Re: about python-oauth2: CVE-2013-4347

To: debian-python@lists.debian.org
Subject: Re: about python-oauth2: CVE-2013-4347
From: Philippe Makowski <pmakowski@espelida.com>
Date: Sat, 19 Oct 2013 15:27:44 +0200
Message-id: <[🔎] 526288D0.8000201@espelida.com>
In-reply-to: <[🔎] 526193EB.3090201@espelida.com>
References: <[🔎] 52547D33.7070600@espelida.com> <[🔎] CAKTje6FsYgkcQY56gRUKXwcBrKXBt2M5F9ApawU0c+d-JokGZQ@mail.gmail.com> <[🔎] 20131009064018.GA3329@jwilk.net> <[🔎] 526193EB.3090201@espelida.com>

Philippe Makowski  [2013-10-18 22:02] :
> but it let the other CVE-2013-4346 about _check_signature() ignoring the
> nonce value when validating signed urls
> 
> any idea ?
maybe something like that
:https://github.com/pmakowski/python-oauth2/commit/7002422bb39bc137713933bc2e55251853830fcc


But I don't really understand this CVE since python-oauth2 Server is only :

    """A skeletal implementation of a service provider, providing protected
resources to requests from authorized consumers.


It don't intend to be a full service provider

Reply to:

References:
- about python-oauth2: CVE-2013-4347
  - From: Philippe Makowski <pmakowski@espelida.com>
- Re: about python-oauth2: CVE-2013-4347
  - From: Paul Wise <pabs@debian.org>
- Re: about python-oauth2: CVE-2013-4347
  - From: Jakub Wilk <jwilk@debian.org>
- Re: about python-oauth2: CVE-2013-4347
  - From: Philippe Makowski <pmakowski@espelida.com>

Prev by Date: Re: about python-oauth2: CVE-2013-4347
Next by Date: Packaging a module depending on python-cffi
Previous by thread: Re: about python-oauth2: CVE-2013-4347
Next by thread: Bug#725862: RFS: django-haystack/2.1.0-1 [ITP] -- database and form RGB color fields for Django
Index(es):
- Date
- Thread