ArchLinux: 202106-26: python-websockets: private key recovery
Summary
The aaugustin websockets library before 9.1 for Python has an observable timing discrepancy on servers when HTTP Basic Authentication is enabled with basic_auth_protocol_factory(credentials=...). An attacker may be able to guess a password via a timing attack.
Resolution
Upgrade to 9.1-1.
# pacman -Syu "python-websockets>=9.1-1"
The problem has been fixed upstream in version 9.1.
References
https://github.com/python-websockets/websockets/commit/547a26b685d08cac0aa64e5e65f7867ac0ea9bc0 https://security.archlinux.org/CVE-2021-33880
Workaround
None.