Bug 639774 (CVE-2017-1000246) - <dev-python/pysaml2-4.6.3: Information disclosure
Summary: <dev-python/pysaml2-4.6.3: Information disclosure
Status: RESOLVED FIXED
Alias: CVE-2017-1000246
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B4 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-12-04 14:28 UTC by GLSAMaker/CVETool Bot
Modified: 2019-04-14 09:44 UTC

See Also:
Package list:
=dev-python/pysaml2-4.5.0 amd64 x86
Runtime testing required: ---


Description GLSAMaker/CVETool Bot gentoo-dev 2017-12-04 14:28:22 UTC
CVE-2017-1000246 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-1000246):
  Python package pysaml2 version 4.4.0 and earlier reuses the initialization
  vector across encryptions in the IDP server, resulting in weak encryption of
  data.
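The flaw the description names, an IV chosen once and reused across encryptions, illustrated as an added example that is not pysaml2's code: a stand-in stream cipher built from HMAC-SHA256 in counter mode (a constructed substitute for the real cipher), an encryptor that fixes its IV at construction time, a hardened one that draws a fresh IV per message, and a check a reviewer can run over a batch of outputs to flag repeated IVs.

```python
import hashlib
import hmac
import os
from typing import List, Tuple


def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Constructed stand-in cipher: HMAC-SHA256 in counter mode, keyed by (key, iv)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class VulnerableEncryptor:
    """Mirrors the reported flaw: one IV is generated per object and reused for every message."""
    def __init__(self, key: bytes):
        self.key, self.iv = key, os.urandom(16)

    def encrypt(self, plaintext: bytes) -> Tuple[bytes, bytes]:
        return self.iv, _xor(plaintext, _keystream(self.key, self.iv, len(plaintext)))


class HardenedEncryptor:
    """Corrected form: a fresh random IV for every call, returned alongside the ciphertext."""
    def __init__(self, key: bytes):
        self.key = key

    def encrypt(self, plaintext: bytes) -> Tuple[bytes, bytes]:
        iv = os.urandom(16)
        return iv, _xor(plaintext, _keystream(self.key, iv, len(plaintext)))


def find_iv_reuse(records: List[Tuple[bytes, bytes]]) -> List[bytes]:
    """Return every IV that occurs more than once in a list of (iv, ciphertext) records."""
    counts = {}
    for iv, _ in records:
        counts[iv] = counts.get(iv, 0) + 1
    return [iv for iv, n in counts.items() if n > 1]


def demo() -> Tuple[int, int, bool]:
    """Encrypt two constructed sample messages with each encryptor and report what a reviewer sees."""
    key = os.urandom(32)
    msgs = [b"NameID=alice@example.org", b"NameID=bob@example.org  "]  # constructed sample data
    weak, strong = VulnerableEncryptor(key), HardenedEncryptor(key)
    weak_out = [weak.encrypt(m) for m in msgs]
    strong_out = [strong.encrypt(m) for m in msgs]
    # With a reused IV the keystream repeats, so the two ciphertexts XOR to the two plaintexts XORed:
    # the cipher no longer hides the relationship between messages. This is the weakness in question.
    leaks = _xor(weak_out[0][1], weak_out[1][1]) == _xor(msgs[0], msgs[1])
    return len(find_iv_reuse(weak_out)), len(find_iv_reuse(strong_out)), leaks
```

`demo()` returns the number of reused IVs found for the vulnerable and hardened encryptors and whether the reuse exposes the plaintext relationship; `find_iv_reuse` alone is enough to audit any (iv, ciphertext) batch produced under one key.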
Comment 1 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-12-04 14:29:29 UTC
@Maintainers please call for stabilization when ready.

Thank you
Comment 2 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2017-12-04 16:13:29 UTC
I'm not sure we are going to be able to clean this up any time soon, but we should at least be able to stabilize it.

https://github.com/openstack/requirements/blob/stable/pike/global-requirements.txt#L223
Comment 3 Larry the Git Cow gentoo-dev 2019-04-14 07:07:12 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=818d4cea619a2616e8ea576787c52b19a51884e1

commit 818d4cea619a2616e8ea576787c52b19a51884e1
Author:     Matthew Thode <prometheanfire@gentoo.org>
AuthorDate: 2019-04-14 07:06:42 +0000
Commit:     Matthew Thode <prometheanfire@gentoo.org>
CommitDate: 2019-04-14 07:06:57 +0000

    dev-python/pysaml2: cleanup for CVE
    
    Bug: https://bugs.gentoo.org/639774
    Package-Manager: Portage-2.3.62, Repoman-2.3.12
    Signed-off-by: Matthew Thode <prometheanfire@gentoo.org>

 dev-python/pysaml2/Manifest                |  1 -
 dev-python/pysaml2/pysaml2-4.0.2-r3.ebuild | 39 ------------------------------
 2 files changed, 40 deletions(-)
Comment 4 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2019-04-14 07:07:51 UTC
cleaned up