Bug 457733 (CVE-2008-2316)
Summary: | CVE-2008-2316 python: integer overflow in hashlib module | ||||||||
---|---|---|---|---|---|---|---|---|---|
Product: | [Other] Security Response | Reporter: | Tomas Hoger <thoger> | ||||||
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> | ||||||
Status: | CLOSED UPSTREAM | QA Contact: | |||||||
Severity: | low | Docs Contact: | |||||||
Priority: | low | ||||||||
Version: | unspecified | CC: | james.antill, jlieskov, jonathansteffan, vdanen, zaitcev | ||||||
Target Milestone: | --- | Keywords: | Security | ||||||
Target Release: | --- | ||||||||
Hardware: | All | ||||||||
OS: | Linux | ||||||||
URL: | http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2316 | ||||||||
Whiteboard: | |||||||||
Fixed In Version: | Doc Type: | Bug Fix | |||||||
Doc Text: | Story Points: | --- | |||||||
Clone Of: | Environment: | ||||||||
Last Closed: | 2010-12-23 18:50:03 UTC | Type: | --- | ||||||
Regression: | --- | Mount Type: | --- | ||||||
Documentation: | --- | CRM: | |||||||
Verified Versions: | Category: | --- | |||||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
Cloudforms Team: | --- | Target Upstream Version: | |||||||
Embargoed: | |||||||||
Attachments: |
|
Description
Tomas Hoger
2008-08-04 11:34:44 UTC
Created attachment 313349 [details]
David Remahl's patch against trunk
Issue was discovered and reported by David Remahl of the Apple Product Security team. Attached is David's proposed patch against trunk.
Created attachment 313350 [details]
David Remahl's patch against 2.5 branch
Not vulnerable. This issue did not affect the versions of python as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5. Affected module was only added in Python 2.5: http://www.python.org/download/releases/2.5/NEWS.txt - Added the hashlib module. It provides secure hash functions for MD5 and SHA1, 224, 256, 384, and 512. Note that recent developments make the historic MD5 and SHA1 unsuitable for cryptographic-strength applications. In <http://mail.python.org/pipermail/python-dev/2005-December/058850.html> Ronald L. Rivest offered this advice for Python: "The consensus of researchers in this area (at least as expressed at the NIST Hash Function Workshop 10/31/05), is that SHA-256 is a good choice for the time being, but that research should continue, and other alternatives may arise from this research. The larger SHA's also seem OK." This has been addressed in Patch998 in the current F-10 python branch. Do we close this? Has this been addressed everywhere? *** Bug 655459 has been marked as a duplicate of this bug. *** |