Add known Python vulnerabilities.
Thanks to Hanno Schlichting for sending me this information and allowing me to quote him.
This commit is contained in:
parent
848fcd1b33
commit
6327bd6b41
34
pep-0506.txt
@ -314,12 +314,29 @@ Frequently Asked Questions
state of MT [#]_ [#]_ and so predict all past and future values. There
are a number of known, practical attacks on systems using MT for
randomness [#]_.
* Q: Attacks on PHP are one thing, but are there any known attacks on
Python software?
While there are currently no known direct attacks on applications
A: Yes. There have been vulnerabilities in Zope and Plone at the very
written in Python due to the use of MT, there is widespread agreement
least. Hanno Schlichting commented [#]_::
that such usage is unsafe.
* Q: Is this an alternative to specialise cryptographic software such as SSL?
"In the context of Plone and Zope a practical attack was
demonstrated, but I can't find any good non-broken links about
this anymore. IIRC Plone generated a random number and exposed
this on each error page along the lines of 'Sorry, you encountered
an error, your problem has been filed as <random number>, please
include this when you contact us'. This allowed anyone to do large
numbers of requests to this page and get enough random values to
reconstruct the MT state. A couple of security related modules used
random instead of system random (cookie session ids, password reset
links, auth token), so the attacker could break all of those."
Christian Heimes reported this issue to the Zope security team in 2012 [#]_,
there are at least two related CVE vulnerabilities [#]_, and at least one
work-around for this issue in Django [#]_.
* Q: Is this an alternative to specialist cryptographic software such as SSL?
A: No. This is a "batteries included" solution, not a full-featured
"nuclear reactor". It is intended to mitigate against some basic
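Review bot: the `::` at the end of `least. Hanno Schlichting commented [#]_::` opens a reST literal block, so the quoted remark will render as preformatted monospace text rather than as a quotation; an indented block quote without the `::` (or a plain paragraph kept in quotation marks) matches how the rest of the FAQ answers are typeset. The closing paragraph, `Christian Heimes reported this issue to the Zope security team in 2012 [#]_, there are at least two related CVE vulnerabilities [#]_, and at least one work-around for this issue in Django [#]_.`, joins three independent statements with commas; splitting it after `2012 [#]_.` and continuing `There are at least two related CVEs [#]_ and at least one work-around in Django [#]_.` reads more cleanly.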
@ -421,6 +438,15 @@ References
.. [#] https://media.blackhat.com/bh-us-12/Briefings/Argyros/BH_US_12_Argyros_PRNG_WP.pdf
.. [#] Personal communication, 2016-08-24.
.. [#] https://bugs.launchpad.net/zope2/+bug/1071067
.. [#] http://www.cvedetails.com/cve/CVE-2012-5508/
http://www.cvedetails.com/cve/CVE-2012-6661/
.. [#] https://github.com/django/django/commit/1525874238fd705ec17a066291935a9316bd3044
.. [#] https://mail.python.org/pipermail/python-ideas/2015-September/036157.html
.. [#] https://mail.python.org/pipermail/python-ideas/2015-September/036476.html
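Review bot: the CVE footnote carries two URLs, `.. [#] http://www.cvedetails.com/cve/CVE-2012-5508/` followed by `http://www.cvedetails.com/cve/CVE-2012-6661/`; the second line must be indented to the footnote body, otherwise reST treats it as a new paragraph outside the footnote, so check the indentation (it is not recoverable from this rendering). Because every footnote here is auto-numbered with `[#]_`, the four new entries must appear in the same order as their markers in the FAQ hunk (personal communication, Launchpad bug, CVEs, Django commit), which this hunk does preserve. Consider citing the MITRE or NVD record for the two CVEs rather than the third-party cvedetails.com mirror, and using https links where the site supports them.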