Bug 872260 (CVE-2012-4571)
| Field | Value |
|---|---|
| Summary | CVE-2012-4571 python-keyring: weak encryption in keyring |
| Product | [Other] Security Response |
| Reporter | Vincent Danen <vdanen> |
| Component | vulnerability |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED WONTFIX |
| QA Contact | |
| Severity | low |
| Docs Contact | |
| Priority | low |
| Version | unspecified |
| CC | gmollett, jrusnack, p, rtnpro |
| Target Milestone | --- |
| Keywords | Security |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | python-keyring 0.9.1 |
| Doc Type | Bug Fix |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2014-10-03 07:00:44 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | 872262 |
| Bug Blocks | 1037470 |
Description
Vincent Danen
2012-11-01 16:26:26 UTC
While this does affect EPEL6, I'm not going to file a tracking bug as I don't believe it can be fixed unless/until Red Hat Enterprise Linux 6 provides PyCrypto 2.5. I am far from a crypto expert so I don't know if there is a way to replace the use of PBKDF2 with something else (FWIW, PBKDF1 is also only provided in 2.5, and I don't know if any other reasonable key derivation functions exist in earlier versions). This should be fixed in Fedora, however.

Created python-keyring tracking bugs for this issue:

Affects: fedora-all [bug 872262]

*** Bug 827178 has been marked as a duplicate of this bug. ***

python-keyring-3.3-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.

python-keyring-3.3-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.

Statement: Red Hat Product Security has rated this issue as having Low security impact in Red Hat OpenStack Platform 4.0. This issue is not currently planned to be addressed in future updates.