
Django Security Updates CVE-2013-1443: 1.4.8 & 1.5.8

A denial of service vulnerability was recently discovered and patched in Django versions 1.4, 1.5 and the 1.6 beta. We have upgraded the globally installed versions of Django 1.4 and 1.5 to 1.4.8 and 1.5.4 respectively to mitigate this issue for customers relying on our servers' installations of Django. Django's default authentication system hashes passwords with PBKDF2, a deliberately processor-intensive hashing function designed to make brute-force cracking of passwords very difficult.

However, when supplied with a sufficiently long password, the resource-intensive nature of the hashing can itself be turned into a denial of service. This security update simply limits passwords to no more than 4096 bytes to eliminate that issue. The Django team maintains API compatibility across minor versions, so this upgrade should be transparent to your applications. Users relying on a virtualenv, or simply installing and loading packages from the cPanel user's local site-packages folder, will have to handle upgrading Django on their own. In either situation, you should be able to complete the upgrade with pip as follows:

pip install --user Django==1.4.8

Or

pip install --user Django==1.5.4

We will evaluate the impact of this upgrade in the coming days and, if appropriate, we will provide a follow-up post regarding updating all user-installed versions of Django. However, at this time we do not feel that is warranted, and as such we have limited the scope of the update to the globally installed versions of Django on our servers. For more information about the vulnerability, please visit:

https://www.djangoproject.com/weblog/2013/sep/15/security/

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1443
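To make the mitigation concrete, here is an added Python example (it is not Django's code and not part of the original post) that applies the same 4096-byte limit before any PBKDF2 work is done, so an oversized login attempt is rejected at trivial cost. The encoded hash format, the iteration count and the helper names are assumptions for this example only.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

MAX_PASSWORD_LENGTH = 4096   # byte limit described in the post
ITERATIONS = 10000           # assumed work factor for this example
_hash_calls = 0              # counts PBKDF2 runs so the guard's effect can be observed


class PasswordTooLong(ValueError):
    """Raised when a password exceeds MAX_PASSWORD_LENGTH bytes."""


def _enforce_limit(password: str) -> bytes:
    # Measure the limit in bytes after encoding: multibyte characters count fully.
    raw = password.encode("utf-8")
    if len(raw) > MAX_PASSWORD_LENGTH:
        raise PasswordTooLong(f"password is {len(raw)} bytes; limit is {MAX_PASSWORD_LENGTH}")
    return raw


def _pbkdf2(raw: bytes, salt: bytes, iterations: int) -> bytes:
    global _hash_calls
    _hash_calls += 1
    return hashlib.pbkdf2_hmac("sha256", raw, salt, iterations)


def hash_call_count() -> int:
    return _hash_calls


def make_password(password: str, salt: Optional[bytes] = None) -> str:
    raw = _enforce_limit(password)                      # guard runs before any hashing
    salt = salt if salt is not None else os.urandom(16)
    dk = _pbkdf2(raw, salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, base64.b64encode(salt).decode("ascii"),
                                       base64.b64encode(dk).decode("ascii"))


def check_password(password: str, encoded: str) -> bool:
    try:
        raw = _enforce_limit(password)
    except PasswordTooLong:
        return False                                    # cheap rejection: no PBKDF2 work at all
    algorithm, iterations, salt_b64, dk_b64 = encoded.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError("unsupported hasher: " + algorithm)
    dk = _pbkdf2(raw, base64.b64decode(salt_b64), int(iterations))
    return hmac.compare_digest(dk, base64.b64decode(dk_b64))  # constant-time comparison
```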
