publish_session does not update the encryption key #11493
jcsp pushed a commit to jcsp/salt that referenced this issue Mar 25, 2014
crypt.dropfile was failing to emplace the .dfn file when user was None, as is the case in the periodic call based on the publish_session config setting.
Please consider this for backport as it is security related.
thatch45 added a commit that referenced this issue Mar 25, 2014
basepi pushed a commit that referenced this issue Apr 4, 2014
The following commit broke publish_session:
Specifically, in crypt.dropfile:
The shutil.move is inside the "if user" conditional. User is None when dropfile is used in the call from master.py, so the .dfnt file is written but never renamed to .dfn, so the master never sees it and the key never gets updated.
This is an indirect security bug, if a deployment is relying on publish_session to increase the difficulty of attacks.
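The pattern described in this report, reduced to a minimal sketch, as an added example that is not part of the original issue and is not Salt's source code. The function names, the `_set_owner` step and the `stranded_dropfile` check are assumptions for illustration; only the `.dfnt`/`.dfn` file names and the `if user` nesting come from the report.

```python
import os
import pwd
import shutil
import tempfile

TMP_NAME, FINAL_NAME = ".dfnt", ".dfn"  # file names from the report


def _set_owner(path, user):
    # Assumed per-user step: hand the file to the configured user.
    pw = pwd.getpwnam(user)
    os.chown(path, pw.pw_uid, pw.pw_gid)


def dropfile_buggy(cachedir, user=None):
    """Reported pattern: the rename sits inside the `if user` block."""
    tmp = os.path.join(cachedir, TMP_NAME)
    with open(tmp, "w") as fp:
        fp.write("")  # constructed content; only the file's presence matters
    if user:
        _set_owner(tmp, user)
        shutil.move(tmp, os.path.join(cachedir, FINAL_NAME))


def dropfile_fixed(cachedir, user=None):
    """Rename unconditionally; only the ownership change depends on user."""
    tmp = os.path.join(cachedir, TMP_NAME)
    with open(tmp, "w") as fp:
        fp.write("")
    if user:
        _set_owner(tmp, user)
    shutil.move(tmp, os.path.join(cachedir, FINAL_NAME))


def stranded_dropfile(cachedir):
    """Operator check: a .dfnt with no .dfn means the signal never landed."""
    names = set(os.listdir(cachedir))
    return TMP_NAME in names and FINAL_NAME not in names


def demo():
    """Run both variants with user=None, as the periodic call does."""
    out = {}
    for name, fn in (("buggy", dropfile_buggy), ("fixed", dropfile_fixed)):
        with tempfile.TemporaryDirectory() as d:
            fn(d, user=None)
            out[name] = (sorted(os.listdir(d)), stranded_dropfile(d))
    return out


if __name__ == "__main__":
    print(demo())
```

A regression test for this class of bug should call the function with `user=None` and assert on the final file name, since the path with a user set hides the problem.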