ALAS-2014-425


Amazon Linux AMI Security Advisory: ALAS-2014-425
Advisory Release Date: 2014-10-14 12:30 Pacific
Severity: Medium

Issue Overview:

The Server.verify_request function in SimpleGeo python-oauth2 does not check the nonce, which allows remote attackers to perform replay attacks via a signed URL.

The (1) make_nonce, (2) generate_nonce, and (3) generate_verifier functions in SimpleGeo python-oauth2 uses weak random numbers to generate nonces, which makes it easier for remote attackers to guess the nonce via a brute force attack.


Affected Packages:

python-oauth2


Issue Correction:
Run yum update python-oauth2 to update your system.

New Packages:
noarch:
    python-oauth2-1.5.211-7.1.amzn1.noarch

src:
    python-oauth2-1.5.211-7.1.amzn1.src