Bug 434576 (CVE-2012-2146)

Summary:	<dev-python/elixir-0.7.1-r1: Information disclosure (CVE-2012-2146)
Product:	Gentoo Security	Reporter:	GLSAMaker/CVETool Bot <glsamaker>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	trivial	CC:	python
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://bugzilla.redhat.com/show_bug.cgi?id=810013
Whiteboard:	~4 [noglsa]
Package list:		Runtime testing required:	---

Description GLSAMaker/CVETool Bot gentoo-dev

2012-09-10 12:14:50 UTC

CVE-2012-2146 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2146):
  Elixir 0.8.0 uses Blowfish in CFB mode without constructing a unique
  initialization vector (IV), which makes it easier for context-dependent
  users to obtain sensitive information and decrypt the database.

Comment 1 Ian Delaney (RETIRED) gentoo-dev

2012-11-12 15:08:35 UTC

revbumped with security patch CVE-2012-2146 added to files, 

dev-python/elixir $ ebuild elixir-0.7.1-r1.ebuild clean install
running install_scripts
>>> Completed installing elixir-0.7.1-r1 into /mnt/gen2/TmpDir/portage/dev-python/elixir-0.7.1-r1/image/

runs fine

Comment 2 Sean Amoss (RETIRED) gentoo-dev

2012-11-13 00:14:10 UTC

(In reply to comment #1)
> revbumped with security patch CVE-2012-2146 added to files, 
> 
> dev-python/elixir $ ebuild elixir-0.7.1-r1.ebuild clean install
> running install_scripts
> >>> Completed installing elixir-0.7.1-r1 into /mnt/gen2/TmpDir/portage/dev-python/elixir-0.7.1-r1/image/
> 
> runs fine

Thanks, Ian. Please don't forget to drop the vulnerable version. 

Closing noglsa for ~arch only.