Add known Python vulnerabilities.

Thanks to Hanno Schlichting for sending me this information and allowing me to quote him.
stevendaprano 2016-08-29 21:50:33 +10:00 committed by GitHub
parent 848fcd1b33
commit 6327bd6b41
1 changed files with 30 additions and 4 deletions


@ -314,12 +314,29 @@ Frequently Asked Questions
state of MT [#]_ [#]_ and so predict all past and future values. There state of MT [#]_ [#]_ and so predict all past and future values. There
are a number of known, practical attacks on systems using MT for are a number of known, practical attacks on systems using MT for
randomness [#]_. randomness [#]_.
* Q: Attacks on PHP are one thing, but are there any known attacks on
Python software?
While there are currently no known direct attacks on applications A: Yes. There have been vulnerabilities in Zope and Plone at the very
written in Python due to the use of MT, there is widespread agreement least. Hanno Schlichting commented [#]_::
that such usage is unsafe.
* Q: Is this an alternative to specialise cryptographic software such as SSL? "In the context of Plone and Zope a practical attack was
demonstrated, but I can't find any good non-broken links about
this anymore. IIRC Plone generated a random number and exposed
this on each error page along the lines of 'Sorry, you encountered
an error, your problem has been filed as <random number>, please
include this when you contact us'. This allowed anyone to do large
numbers of requests to this page and get enough random values to
reconstruct the MT state. A couple of security related modules used
random instead of system random (cookie session ids, password reset
links, auth token), so the attacker could break all of those."
Christian Heimes reported this issue to the Zope security team in 2012 [#]_,
there are at least two related CVE vulnerabilities [#]_, and at least one
work-around for this issue in Django [#]_.
* Q: Is this an alternative to specialist cryptographic software such as SSL?
A: No. This is a "batteries included" solution, not a full-featured A: No. This is a "batteries included" solution, not a full-featured
"nuclear reactor". It is intended to mitigate against some basic "nuclear reactor". It is intended to mitigate against some basic
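Review bot: the closing sentence of the new answer is a comma splice ("... to the Zope security team in 2012 [#]_, there are at least two related CVE vulnerabilities [#]_, and at least one work-around ..."); suggest "in 2012 [#]_; there are at least two related CVE vulnerabilities [#]_ and at least one work-around for this issue in Django [#]_." Since the quoted recollection itself says no good links about the attack survive, it would also help the reader to say explicitly that the Launchpad bug and CVE footnotes are the documented record of the same Zope/Plone issue, so the answer does not rest on personal communication alone. The four new ``[#]_`` references here (Hanno's comment, the 2012 report, the CVEs, the Django work-around) are auto-numbered, so their order must match the order of the four ``.. [#]`` entries added in the References section.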
@ -421,6 +438,15 @@ References
.. [#] https://media.blackhat.com/bh-us-12/Briefings/Argyros/BH_US_12_Argyros_PRNG_WP.pdf .. [#] https://media.blackhat.com/bh-us-12/Briefings/Argyros/BH_US_12_Argyros_PRNG_WP.pdf
.. [#] Personal communication, 2016-08-24.
.. [#] https://bugs.launchpad.net/zope2/+bug/1071067
.. [#] http://www.cvedetails.com/cve/CVE-2012-5508/
http://www.cvedetails.com/cve/CVE-2012-6661/
.. [#] https://github.com/django/django/commit/1525874238fd705ec17a066291935a9316bd3044
.. [#] https://mail.python.org/pipermail/python-ideas/2015-September/036157.html .. [#] https://mail.python.org/pipermail/python-ideas/2015-September/036157.html
.. [#] https://mail.python.org/pipermail/python-ideas/2015-September/036476.html .. [#] https://mail.python.org/pipermail/python-ideas/2015-September/036476.html
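Review bot: the second CVE URL (``http://www.cvedetails.com/cve/CVE-2012-6661/``) appears on its own line directly under the ``.. [#] http://www.cvedetails.com/cve/CVE-2012-5508/`` footnote; in reStructuredText a continuation line must be indented to the footnote body (at least three spaces) or it is parsed as a separate paragraph and the footnote only carries the first CVE. Suggest indenting it, or splitting into two ``.. [#]`` entries and adding a matching second ``[#]_`` in the FAQ text. Also check that these four new footnotes sit in the same relative order as the four new ``[#]_`` references in the FAQ hunk, since auto-numbered footnotes are matched by position, not by name.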