It was discovered that python-beaker, a library for web applications, used weak cryptography with its encryption backend. The encryption backend can use one of several backends, including python-crypto. With the default parameters, when python-crypto is used, it will use ECB cipher mode, and any two 16-byte-aligned plaintext blocks with the same contents will be encrypted into the same ciphertext blocks at the corresponding positions. An attacker able to guess the structure of a part of the session data, and influence contents of some data, could use this to check whether other parts of the session have a specific value.

When python-beaker uses other encryption backends, such as pycryptopp, it uses the CTR cipher mode rather than ECB, which does not have this vulnerability.

In Red Hat Enterprise Linux 6, python-beaker does not support or use python-crypto, and is not vulnerable to this flaw. In current Fedora releases, python-beaker can use both backends, but prefers pycryptopp (and the package Requires it), and is not vulnerable to this flaw.

Statement: Not vulnerable. This issue did not affect the versions of python-beaker as shipped with Red Hat Enterprise Linux 6 as it did not include support for using python-crypto.
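
The ECB behaviour described in the report above, as an added example that is not part of the original bug report or of Beaker's code. It assumes a standard-library Feistel construction as a stand-in for AES (so it runs without python-crypto), a constructed session payload and hypothetical helper names, and counts repeated ciphertext blocks under ECB and under CTR.

```python
import hashlib
import hmac
import os

BLOCK = 16  # AES block size in bytes; the stand-in cipher below uses the same size

def _round(key: bytes, i: int, half: bytes) -> bytes:
    # Feistel round function: keyed hash of the round number and one half-block.
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:BLOCK // 2]

def encrypt_block(key: bytes, block: bytes) -> bytes:
    # Stand-in for AES (assumption): a 4-round Feistel permutation over 16 bytes.
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in range(4):
        left, right = right, bytes(a ^ b for a, b in zip(left, _round(key, i, right)))
    return left + right

def pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK  # PKCS#7-style padding
    return data + bytes([n]) * n

def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    # ECB: every block is encrypted independently with the same key.
    data = pad(data)
    return b"".join(encrypt_block(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))

def ctr_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # CTR: XOR the data with a keystream of E(nonce || counter), so position matters.
    out = bytearray()
    for n, i in enumerate(range(0, len(data), BLOCK)):
        stream = encrypt_block(key, nonce + n.to_bytes(8, "big"))
        out += bytes(a ^ b for a, b in zip(data[i:i + BLOCK], stream))
    return bytes(out)

def repeated_blocks(ciphertext: bytes) -> int:
    # Number of ciphertext blocks that duplicate an earlier block.
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    return len(blocks) - len(set(blocks))

# Constructed session payload: two 16-byte-aligned fields holding the same value.
SESSION = b"role=admin;pad=0" + b"csrf=0123456789a" + b"role=admin;pad=0"
KEY = os.urandom(32)
ECB_CT = ecb_encrypt(KEY, SESSION)
CTR_CT = ctr_encrypt(KEY, os.urandom(8), SESSION)

if __name__ == "__main__":
    print("ECB repeated blocks:", repeated_blocks(ECB_CT))
    print("CTR repeated blocks:", repeated_blocks(CTR_CT))
```

The same `repeated_blocks` count can be run over stored session ciphertexts as a quick check for an ECB-mode backend: a non-zero result on structured data is a strong sign of it.
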
This is now public:
https://github.com/bbangert/beaker/commit/91becae76101cf87ce8cbfabe3af2622fc328fe5

Probably also want this patch as well (to prefer nsscrypto over pycrypto):
https://github.com/bbangert/beaker/commit/4733630c0359636f5ab8e1b2b33470c67b5ba4fc

Created python-beaker tracking bugs for this issue

Affects: epel-5 [bug 847898]