Source: python-websockets Version: 8.1-1 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi, The following vulnerability was published for python-websockets. CVE-2021-33880[0]: | The aaugustin websockets library before 9.1 for Python has an | Observable Timing Discrepancy on servers when HTTP Basic | Authentication is enabled with | basic_auth_protocol_factory(credentials=...). An attacker may be able | to guess a password via a timing attack. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2021-33880 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33880 [1] https://github.com/aaugustin/websockets/commit/547a26b685d08cac0aa64e5e65f7867ac0ea9bc0 Regards, Salvatore
