-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2012.0856
                          beaker security update
                             10 September 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           beaker
Publisher:         Debian
Operating System:  Debian GNU/Linux 6
                   Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2012-3458  

Original Bulletin: 
   http://www.debian.org/security/2012/dsa-2541

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running beaker check for an updated version of the software for 
         their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-2541-1                   security@debian.org
http://www.debian.org/security/                          Raphael Geissert
September 07, 2012                     http://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : beaker
Vulnerability  : information disclosure
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-3458
Debian Bug     : 684890

It was discovered that Beaker, a cache and session library for Python,
when using the python-crypto backend, is vulnerable to information
disclosure due to a cryptographic weakness related to the use of the
AES cipher in ECB mode.

Systems that have the python-pycryptopp package should not be
vulnerable, as this backend is preferred over python-crypto.

After applying this update, existing sessions will be invalidated.

For the stable distribution (squeeze), this problem has been fixed in
version 1.5.4-4+squeeze1.

For the testing distribution (wheezy), and the unstable distribution
(sid), this problem has been fixed in version 1.6.3-1.1.

We recommend that you upgrade your beaker packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlBKQM8ACgkQYy49rUbZzlqtCACfQ/8IrKLutI2FJ0WdOb/hn5J9
RDMAoIVtEWqnuCTrf5Upo0VVXz03lZqZ
=bxKK
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----