Re: about python-oauth2: CVE-2013-4347
Jakub Wilk [2013-10-09 08:40]:
> Yeah, the oss-sec mail is about using a RNG that is not suitable for
> cryptographic purposes. This can be easily fixed by using
> "random.SystemRandom" (which uses /dev/urandom) instead of the "random"
> module directly (which has a Mersenne Twister under the hood).
Yes, like that, I think:
https://github.com/pmakowski/python-oauth2/commit/d7f5cb079c9517703778bac08c7ed5591ad4487d
But that leaves the other one, CVE-2013-4346, about _check_signature() ignoring the
nonce value when validating signed URLs.
Any idea?
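The two points raised in this thread, as an added, hypothetical example (this is not python-oauth2's code nor the linked commit): a nonce drawn from random.SystemRandom rather than the Mersenne Twister in the plain random module, and a signature check that, besides the HMAC, rejects a replayed (nonce, timestamp) pair. The names SignatureVerifier, sign, signed_request and strong_nonce are invented here, and the base-string construction is a simplified sketch of OAuth 1.0 HMAC-SHA1 signing, not a spec-exact implementation.

```python
import base64
import hashlib
import hmac
import random
import time
from urllib.parse import quote, urlencode

# SystemRandom reads from /dev/urandom (os.urandom), so its output is not
# predictable from earlier outputs the way random.getrandbits() is.
# secrets.token_hex() would be the modern equivalent.
_sysrand = random.SystemRandom()


def strong_nonce():
    """64 bits from the OS CSPRNG, rendered as 16 hex characters."""
    return '%016x' % _sysrand.getrandbits(64)


def sign(method, url, params, consumer_secret, token_secret=''):
    """Simplified HMAC-SHA1 over method, URL and the sorted parameters
    (hypothetical sketch of the OAuth 1.0 base string, not spec-exact)."""
    normalized = urlencode(sorted(params.items()), quote_via=quote)
    base = '&'.join(quote(p, safe='') for p in (method.upper(), url, normalized))
    key = '&'.join(quote(s, safe='') for s in (consumer_secret, token_secret))
    digest = hmac.new(key.encode(), base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def signed_request(method, url, params, consumer_key, consumer_secret, now=None):
    """Client side: attach oauth_* parameters (fresh nonce, timestamp) and sign."""
    now = time.time() if now is None else now
    p = dict(params)
    p.update({
        'oauth_consumer_key': consumer_key,
        'oauth_nonce': strong_nonce(),
        'oauth_timestamp': str(int(now)),
        'oauth_signature_method': 'HMAC-SHA1',
        'oauth_version': '1.0',
    })
    p['oauth_signature'] = sign(method, url, p, consumer_secret)
    return p


class SignatureVerifier:
    """Server side: check the HMAC, then the timestamp window, then that this
    (nonce, timestamp) pair has not been seen before. Ignoring the nonce is
    exactly what lets a captured signed URL be replayed."""

    def __init__(self, consumer_secret, window=300):
        self.consumer_secret = consumer_secret
        self.window = window
        # (nonce, timestamp) -> expiry. In a real deployment this store is
        # shared between workers and keyed per consumer/token as well.
        self._seen = {}

    def _expire(self, now):
        for key in [k for k, exp in self._seen.items() if exp < now]:
            del self._seen[key]

    def verify(self, method, url, params, now=None):
        now = time.time() if now is None else now
        params = dict(params)
        presented = params.pop('oauth_signature', None)
        if presented is None:
            return False
        expected = sign(method, url, params, self.consumer_secret)
        if not hmac.compare_digest(expected, presented):
            return False  # tampered or wrong key
        try:
            ts = int(params.get('oauth_timestamp', ''))
        except ValueError:
            return False
        if abs(now - ts) > self.window:
            return False  # stale: outside the replay window
        nonce = params.get('oauth_nonce')
        if not nonce:
            return False  # a missing nonce must not be treated as "no check"
        self._expire(now)
        key = (nonce, ts)
        if key in self._seen:
            return False  # replay of a previously accepted request
        self._seen[key] = now + self.window
        return True
```

The order of checks matters: the HMAC is verified first so that an unauthenticated client cannot fill the nonce store, and the nonce is only recorded once the request has been accepted.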