs.debian.org (full text, mbox):

From: David Prévot <david@tilapin.org>
To: 684890@bugs.debian.org
Subject: Uploaded beaker to DELAYED/2
Date: Fri, 24 Aug 2012 17:04:07 -0400
Dear maintainer of beaker,

I've prepared an NMU for beaker (versioned as 1.6.3-1.1) and uploaded it to
DELAYED/2. Please feel free to tell me if I should delay it longer.

I've also prepared a package for squeeze-security [0] and will follow up
via RT.

	0: http://people.debian.org/~taffit/beaker/

Regards

David


[beaker.diff (text/x-patch, attachment)]

Reply sent to David Prévot <taffit@debian.org>:
You have taken responsibility. (Sun, 26 Aug 2012 21:21:08 GMT) Full text and rfc822 format available.

Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Sun, 26 Aug 2012 21:21:08 GMT) Full text and rfc822 format available.

Message #17 received at 684890-close@bugs.debian.org (full text, mbox):

From: David Prévot <taffit@debian.org>
To: 684890-close@bugs.debian.org
Subject: Bug#684890: fixed in beaker 1.6.3-1.1
Date: Sun, 26 Aug 2012 21:17:40 +0000
Source: beaker
Source-Version: 1.6.3-1.1

We believe that the bug you reported is fixed in the latest version of
beaker, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 684890@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
David Prévot <taffit@debian.org> (supplier of updated beaker package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Fri, 24 Aug 2012 13:54:13 -0400
Source: beaker
Binary: python-beaker python3-beaker
Architecture: source all
Version: 1.6.3-1.1
Distribution: unstable
Urgency: low
Maintainer: Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>
Changed-By: David Prévot <taffit@debian.org>
Description: 
 python-beaker - cache and session library
 python3-beaker - cache and session library for Python 3
Closes: 684890
Changes: 
 beaker (1.6.3-1.1) unstable; urgency=low
 .
   * Non-maintainer upload.
   * Fix security issue, with PyCrypto not securing data such that an attacker
     could possibly determine parts of the encrypted payload. Patch by Miloslav
     Trmac of Redhat. [CVE-2012-3458] Closes: #684890




Reply sent to David Prévot <taffit@debian.org>:
You have taken responsibility. (Sat, 08 Sep 2012 13:21:05 GMT) Full text and rfc822 format available.

Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Sat, 08 Sep 2012 13:21:05 GMT) Full text and rfc822 format available.

Message #22 received at 684890-close@bugs.debian.org (full text, mbox):

From: David Prévot <taffit@debian.org>
To: 684890-close@bugs.debian.org
Subject: Bug#684890: fixed in beaker 1.5.4-4+squeeze1
Date: Sat, 08 Sep 2012 13:17:05 +0000
Source: beaker
Source-Version: 1.5.4-4+squeeze1

We believe that the bug you reported is fixed in the latest version of
beaker, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 684890@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
David Prévot <taffit@debian.org> (supplier of updated beaker package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Fri, 07 Sep 2012 13:40:57 -0400
Source: beaker
Binary: python-beaker python3-beaker
Architecture: source all
Version: 1.5.4-4+squeeze1
Distribution: squeeze-security
Urgency: high
Maintainer: Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>
Changed-By: David Prévot <taffit@debian.org>
Description: 
 python-beaker - cache and session library
 python3-beaker - cache and session library for Python 3
Closes: 684890
Changes: 
 beaker (1.5.4-4+squeeze1) squeeze-security; urgency=high
 .
   * Non-maintainer upload.
   * Fix security issue, with PyCrypto not securing data such that an attacker
     could possibly determine parts of the encrypted payload. Patch by Miloslav
     Trmac of Redhat. [CVE-2012-3458] Closes: #684890




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 07 Oct 2012 07:27:41 GMT) Full text and rfc822 format available.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 07:30:34 2014; Machine Name: buxtehude.debian.org
