Force all uses of random to use SystemRandom and abort if pseudorandom random.Random would be used rather than Random.SystemRandom. random.Random is returning the same value time after time. Even when being seeded after instantiation, calls to the random.random() function return the same value like it's not advanceing the state of the generator. So "fix" is to force use of system random generator to generate: one time keys for password reset (action.py) random passwords when resetting passwords (password.py) serial number for auto ssl cert generation (roundup_server.py) Message-ID's in email: mailgw.py, client.py anti-csrf nonces (templating.py)

--- a/roundup/cgi/client.py	Thu Jul 05 22:48:50 2018 -0400
+++ b/roundup/cgi/client.py	Sat Jul 07 22:02:41 2018 -0400
@@ -17,7 +17,9 @@
     random=SystemRandom()
     logger.debug("Importing good random generator")
 except ImportError:
-    from random import random
+    raise
+    from random import Random
+    random=Random()
     logger.warning("**SystemRandom not available. Using poor random generator")
 
 try: