|
|
Subscribe / Log in / New account

Security

A Python secrets module

By Jake Edge
October 7, 2015

A recent discussion that we covered about the default Python random number generator (RNG) has now headed off in a different direction. There was concern that the default RNG (as provided by random.random()) is not cryptographically strong, but that it is used as if it were out of ignorance. That led to suggestions of defaulting to stronger random numbers, even though that would change Python's behavior for some programs.

Since then, though, there is another proposal on the table that led to the withdrawal of PEP 504, which was proposed in that earlier discussion. That PEP was not looked on favorably by Guido van Rossum, while Steven D'Aprano's pre-PEP for a "secrets" module drew immediate support from the Python benevolent dictator for life (BDFL). The proposal still has not been formally accepted, but it has turned into PEP 506 and looks to be bound for Python 3.6.

Since Python's default RNG (as provided by random.random()) is not cryptographically strong, Nick Coghlan (and others) proposed that, by default, Python should generate crypto-strength random numbers. For those use cases that require other attributes (such as reproducibility based on a seed value) the random module would continue to use the existing default RNG (based on the Mersenne Twister algorithm). That is the now-withdrawn PEP 504. Van Rossum and others were not happy to see the semantics of the random module change when there are already mechanisms available to generate random numbers for high-security purposes (os.urandom() or the random.SystemRandom class).

D'Aprano's approach is to step up a level. One of main complaints about the existing RNG is that users who do web searches for ways to generate passwords or tokens in Python invariably end up with recommendations for using the random module in unsafe ways. Instead of changing the random module to try to avoid unsafe uses, D'Aprano is proposing adding a new module that will provide both crypto-strength random numbers and higher-level functions to generate passwords, tokens, and other security-sensitive objects that require strong random numbers. It would, effectively, add "batteries" (after all, Python is said to have "batteries included") that would help users bypass the random module which is seen as "an attractive nuisance when it comes to generating (for example) passwords or secure tokens".

Van Rossum's response to the pre-PEP suggested that an initial set of functions that would be provided by the secrets module should be added to the PEP. As Tim Peters noted, that is an invitation for bikeshedding: "I'll get it started :-)". He proposed promoting some of the methods from the SystemRandom class to top-level functions in the secrets module (for things like randrange(), randbits(), and choice()). In addition, he listed four "token" functions that would produce various types of tokens: 

 Token functions
    .token_bytes(nbytes)
        another name for os.urandom()
    .token_hex(nbytes)
        same, but return string of ASCII hex digits
    .token_url(nbytes)
        same, but return URL-safe base64-encoded ASCII
    .token_alpha(alphabet, nchars)
        string of `nchars` characters drawn uniformly
        from `alphabet`

As predicted, there was a fair amount of bikeshedding over various details of what Peters had suggested, but the basic concepts were not strongly opposed. Whether the token functions should return bytes or string types was discussed, and for those that return bytes, which encoding should be used.

Some of the names for the top-level rand*() functions were questioned, as was including some of the more derivative SystemRandom methods (e.g. randbelow() can easily be defined in terms of randrange()). There was also a question about providing a default for the number of bytes returned by the token*() functions. D'Aprano suggested using 32 as the default, with the understanding that that number may rise in the future, which seemed fairly non-controversial. The default is there to give naïve users a guideline for a current "hard-to-attack length".

As the discussion progressed, adding password generation to the secrets module seems to have fallen by the wayside, which is rather interesting since it was one of the prime motivators for the original discussion. Paul Moore suggested changing the name of the token_alpha() function to "password" or something similar. The idea would be to indicate to beginners that it is a starting point for the "generate a random password" task.

Coghlan was initially in favor of a password-generation function as part of the secrets module, but several others argued against it. To start with, the requirements for passwords differ wildly depending on their use. Some believe that secrets.password() (or its equivalent) would simply be used to generate default passwords to return from web applications, rather than in some kind of program to generate passwords to be used at various web sites. The alphabet requirements for the former are probably under the control of the programmer, while upper/lower case questions, punctuation restrictions, and other complications arise when generating passwords for other sites.

Brett Cannon pointed out that password generation is more painful than might be expected:

I can tell you it's a messy business that will just lead to never-ending complaints about "why didn't you include this as part of password alphabet" or "why did you choose that length". It just isn't worth the hassle when it isn't going to impact a majority of Python users. This can be something that web frameworks and other folks worry about.

