[Bug 1695899] Re: [MIR] python-scrypt, python-bcrypt

Tyler Hicks tyhicks at canonical.com
Wed Jul 26 00:15:03 UTC 2017


Hello! This is a very accelerated security review of python-bcrypt. I
didn't look at the bcrypt implementation itself but did verify that the
test vectors used have overlap with Openwall's crypt_blowfish test
vectors:

http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/glibc/crypt_blowfish/wrapper.c?rev=HEAD

I've also previously reviewed python-bcrypt here:

https://bugs.launchpad.net/ubuntu/+source/python-bcrypt/+bug/1427861/comments/1

Considering that I've previously reviewed the project, the test vectors
are now more aligned with Openwall's test vectors, and the fact that
this package was not a large maintenance burden while it was previously
in main, Security Team ack for python-bcrypt.

** Changed in: python-bcrypt (Ubuntu)
     Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

** Changed in: python-scrypt (Ubuntu)
     Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to python-scrypt in Ubuntu.
https://bugs.launchpad.net/bugs/1695899

Title:
  [MIR] python-scrypt, python-bcrypt

Status in python-bcrypt package in Ubuntu:
  New
Status in python-scrypt package in Ubuntu:
  New

Bug description:
  >python-scrypt<
  [Availability]
  In universe

  [Rationale]
  keystone: Support new hashing algorithms for securely storing password hashes

  [Security]

  [Quality assurance]
  Package has not been well maintained in Debian; Python 3 support and new upstream release + misc package polish applied in Ubuntu.

  Package runs test suite for all python versions as part of build.

  [Dependencies]
  In main.

  [Standards compliance]
  OK

  [Maintenance]
  ubuntu-openstack

  >python-bcrypt<
  [Availability]
  In universe

  [Rationale]
  keystone: Support new hashing algorithms for securely storing password hashes

  [Security]

  [Quality assurance]
  Package well maintained in Debian; Minor point release in Ubuntu over Debian unstable.

  Package runs test suite for all python versions as part of build.

  [Dependencies]
  In main.

  [Standards compliance]
  OK

  [Maintenance]
  ubuntu-openstack
