[Python-modules-team] Bug#796853: python-bcrypt: passlib says this library is broken
Brian May
bam at debian.org
Mon Aug 24 23:19:29 UTC 2015
Package: python-bcrypt
Version: 0.4-2+b1
Severity: grave
Tags: security
Justification: renders package unusable
According to https://pythonhosted.org/passlib/history.html:
"It will now issue a PasslibSecurityWarning if the active backend is
vulnerable to the wraparound bug, and automatically enable a workaround
(py-bcrypt is known to be vulnerable as of v0.4)."
After running the tests, you get the following passlib warning:
/«PKGBUILDDIR»/passlib/handlers/bcrypt.py:320: UserWarning:
passlib.hash.bcrypt: Your installation of the 'pybcrypt' backend is
vulnerable to the bsd wraparound bug, and should be upgraded or replaced
with another backend (this warning will be fatal under passlib 1.7)
"(this warning will be fatal under passlib 1.7)" % backend)
python-bcrypt is py-bcrypt 0.4
https://pypi.python.org/pypi/py-bcrypt/0.4
The recommended library to use is bcrypt:
https://pypi.python.org/pypi/bcrypt
-- System Information:
Debian Release: 8.1
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.2.0-rc6-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages python-bcrypt depends on:
ii libc6 2.19-18
ii python 2.7.9-1
python-bcrypt recommends no packages.
python-bcrypt suggests no packages.
-- no debconf information
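A probe a maintainer could run against a bcrypt backend to see whether it exhibits the wraparound bug passlib warns about, added here as an example that is not from the bug report, py-bcrypt, bcrypt or passlib. It models the defect behind the warning: the OpenBSD bcrypt code that py-bcrypt bundles kept the key length in a u_int8_t, so a 255-byte $2a$ password (256 bytes with its NUL terminator) got key length 0 and was keyed from its first byte alone. The SHA-256 stand-in hash, the salt value and the probe passwords are constructed; the real-library call at the bottom assumes the PyPI `bcrypt` package is installed.

```python
import hashlib
from typing import Callable

# Blowfish's key schedule consumes exactly 18 * 4 = 72 key bytes, cycling through
# the key buffer (OpenBSD's Blowfish_stream2word resets its index at key_len).
KEY_STREAM_BYTES = 72

def stream_key(key: bytes, key_len: int) -> bytes:
    """Bytes the key schedule actually reads for a buffer declared key_len long."""
    if key_len == 0:                      # "j >= databytes" is always true: key[0] forever
        return key[:1] * KEY_STREAM_BYTES
    return bytes(key[i % key_len] for i in range(KEY_STREAM_BYTES))

def effective_key_2a(password: bytes, wraparound_bug: bool) -> bytes:
    """Model of the $2a$ key handling, with or without the u_int8_t length bug."""
    key = password + b"\x00"              # $2a$ hashes include the NUL terminator
    key_len = len(key)
    if wraparound_bug:
        key_len &= 0xFF                   # u_int8_t key_len: 255-byte password -> 0
    return stream_key(key, key_len)

def make_stand_in_hashpw(wraparound_bug: bool) -> Callable[[bytes, bytes], bytes]:
    """Constructed stand-in for bcrypt.hashpw: SHA-256 replaces the Blowfish core,
    but the key preparation is modelled faithfully, which is all the probe relies on."""
    def hashpw(password: bytes, salt: bytes) -> bytes:
        return hashlib.sha256(salt + effective_key_2a(password, wraparound_bug)).digest()
    return hashpw

def has_wraparound_bug(hashpw: Callable[[bytes, bytes], bytes], salt_2a: bytes) -> bool:
    """Probe a $2a$ backend the way passlib does: with the bug, a 255-byte password
    is keyed from its first byte alone, so it collides with that byte repeated;
    a correct backend keys it from its first 72 bytes instead."""
    probe = b"A" + b"B" * 254             # 255 bytes: key_len 256 wraps to 0
    digest = hashpw(probe, salt_2a)
    if digest == hashpw(b"A" * KEY_STREAM_BYTES, salt_2a):
        return True
    if digest == hashpw(probe[:KEY_STREAM_BYTES], salt_2a):
        return False
    raise ValueError("backend matches neither behaviour; refusing to classify")

if __name__ == "__main__":
    # Real run against the PyPI 'bcrypt' package the report recommends (assumed installed).
    import bcrypt
    salt = bcrypt.gensalt(4, prefix=b"2a")    # the bug is specific to the $2a$ code path
    try:
        print("wraparound bug:", has_wraparound_bug(bcrypt.hashpw, salt))
    except ValueError as exc:                 # newer bcrypt releases reject passwords over 72 bytes
        print("could not probe:", exc)
```

The same probe works with py-bcrypt 0.4 itself by passing its `hashpw` and a `$2a$` salt from its own `gensalt`.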