Marc-Andre Lemburg agreed, but suggested that "the general purpose functionality of having a function which returns a string of given length and characters from a given set is useful" for creating password generators of various sorts. Those functions should not use the word "password", however. Peters piled on with the naysayers, suggesting that the documentation could provide examples of how to generate passwords that build on the tools provided by the secrets module.

Coghlan then also agreed. He noted that, like the itertools module, secrets could add "recipes" for uses like password generation to its documentation. Down the road, password generation could be considered for addition to secrets, but it doesn't need to be done immediately, because "adding things later is relatively easy, while taking them away is hard". Meanwhile, secrets without password generation still solves problems he was hoping to see solved:

Yeah, addressing the default password generation problem should work just as well as a recipe in the secrets module documentation - I see the core goal here as being to help guide folks towards using the right random number generator for security sensitive tasks, and "use the RNG in the secrets module for random secrets, and the RNG in the random module for modelling and simulation" is a much easier story to tell than explaining the technical differences between random.Random and random.SystemRandom.

Python 3.6 is still quite a ways off, as it is currently planned for the end of 2016, so there is plenty of time for the contents of the secrets module to be fully fleshed out. From the discussion so far, though, there would seem to be no real barrier to its inclusion. As Coghlan said, it will provide a clearer story for generating random numbers in Python.

Comments (1 posted)

Brief items

Security quotes of the week

Two-factor authentication is newspeak for "you can't sign in if your smartphone is broken".
Lars Marowsky-Brée

To me, Wifatch is more like a doctor who creeps into your house when you're asleep, silently injects you with the latest vaccines, throws away your cigarettes and leaves a note in your fridge recommending a healthier diet.
James Darvell

Security researchers and vendors have long been locked in a debate over how to disclose security vulnerabilities, and there's little on which the two sides agree. Apparently this extends even to the question of whether they should meet to hash out their disagreements. [...]

But the diverse group of participants had a hard time even agreeing on the purpose of the meeting: Was it to draft a charter for best practices in reporting software vulnerabilities? Was it to reform parts of the Digital Millennium Copyright Act and Computer Fraud and Abuse Act to make them less hostile to researchers? Or was it to develop guidelines for companies interested in launching bug bounty programs?

The participants hit another sticking point when they tried to determine if they should hold a second meeting. "I spent $2,000 [to come to this meeting]," Dave Aitel, CEO and founder of the Florida-based security firm Immunity, told attendees. Whether or not there's a second meeting, "should at least be an option" for discussion.

Kim Zetter reports on a meeting about security disclosure policies in WIRED

The amount of video and other data these vehicles will be collecting will be immense. You can bet governments will want it, both in individual cases and en masse. Governments will want to know where every car is or was, every moment. They will make license plate scanners totally obsolete.

They will want remote control capabilities. Whether or not vehicles can be started. Whether they will keep running or automatically pull over to the side of the road to await a police vehicle (or drive into the nearest police station, with the windows and doors locked?) if they believe a suspect is inside. Whether or not you can drive if you haven't been paying your bills or are having a legal dispute. They will want the ability to block all vehicles from areas where they don't want to be observed, and shoo all vehicles already there out of the area. This means individual and en masse remote control. Pretty powerful stuff.

Lauren Weinstein ponders the implications of autonomous vehicles

Comments (1 posted)

Qubes OS 3.0 released

Joanna Rutkowska has announced the release of Qubes OS 3.0, which has a new hypervisor abstraction layer (HAL) as one of its "killer features". Qubes OS uses a hypervisor as part of its "security by compartmentalization" strategy for creating a more secure operating system. The HAL "will allow us to easily switch the underlying hypervisors in the near future, perhaps even during the installation time, depending on the user needs (think tradeoffs between hardware compatibility and performance vs. security properties desired, such as e.g. reduction of covert channels between VMs, which might be of importance to some users). More philosophically-wise, this is a nice manifestation of how Qubes OS is really "not yet another virtualization system", but rather: a user of a virtualization system (such as Xen)." We looked at Qubes OS 3.0 back in May.

