Security Information / 2012 / Security Information -- DSA-2541-1 beaker

Debian Security Advisory

DSA-2541-1 beaker -- information disclosure

Date Reported:

07 Sep 2012

Affected Packages:

beaker

Vulnerable:

Yes

Security database references:

In the Debian bugtracking system: Bug 684890.
In Mitre's CVE dictionary: CVE-2012-3458.

More information:

It was discovered that Beaker, a cache and session library for Python, when using the python-crypto backend, is vulnerable to information disclosure due to a cryptographic weakness related to the use of the AES cipher in ECB mode.

Systems that have the python-pycryptopp package should not be vulnerable, as this backend is preferred over python-crypto.

After applying this update, existing sessions will be invalidated.

For the stable distribution (squeeze), this problem has been fixed in version 1.5.4-4+squeeze1.

For the testing distribution (wheezy), and the unstable distribution (sid), this problem has been fixed in version 1.6.3-1.1.

We recommend that you upgrade your beaker packages.