[Secure-testing-team] Bug#882012: python-pysaml2: CVE-2017-1000246: Reuse of AES initialization vector in AESCipher / UsernamePasswordMako / Server
Salvatore Bonaccorso
carnil at debian.org
Fri Nov 17 15:59:07 UTC 2017
Source: python-pysaml2
Version: 3.0.0-5
Severity: important
Tags: security upstream
Forwarded: https://github.com/rohe/pysaml2/issues/417
Hi,
the following vulnerability was published for python-pysaml2.
CVE-2017-1000246[0]:
| Python package pysaml2 version 4.4.0 and earlier reuses the
| initialization vector across encryptions in the IDP server, resulting
| in weak encryption of data.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-1000246
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000246
[1] https://github.com/rohe/pysaml2/issues/417
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
More information about the Secure-testing-team
mailing list