The default quickstart configuration of TurboGears2 (aka tg2) before 2.0.2 has a weak cookie salt, which makes it easier for remote attackers to bypass repoze.who authentication via a forged authorization cookie, a related issue to CVE-2010-3852.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Turbogears2 | Turbogears | * | 2.1b2 (including) |
| Turbogears2 | Turbogears | 1.9.7a2 (including) | 1.9.7a2 (including) |
| Turbogears2 | Turbogears | 1.9.7a3 (including) | 1.9.7a3 (including) |
| Turbogears2 | Turbogears | 1.9.7a4 (including) | 1.9.7a4 (including) |
| Turbogears2 | Turbogears | 1.9.7b1 (including) | 1.9.7b1 (including) |
| Turbogears2 | Turbogears | 1.9.7b2 (including) | 1.9.7b2 (including) |
| Turbogears2 | Turbogears | 2.0-rc1 (including) | 2.0-rc1 (including) |
| Turbogears2 | Turbogears | 2.0.1 (including) | 2.0.1 (including) |
| Turbogears2 | Turbogears | 2.0b1 (including) | 2.0b1 (including) |
| Turbogears2 | Turbogears | 2.0b2 (including) | 2.0b2 (including) |
| Turbogears2 | Turbogears | 2.0b3 (including) | 2.0b3 (including) |
| Turbogears2 | Turbogears | 2.0b4 (including) | 2.0b4 (including) |
| Turbogears2 | Turbogears | 2.0b5 (including) | 2.0b5 (including) |
| Turbogears2 | Turbogears | 2.0b6 (including) | 2.0b6 (including) |
| Turbogears2 | Turbogears | 2.0b7 (including) | 2.0b7 (including) |
| Turbogears2 | Turbogears | 2.1a1 (including) | 2.1a1 (including) |
| Turbogears2 | Turbogears | 2.1a2 (including) | 2.1a2 (including) |
| Turbogears2 | Turbogears | 2.1a3 (including) | 2.1a3 (including) |
| Turbogears2 | Turbogears | 2.1b1 (including) | 2.1b1 (including) |
| Turbogears2 | Ubuntu | upstream | * |