Your message dated Mon, 30 Jul 2012 21:50:00 +0000
with message-id <[email protected]>
and subject line Bug#675379: fixed in python-keyring 0.9.2-1
has caused the Debian Bug report #675379,
regarding python-keyring: CryptedFileKeyring is insecure
to be marked as done.
--
675379: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=675379
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: python-keyring
Version: 0.7.1-1
Severity: important
Tags: security
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Due to recent changes in python-crypto it has been discovered that
python-keyring's CryptedFileKeyring uses AES/CFB in an insecure way. CFB
requires an unpredictable IV, but CryptedFileKeyring doesn't even pass one.
In previous versions of python-crypto it was possible to omit the IV and it
was set to '\0' * 16 in that case. Starting with 2.6 it is mandatory to
specify an IV.
Please see LP: #1004845 [1] for a detailed discussion of the issue.
Kind regards
[1] https://bugs.launchpad.net/ubuntu/+source/python-keyring/+bug/1004845
- -- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (650, 'unstable'), (601, 'testing'), (600, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages python-keyring depends on:
ii python 2.7.2-10
ii python2.6 2.6.7-4
ii python2.7 2.7.3~rc2-2.1
Versions of packages python-keyring recommends:
ii python-crypto 2.6-2
python-keyring suggests no packages.
- -- no debconf information
--- End Message ---
--- Begin Message ---
Source: python-keyring
Source-Version: 0.9.2-1
We believe that the bug you reported is fixed in the latest version of
python-keyring, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Carl Chenet <[email protected]> (supplier of updated python-keyring package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Mon, 30 Jul 2012 20:14:42 +0200
Source: python-keyring
Binary: python-keyring python3-keyring
Architecture: source all
Version: 0.9.2-1
Distribution: unstable
Urgency: low
Maintainer: Carl Chenet <[email protected]>
Changed-By: Carl Chenet <[email protected]>
Description:
 python-keyring - store and access your passwords safely
 python3-keyring - store and access your passwords safely - Python 3 version of the
Closes: 675379 678682
Changes:
 python-keyring (0.9.2-1) unstable; urgency=low
 .
   * New upstream release (Closes: #675379, #678682)
   * debian/control
     - Bump Standards-Version to 3.9.3
     - Switch uploader [email protected] to [email protected]
   * debian/rules
     - Remove unittests executions
--- End Message ---