Your message dated Sun, 23 Sep 2018 20:54:43 +0200
with message-id <153772888340.1927.12643460464950677...@auryn.jones.dk>
and subject line Re: radicale: htpasswd authentication vulnerable to 
timing-based bruteforce attacks
has caused the Debian Bug report #861514,
regarding radicale: CVE-2017-8342: htpasswd authentication vulnerable to 
timing-based bruteforce attacks
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
861514: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861514
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: radicale
Version: 2.0.0~rc1-1
Severity: grave
Tags: security patch
Justification: user security hole

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Upstream has issued a security release:

> Add a random timer to avoid timing oracles and simple bruteforce
> attacks when using the htpasswd authentication method.

Actual patch:

commit 190b1dd795f0c552a4992445a231da760211183b
Author: Guillaume Ayoub <guillaume.ay...@kozea.fr>
Date:   Wed Apr 19 14:02:51 2017 +0200

    Random timer to avoid timing oracles and simple bruteforce attacks
    
    Important note: this is a security fix.

diff --git a/radicale/auth/htpasswd.py b/radicale/auth/htpasswd.py
index 2c73f23..7cd7342 100644
- --- a/radicale/auth/htpasswd.py
+++ b/radicale/auth/htpasswd.py
@@ -56,7 +56,8 @@ following significantly more secure schemes are parsable by 
Radicale:
 import base64
 import hashlib
 import os
- -
+import random
+import time
 
 from .. import config
 
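Review bot: the leading "- " on `- --- a/radicale/auth/htpasswd.py` and on the removed blank line `- -` is PGP clearsign dash-escaping, not part of the diff, so the patch as pasted will not apply with `patch` or `git am`; strip the escaping (or verify the signed message with gpg, which removes it) or cherry-pick commit 190b1dd795f0c552a4992445a231da760211183b from upstream instead. The two added imports are otherwise fine: `random` is only used for jitter here, where a non-cryptographic generator is adequate.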
@@ -161,7 +162,10 @@ def is_authenticated(user, password):
             if strippedline:
                 login, hash_value = strippedline.split(":")
                 if login == user:
- -                    # Allow encryption method to be overridden at runtime.
- -                    return _verifuncs[ENCRYPTION](hash_value, password)
+                    if _verifuncs[ENCRYPTION](hash_value, password):
+                        # Allow encryption method to be overridden at runtime.
+                        return True
+    # Random timer to avoid timing oracles and simple bruteforce attacks
+    time.sleep(1 + random.random())
     return False
 
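Review bot: the relocated comment `# Allow encryption method to be overridden at runtime.` now sits above `return True`, where it describes nothing; it belongs on the `_verifuncs[ENCRYPTION](hash_value, password)` line. More importantly, `time.sleep(1 + random.random())` only slows down the failure path and adds noise rather than removing the timing difference: `login == user` and the hash comparison inside the verifier still short-circuit, so the signal remains and can be recovered by averaging over repeated requests, while every failed login now holds a request handler for 1 to 2 seconds, which makes a threaded server easy to exhaust with bad credentials. The principled fix is to compare hashes with `hmac.compare_digest` and to run a dummy verification when no login matches, so the unknown-user and wrong-password paths do the same amount of work; the sleep can stay as a brute-force throttle, but it should not be the only mitigation.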


 - Jonas


--- End Message ---
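The report above describes the timing oracle only through upstream's one-line changelog and the sleep-based patch. As an added example (not Radicale's code, and not the upstream fix), the block below puts the pattern the patch left in place, an early return for unknown users and an ordinary `==` on the hashes, next to a hardened verifier that does the same work on every path and compares digests in constant time with `hmac.compare_digest`. The user store, the PBKDF2 parameters and the `dummy` entry are constructed for the example and are not how Radicale stores htpasswd data.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # assumed parameter for the example only


def _make_entry(password: str) -> tuple[bytes, bytes]:
    """Build a (salt, hash) pair; stands in for an htpasswd line."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Constructed sample store: user -> (salt, hash). Only "alice" exists.
USERS = {"alice": _make_entry("correct horse")}

# Dummy credentials used for unknown users so that the "no such user" path
# costs the same as the "wrong password" path. Its password is never accepted.
_DUMMY_SALT, _DUMMY_HASH = _make_entry("dummy")


def is_authenticated_naive(user: str, password: str) -> bool:
    """The pattern to avoid: returns early for unknown users and uses ==,
    which stops at the first differing byte, so response time depends on
    both whether the user exists and how much of the hash matched."""
    if user not in USERS:
        return False
    salt, expected = USERS[user]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return candidate == expected


def is_authenticated(user: str, password: str) -> bool:
    """Hardened form: same work for every input, constant-time digest compare."""
    known = user in USERS
    salt, expected = USERS.get(user, (_DUMMY_SALT, _DUMMY_HASH))
    # The expensive derivation runs whether or not the user exists.
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    # compare_digest takes time independent of where the digests differ.
    matches = hmac.compare_digest(candidate, expected)
    # Evaluate both flags before combining so neither is skipped.
    return bool(known & matches)


if __name__ == "__main__":
    for u, p in [("alice", "correct horse"), ("alice", "wrong"), ("bob", "dummy")]:
        print(u, p, "->", is_authenticated(u, p))
```

The `bool(known & matches)` form is deliberate: `known and matches` would short-circuit, and the point of the hardened version is that no branch skips work based on a secret. Note that the derivation cost (PBKDF2 here) also acts as a per-attempt throttle, which is the role the sleep in the patch was trying to play.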
--- Begin Message ---
Version: 2.0.0~rc2-1

Quoting Jonas Smedegaard (2017-04-30 00:40:27)
> Upstream has issued a security release:
> 
> > Add a random timer to avoid timing oracles and simple bruteforce
> > attacks when using the htpasswd authentication method.

This was fixed since 2.0.0~rc2-1.

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private



--- End Message ---
