Red Hat Bugzilla – Bug 809267
CVE-2012-3458 python-beaker: weak use of crypto can leak information to remote attackers
Last modified: 2012-08-13 19:29:25 EDT
It was discovered that python-beaker, a library for web applications, used weak cryptography with its encryption backend. The encryption backend can use one of several backends, including python-crypto. With the default parameters, when python-crypto is used, it will use ECB cipher mode, and any two 16-byte-aligned plaintext blocks with the same contents will be encrypted into the same ciphertext blocks at the corresponding positions. An attacker able to guess the structure of a part of the session data, and influence contents of some data, could use this to check whether other parts of the session have a specific value.
When python-beaker uses other encryption backends, such as pycryptopp, it uses the CTR cipher mode rather than ECB, which does not have this vulnerability.
In Red Hat Enterprise Linux 6, python-beaker does not support or use python-crypto, and is not vulnerable to this flaw.
In current Fedora releases, python-beaker can use both backends, but prefers pycryptopp (and the package Requires it), and is not vulnerable to this flaw.
Not vulnerable. This issue did not affect the versions of python-beaker as shipped with Red Hat Enterprise Linux 6 as it did not include support for using python-crypto.
This is now public:
Probably also want this patch as well (to prefer nsscrypto over pycrypto):
Created python-beaker tracking bugs for this issue
Affects: epel-5 [bug 847898]