Re: about python-oauth2: CVE-2013-4347

To: debian-python@lists.debian.org
Subject: Re: about python-oauth2: CVE-2013-4347
From: Paul Wise <pabs@debian.org>
Date: Wed, 9 Oct 2013 07:41:53 +0800
Message-id: <[🔎] CAKTje6FsYgkcQY56gRUKXwcBrKXBt2M5F9ApawU0c+d-JokGZQ@mail.gmail.com>
In-reply-to: <[🔎] 52547D33.7070600@espelida.com>
References: <[🔎] 52547D33.7070600@espelida.com>

On Wed, Oct 9, 2013 at 5:46 AM, Philippe Makowski wrote:

> do you think that for fixing that, using
>
> return ''.join(random.choice('abcdefghijklmnopqrstuvwxyz123456789') for
> i in xrange(length))
...
> would be an acceptable fix ?

No, from the announcement of this issue on oss-sec:

... the Python 'random' documentation clearly states the results are
repeatable ...

http://www.openwall.com/lists/oss-security/2013/09/12/5

-- 
bye,
pabs

http://wiki.debian.org/PaulWise

Reply to:

Follow-Ups:
- Re: about python-oauth2: CVE-2013-4347
  - From: Philippe Makowski <pmakowski@ibphoenix.fr>
- Re: about python-oauth2: CVE-2013-4347
  - From: Jakub Wilk <jwilk@debian.org>

References:
- about python-oauth2: CVE-2013-4347
  - From: Philippe Makowski <pmakowski@espelida.com>

Prev by Date: about python-oauth2: CVE-2013-4347
Next by Date: Re: about python-oauth2: CVE-2013-4347
Previous by thread: about python-oauth2: CVE-2013-4347
Next by thread: Re: about python-oauth2: CVE-2013-4347
Index(es):
- Date
- Thread