Bug 488228 (CVE-2013-1895) - <dev-python/py-bcrypt-0.3 - Multiple threads may hash into the same memory, potentially used to bypass password checking (CVE-2013-1895)
Status: RESOLVED FIXED
Alias: CVE-2013-1895
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: https://code.google.com/p/py-bcrypt/s...
Whiteboard: ~4 [noglsa]
Blocks: 490052
Reported: 2013-10-16 14:25 UTC by René 'Necoro' Neumann
Modified: 2013-11-22 08:15 UTC


Attachments
py-bcrypt-0.4.ebuild (py-bcrypt-0.4.ebuild,676 bytes, text/plain)
2013-11-01 16:06 UTC, René 'Necoro' Neumann

Description René 'Necoro' Neumann 2013-10-16 14:25:36 UTC
Version 0.4 (and 0.3) have been released for dev-python/py-bcrypt (0.2 is in the tree).

Version 0.3 fixes a security bug (cf. https://code.google.com/p/py-bcrypt/source/detail?r=3bc365ff43736d26ff37e9f2a4084f37b381b569)

Version 0.4 brings py3 support.

I will attach an ebuild patch when I have tested it.

Btw: Homepage has changed to the one above.
Comment 1 René 'Necoro' Neumann 2013-11-01 16:06:50 UTC
Created attachment 362392
py-bcrypt-0.4.ebuild

An ebuild for the 0.4 version. Removes outdated stuff and adds python_test.
Comment 2 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2013-11-17 22:53:14 UTC
0.4 is in tree
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2013-11-19 06:01:58 UTC
Maintainer(s), please clean up.

No stable builds available - noglsa is needed.
Comment 4 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2013-11-19 06:13:27 UTC
removed 0.2
Comment 5 Sergey Popov gentoo-dev 2013-11-22 08:15:53 UTC
Cleanup was done, GLSA is not needed.