Candidate: CVE-2013-1895
PublicDate: 2020-01-28 15:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1895
Description:
 The py-bcrypt module before 0.3 for Python does not properly handle
 concurrent memory access, which allows attackers to bypass authentication
 via multiple authentication requests, which trigger the password hash to be
 overwritten.
Ubuntu-Description:
Notes:
 mdeslaur> lucid and precise aren't vulnerable as v0.1 did not release the
 mdeslaur> GIL.
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=704030
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N [7.5 HIGH]

Patches_python-bcrypt:
 upstream: https://code.google.com/p/py-bcrypt/source/detail?r=3bc365ff43736d26ff37e9f2a4084f37b381b569
upstream_python-bcrypt: released (0.3)
hardy_python-bcrypt: DNE
lucid_python-bcrypt: not-affected (0.1-1build1)
oneiric_python-bcrypt: ignored (reached end-of-life)
precise_python-bcrypt: not-affected (0.1-1build2)
quantal_python-bcrypt: ignored (reached end-of-life)
raring_python-bcrypt: ignored (reached end-of-life)
saucy_python-bcrypt: ignored (reached end-of-life)
trusty_python-bcrypt: not-affected (0.4-1)
trusty/esm_python-bcrypt: DNE (trusty was not-affected [0.4-1])
devel_python-bcrypt: not-affected (0.4-1)