Comments (57 posted)

Ad-blocking extension AdBlock sold to new owner

Many online media outlets are reporting the news that ownership of the popular ad-blocking browser extension AdBlock has been sold to a new owner. Not to be confused with similarly named projects AdBlock Plus and AdBlock Edge, this AdBlock announced the news of the sale to its users in a pop-up window. TheNextWeb reports that AdBlock employees refused to identify the buyer. In related news, the new owner has decided to join the "Acceptable Ads" whitelisting program run by rival AdBlock Plus. An announcement on the AdBlock Plus site confirms the move, and notes that an "independent review board" will now decide which advertisements are included the Acceptable Ads whitelist. Public nominations for the board are said to be open.

Comments (58 posted)

New vulnerabilities

activemq: information disclosure

Package(s):activemq CVE #(s):CVE-2015-6524
Created:October 5, 2015 Updated:October 7, 2015
Description: From the CVE entry:

The LDAPLoginModule implementation the Java Authentication and Authorization Service (JAAS) in Apache ActiveMQ 5.x before 5.10.1 allows wildcard operators in usernames, which allows remote attackers to obtain credentials via a brute force attack. NOTE: this identifier was SPLIT from CVE-2014-3612 per ADT2 due to different vulnerability types.

Alerts:
Fedora FEDORA-2015-701 activemq 2015-10-04

Comments (none posted)

binutils: multiple vulnerabilities

Package(s):binutils CVE #(s):
Created:October 2, 2015 Updated:October 7, 2015
Description:

From the Debian advisory:

PR ld/12613 (no CVE assigned) - Niranjan Hasabnis discovered that passing an malformed linker script to GNU ld, part of binutils, may result in a stack buffer overflow. If the linker is used with untrusted object files, this would allow remote attackers to cause a denial of service (crash) or possibly privilege escalation.

PR binutils/18750 (no CVE assigned) - Joshua Rogers reported that passing a malformed ihex (Intel hexadecimal) file to to various commands in binutils may result in a stack buffer overflow. A similar issue was found in readelf. If these commands are used to read untrusted binaries, this would allow remote attackers to cause a denial of service (crash) or possibly privilege escalation.

Alerts:
Debian-LTS DLA-324-1 binutils 2015-10-02

Comments (none posted)

commons-httpclient: denial of service

Package(s):commons-httpclient CVE #(s):CVE-2015-5262
Created:October 1, 2015 Updated:October 12, 2015
Description: From the Debian-LTS advisory:

Trevin Beattie discovered an issue where one could observe hanging threads in a multi-threaded Java application. After debugging the issue, it became evident that the hanging threads were caused by the SSL initialization code in commons-httpclient.

This upload fixes this issue by respecting the configured SO_TIMEOUT during SSL handshakes with the server.

Alerts:
Mageia MGASA-2015-0392 jakarta-commons-httpclient 2015-10-09
Fedora FEDORA-2015-15588 jakarta-commons-httpclient 2015-10-01
Fedora FEDORA-2015-15589 jakarta-commons-httpclient 2015-10-01
Debian-LTS DLA-322-1 commons-httpclient 2015-10-01
Ubuntu USN-2769-1 commons-httpclient 2015-10-14

Comments (none posted)

fuseiso: two vulnerabilities

Package(s):fuseiso CVE #(s):CVE-2015-8836 CVE-2015-8837
Created:October 1, 2015 Updated:April 18, 2016
Description: From the Debian-LTS advisory:

Issue 1: An integer overflow, leading to a heap-based buffer overflow flaw was found in the way FuseISO, a FUSE module to mount ISO filesystem images, performed reading of certain ZF blocks of particular inodes. A remote attacker could provide a specially-crafted ISO file that, when mounted via the fuseiso tool would lead to fuseiso binary crash. This issue was discovered by Florian Weimer of Red Hat Product Security Team. The issue got resolve by bailing out before ZF blocks that exceed the supported block size of 2^17 are to be read.

Issue 2: A stack-based buffer overflow flaw was found in the way FuseISO, a FUSE module to mount ISO filesystem images, performed expanding of directory portions for absolute path filename entries. A remote attacker could provide a specially-crafted ISO file that, when mounted via fuseiso tool would lead to fuseiso binary crash or, potentially, arbitrary code execution with the privileges of the user running the fuseiso executable. This issue was discovered by Florian Weimer of Red Hat Product Security Team. The issue got resolved by checking the resulting length of an absolute path name and by bailing out if the platform's PATH_MAX value gets exceeded.

Alerts:
Debian DSA-3551-1 fuseiso 2016-04-16
Mageia MGASA-2015-0406 fuseiso 2015-10-25
Debian-LTS DLA-323-1 fuseiso 2015-10-01

Comments (none posted)

gdk-pixbuf: two vulnerabilities

Package(s):gdk-pixbuf CVE #(s):CVE-2015-7673 CVE-2015-7674
Created:October 5, 2015 Updated:March 29, 2016
Description: From the Mageia advisory:

Security researcher Gustavo Grieco reported a heap overflow in gdk-pixbuf before 2.32.0. This issue is triggered by the scaling of a malformed tga format image and results in a potentially exploitable crash (CVE-2015-7673).

Security researcher Gustavo Grieco reported a heap overflow in gdk-pixbuf before 2.32.1. This issue is triggered by the scaling of a malformed gif format image (CVE-2015-7674).

Alerts:
openSUSE openSUSE-SU-2016:1467-1 gdk-pixbuf 2016-06-01
Debian-LTS DLA-450-1 gdk-pixbuf 2016-04-30
openSUSE openSUSE-SU-2016:0897-1 gdk-pixbuf 2016-03-28
Debian-LTS DLA-434-1 gtk+2.0 2016-02-27
Gentoo 201512-05 gdk-pixbuf 2015-12-21
Debian DSA-3378-1 gdk-pixbuf 2015-10-24
Ubuntu USN-2767-1 gdk-pixbuf 2015-10-13
Arch Linux ASA-201510-6 gdk-pixbuf2 2015-10-10
Mageia MGASA-2015-0388 gdk-pixbuf2.0 2015-10-03

Comments (none posted)

jenkins-script-security-plugin: unspecified vulnerability

Package(s):jenkins-script-security-plugin CVE #(s):
Created:October 5, 2015 Updated:October 7, 2015
Description: From the Red Hat bugzilla:

Trying to access http://localhost:8080/api/xml leads to an exception.

Alerts:
Fedora FEDORA-2015-16391 jenkins-script-security-plugin 2015-10-03

Comments (none posted)

kernel: denial of service

Package(s):kernel CVE #(s):CVE-2015-6526
Created:October 2, 2015 Updated:October 7, 2015
Description:

From the Ubuntu advisory:

It was discovered that the Linux kernel's perf subsystem did not bound callchain backtraces on PowerPC 64. A local attacker could use this to cause a denial of service.

Alerts:
openSUSE openSUSE-SU-2016:2144-1 kernel 2016-08-24
Scientific Linux SLSA-2015:2152-2 kernel 2015-12-21
Red Hat RHSA-2015:2152-02 kernel 2015-11-19
Ubuntu USN-2760-1 linux-ti-omap4 2015-10-01
Ubuntu USN-2759-1 kernel 2015-10-01

Comments (none posted)

kernel: multiple vulnerabilities

Package(s):kernel CVE #(s):CVE-2015-7613
Created:October 6, 2015 Updated:October 7, 2015
Description: From the Ubuntu advisory:

Dmitry Vyukov discovered that the Linux kernel did not properly initialize IPC object state in certain situations. A local attacker could use this to escalate their privileges, expose confidential information, or cause a denial of service (system crash).

Alerts:
Oracle ELSA-2016-3503 kernel 2.6.32 2016-01-09
Oracle ELSA-2016-3503 kernel 2.6.32 2016-01-09
Oracle ELSA-2016-3502 kernel 2.6.39 2016-01-09
Oracle ELSA-2016-3502 kernel 2.6.39 2016-01-09
Scientific Linux SLSA-2015:2152-2 kernel 2015-12-21
Scientific Linux SLSA-2015:2636-1 kernel 2015-12-15
Oracle ELSA-2015-2636 kernel 2015-12-15
Red Hat RHSA-2015:2636-01 kernel 2015-12-15
Red Hat RHSA-2015:2587-01 kernel 2015-12-09
Oracle ELSA-2015-3101 kernel 3.8.13 2015-11-27
Oracle ELSA-2015-3101 kernel 3.8.13 2015-11-27
Oracle ELSA-2015-2152 kernel 2015-11-25
SUSE SUSE-SU-2015:2086-1 linux-3.12.44 2015-11-24
SUSE SUSE-SU-2015:2087-1 linux-3.12.44 2015-11-24
SUSE SUSE-SU-2015:2084-1 linux-3.12.43 2015-11-24
SUSE SUSE-SU-2015:2090-1 linux-3.12.38 2015-11-24
SUSE SUSE-SU-2015:2085-1 linux-3.12.39 2015-11-24
SUSE SUSE-SU-2015:2091-1 linux-3.12.36 2015-11-24
SUSE SUSE-SU-2015:2089-1 linux-3.12.32 2015-11-24
Red Hat RHSA-2015:2411-01 kernel-rt 2015-11-19
Red Hat RHSA-2015:2152-02 kernel 2015-11-19
Ubuntu USN-2796-1 linux-ti-omap4 2015-11-05
Ubuntu USN-2792-1 kernel 2015-11-05
Fedora FEDORA-2015-d7e074ba30 kernel 2015-11-01
SUSE SUSE-SU-2015:1727-1 kernel-source 2015-10-13
Debian-LTS DLA-325-1 linux-2.6 2015-10-12
Debian DSA-3372-1 kernel 2015-10-13
Fedora FEDORA-2015-dcc260f2f2 kernel 2015-10-09
Ubuntu USN-2765-1 linux-lts-vivid 2015-10-05
Ubuntu USN-2764-1 linux-lts-utopic 2015-10-05
Ubuntu USN-2763-1 linux-lts-trusty 2015-10-05
Ubuntu USN-2761-1 kernel 2015-10-05
Ubuntu USN-2762-1 kernel 2015-10-05

Comments (none posted)

nodejs: denial of service

Package(s):nodejs CVE #(s):CVE-2015-7384
Created:October 6, 2015 Updated:October 27, 2015
Description: From the Arch Linux advisory:

A vulnerability has been discovered in the HTTP pipeline handling that is leading to an application crash. This problem is caused by out-of-order responses being sent to the client within a single pipelined connection.

A remote attacker is able to crash the process when out-of-order responses are sent within a single pipelined connection resulting in denial of service.

Alerts:
openSUSE openSUSE-SU-2015:1825-2 nodejs 2015-10-29
openSUSE openSUSE-SU-2015:1825-1 nodejs 2015-10-27
Arch Linux ASA-201510-3 nodejs 2015-10-06

Comments (none posted)

openhpi: world writable /var/lib/openhpi directory

Package(s):openhpi CVE #(s):CVE-2015-3248
Created:October 7, 2015 Updated:December 22, 2015
Description: From the Red Hat bugzilla:

openhpi ships with the /var/lib/openhpi/ directory set world readable and writeable. If this directory is used for storing the OPENHPI_UID_MAP or other openhpi data for example an attacker would be able to view, modify and delete it. Even without such usage an attacker could use it to fill up the storage hosting the /var/lib/ directory if quotas are not properly set.

Alerts:
Scientific Linux SLSA-2015:2369-1 openhpi 2015-12-21
Oracle ELSA-2015-2369 openhpi 2015-11-23
Red Hat RHSA-2015:2369-01 openhpi 2015-11-19
Fedora FEDORA-2015-10944 openhpi 2015-10-07

Comments (none posted)

openjpeg2: use-after-free vulnerability

Package(s):openjpeg2 CVE #(s):CVE-2015-8871
Created:October 2, 2015 Updated:May 14, 2016
Description:

From the Red Hat bug report:

Use-after-free vulnerability was found in j2k.c in opj_j2k_write_mco function.

'l_current_data' is set to 'p_j2k->m_specific_param.m_encoder.m_header_tile_data', 'p_j2k->m_specific_param.m_encoder.m_header_tile_data' is later used as arg of 'realloc' and can be freed depending on the length of 'l_mco_size', 'l_current_data' is later used and can point to a freed memory zone.

Alerts:
Debian DSA-3665-1 openjpeg2 2016-09-11
Fedora FEDORA-2016-14d8f9b4ed mingw-openjpeg2 2016-07-18
Fedora FEDORA-2016-8fa7ced365 mingw-openjpeg2 2016-07-18
Fedora FEDORA-2016-d2ab705e4a openjpeg2 2016-07-16
Fedora FEDORA-2016-abdc548f46 openjpeg2 2016-07-14
Gentoo 201612-26 openjpeg 2016-12-08
Fedora FEDORA-2015-15927 openjpeg2 2015-10-01
Fedora FEDORA-2015-15928 openjpeg2 2015-10-01

Comments (none posted)

openjpeg2: code execution

Package(s):openjpeg2 CVE #(s):CVE-2015-6581
Created:October 6, 2015 Updated:October 14, 2015
Description: From the CVE entry:

Double free vulnerability in the opj_j2k_copy_default_tcp_and_create_tcd function in j2k.c in OpenJPEG before r3002, as used in PDFium in Google Chrome before 45.0.2454.85, allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) by triggering a memory-allocation failure.

