Your message dated Sun, 23 Sep 2018 20:54:43 +0200 with message-id <153772888340.1927.12643460464950677...@auryn.jones.dk> and subject line Re: radicale: htpasswd authentication vulnerable to timing-based bruteforce attacks has caused the Debian Bug report #861514, regarding radicale: CVE-2017-8342: htpasswd authentication vulnerable to timing-based bruteforce attacks to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 861514: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861514 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
--- Begin Message ---Package: radicale Version: 2.0.0~rc1-1 Severity: grave Tags: security patch Justification: user security hole -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Upstream has issued a security release: > Add a random timer to avoid timing oracles and simple bruteforce > attacks when using the htpasswd authentication method. Actual patch: commit 190b1dd795f0c552a4992445a231da760211183b Author: Guillaume Ayoub <guillaume.ay...@kozea.fr> Date: Wed Apr 19 14:02:51 2017 +0200 Random timer to avoid timing oracles and simple bruteforce attacks Important note: this is a security fix. diff --git a/radicale/auth/htpasswd.py b/radicale/auth/htpasswd.py index 2c73f23..7cd7342 100644 - --- a/radicale/auth/htpasswd.py +++ b/radicale/auth/htpasswd.py @@ -56,7 +56,8 @@ following significantly more secure schemes are parsable by Radicale: import base64 import hashlib import os - - +import random +import time from .. import config @@ -161,7 +162,10 @@ def is_authenticated(user, password): if strippedline: login, hash_value = strippedline.split(":") if login == user: - - # Allow encryption method to be overridden at runtime. - - return _verifuncs[ENCRYPTION](hash_value, password) + if _verifuncs[ENCRYPTION](hash_value, password): + # Allow encryption method to be overridden at runtime. + return True + # Random timer to avoid timing oracles and simple bruteforce attacks + time.sleep(1 + random.random()) return False - Jonas -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEn+Ppw2aRpp/1PMaELHwxRsGgASEFAlkFFlgACgkQLHwxRsGg ASGQqQ//R1opffxilx3a60NOJffpD/2LCp0jecAd2hVeeTIwI8BcwEg4nY8jpCXo 6z7Y2ay758etRyJ54Jwga53PKqijHFrtLhL+oUyPebtMfWqtoR5cZhTvD9IC4GFP bqK4ZVsop9lyvjD9+TdGAAL3/4FsQnYJctYvbWoTcSr+BcAvgmSgarxGiCr/jw2Z iCMSi/0bcBoG4j19BrrAydP/l06yC5t8Mee3UmpswTNL3bTVqXN/zT81koy9m08a 1R9bKcggwQCQNtYXXtKkS545NuXdePpAoCo4ss67GjgwQoEua+GIMbR0KOLsGQoy Fg7Nlc/a/UzZLy1OZgLSOV6Y5QvJHcNJY1hTGiKihgLI4uUso+wJbTMvrJhxlrQ3 IgzgKFqnySwLkxkXlA12pJK5pQL3kfxwXwf9otgOfsXcod9eMwuweLC088y3KXxN ooNSxiJsFPoUU1C4oNczA/W+/O0EIZcYu4E9H9F9pR1SC3/YXylPySOUo6kVTRzf Ggi+gSJE6pg5QmKLUqTV44RARSwaUbH8jVaS1SPZWIa+fzzbcIZmBF3ZKfA17ddk k1bHHkVDtsQs7vn7l4ahQHR0izkciU8VkkUL3AFvtIv8PvhJtxpWihc8ewLVfoyC Aej4omZuxTT3kXbO4aAkzeuKnsyTa20CRHNE6MHQUCVEHw6cN4U= =HguT -----END PGP SIGNATURE-----
--- End Message ---
--- Begin Message ---Version: 2.0.0~rc2-1 Quoting Jonas Smedegaard (2017-04-30 00:40:27) > Upstream has issued a security release: > > > Add a random timer to avoid timing oracles and simple bruteforce > > attacks when using the htpasswd authentication method. This was fixed since 2.0.0~rc2-1. - Jonas -- * Jonas Smedegaard - idealist & Internet-arkitekt * Tlf.: +45 40843136 Website: http://dr.jones.dk/ [x] quote me freely [ ] ask before reusing [ ] keep privatesignature.asc
Description: signature
--- End Message ---