===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.1485
                       python-crypto security update
                              21 October 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           python-crypto
Publisher:         Debian
Operating System:  Debian GNU/Linux 6
                   Debian GNU/Linux 7
                   UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Reduced Security -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-1445  

Original Bulletin: 
   http://www.debian.org/security/2013/dsa-2781

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running python-crypto check for an updated version of the software 
         for their operating system.

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian Security Advisory DSA-2781-1                   security@debian.org
http://www.debian.org/security/                         Yves-Alexis Perez
October 18, 2013                       http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : python-crypto
Vulnerability  : PRNG not correctly reseeded in some situations
Problem type   : local
Debian-specific: no
CVE ID         : CVE-2013-1445
Debian Bug     : 

A cryptographic vulnerability was discovered in the pseudo random number
generator in python-crypto.

In some situations, a race condition could prevent the reseeding of the
generator when multiple processes are forked from the same parent. This would
lead it to generate identical output on all processes, which might leak
sensitive values like cryptographic keys.
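
The failure mode described above, as an added example that is not part of the Debian advisory and is not python-crypto's code: a constructed toy generator (ToyGenerator, outputs_from_children and distinct_outputs are hypothetical names) whose state is copied into forked children. Without a reseed every child emits the same bytes; with a PID check that reseeds from os.urandom the outputs diverge. Assumes a POSIX system where os.fork is available.

```python
import hashlib
import os


class ToyGenerator:
    """Constructed hash-counter generator; NOT python-crypto's implementation."""

    def __init__(self, reseed_on_fork):
        self.reseed_on_fork = reseed_on_fork
        self._reseed()

    def _reseed(self):
        self.state = os.urandom(32)   # fresh entropy from the kernel
        self.counter = 0
        self.pid = os.getpid()        # remember which process seeded us

    def read(self, n):
        # Hardened path: a PID change means this is a forked child holding
        # a copy of the parent's state, so reseed before producing output.
        if self.reseed_on_fork and os.getpid() != self.pid:
            self._reseed()
        out = b""
        while len(out) < n:
            block = self.state + self.counter.to_bytes(8, "big")
            out += hashlib.sha256(block).digest()
            self.counter += 1
        return out[:n]


def outputs_from_children(gen, children=3, nbytes=16):
    """Fork `children` processes and collect what each one reads from gen."""
    results = []
    for _ in range(children):
        r, w = os.pipe()
        pid = os.fork()
        if pid == 0:                  # child: emit bytes, exit immediately
            os.close(r)
            os.write(w, gen.read(nbytes))
            os._exit(0)
        os.close(w)
        results.append(os.read(r, nbytes))
        os.close(r)
        os.waitpid(pid, 0)
    return results


def distinct_outputs(reseed_on_fork):
    """Number of different byte strings produced across the forked children."""
    return len(set(outputs_from_children(ToyGenerator(reseed_on_fork))))
```

A result of 1 from distinct_outputs(False) means all children produced the same "random" bytes, which is the condition the advisory warns can leak keys.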

For the oldstable distribution (squeeze), this problem has been fixed in
version 2.1.0-2+squeeze2.

For the stable distribution (wheezy), this problem has been fixed in
version 2.6-4+deb7u3.

For the testing distribution (jessie), this problem has been fixed in
version 2.6.1-2.

For the unstable distribution (sid), this problem has been fixed in
version 2.6.1-1.

We recommend that you upgrade your python-crypto packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

--------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================