Alerts:
Debian DSA-3665-1 openjpeg2 2016-09-11
Mageia MGASA-2015-0398 openjpeg2 2015-10-14
Fedora FEDORA-2015-1 openjpeg2 2015-10-13
Fedora FEDORA-2015-773 openjpeg2 2015-10-05

Comments (none posted)

python-PyJWT: privilege escalation

Package(s):python-PyJWT CVE #(s):
Created:October 1, 2015 Updated:October 7, 2015
Description: From the SUSE bugzilla entry:

Tim McLean discovered that pyjwt, a Python implementation of JSON Web Token, would try to verify an HMAC signature using an RSA or ECDSA public key as secret. This could allow remote attackers to trick applications expecting tokens signed with asymmetric keys, into accepting arbitrary tokens. For more information see: https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/.

Alerts:
openSUSE openSUSE-SU-2015:1659-1 python-PyJWT 2015-10-01

Comments (none posted)

spice: multiple vulnerabilities

Package(s):spice CVE #(s):CVE-2015-5260 CVE-2015-5261
Created:October 7, 2015 Updated:October 13, 2015
Description: From the Ubuntu advisory:

Frediano Ziglio discovered multiple buffer overflows, undefined behavior signed integer operations, race conditions, memory leaks, and denial of service issues in Spice. A malicious guest operating system could potentially exploit these issues to escape virtualization. (CVE-2015-5260, CVE-2015-5261)

Alerts:
Gentoo 201606-05 spice 2016-06-16
Fedora FEDORA-2015-7fcc957ba6 spice-protocol 2015-11-01
Fedora FEDORA-2015-7fcc957ba6 spice-gtk 2015-11-01
Fedora FEDORA-2015-7fcc957ba6 spice 2015-11-01
Fedora FEDORA-2015-7fcc957ba6 mingw-spice-protocol 2015-11-01
Fedora FEDORA-2015-7fcc957ba6 mingw-spice-gtk 2015-11-01
Arch Linux ASA-201510-13 spice 2015-10-19
Scientific Linux SLSA-2015:1889-1 spice-server 2015-10-12
Scientific Linux SLSA-2015:1890-1 spice 2015-10-12
Oracle ELSA-2015-1889 spice-server 2015-10-12
Oracle ELSA-2015-1890 spice 2015-10-12
CentOS CESA-2015:1889 spice-server 2015-10-12
CentOS CESA-2015:1890 spice 2015-10-13
Red Hat RHSA-2015:1889-01 spice-server 2015-10-12
Red Hat RHSA-2015:1890-01 spice 2015-10-12
Mageia MGASA-2015-0394 spice 2015-10-09
Debian DSA-3371-1 spice 2015-10-09
Ubuntu USN-2766-1 spice 2015-10-06
openSUSE openSUSE-SU-2015:1750-1 spice 2015-10-15

Comments (none posted)

webkitgtk: code execution

Package(s):webkitgtk CVE #(s):
Created:October 6, 2015 Updated:October 7, 2015
Description: As described in the Red Hat bugzilla entry, Midori will crash on exit if it is set to clear private data.
Alerts:
Fedora FEDORA-2015-6999 webkitgtk3 2015-10-05
Fedora FEDORA-2015-360 webkitgtk3 2015-10-05
Fedora FEDORA-2015-6999 webkitgtk 2015-10-05
Fedora FEDORA-2015-360 webkitgtk 2015-10-05

Comments (none posted)

zendframework: SQL injection

Package(s):zendframework CVE #(s):CVE-2015-7695
Created:October 7, 2015 Updated:October 16, 2015
Description: From the Debian advisory:

Chris Kings-Lynne discovered an SQL injection vector caused by missing null byte filtering in the MS SQL PDO backend, and a similar issue was also found in the SQLite backend.

Alerts:
Debian-LTS DLA-326-1 zendframework 2015-10-15
Debian DSA-3369-1 zendframework 2015-10-06

Comments (none posted)

Page editor: Jake Edge
Next page: Kernel development>>


Copyright © 2015, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds