A denial of service vulnerability was recently discovered and patched in Django version 1.4, 1.5 and the 1.6 beta. We have upgraded the globally installed versions of Django 1.4 and 1.5 to versions 1.4.8 and 1.5.4 respectively to mitigate this issue for customers relying on our servers’ installations of Django.
The default authentication system in Django uses the PBKDF2 function for hashing passwords, a strong processor intensive hashing method designed to make brute-force cracking of passwords very difficult. However, when supplied with a long enough of password, the resource intensive nature of the hashing can create a denial of service. This security update simply limits passwords to no more than 4096 bytes to eliminate that issue.
The Django team maintains API compatibility across minor versions, so this upgrade should be transparent to your applications. Users relying on virtualenv or simply installing and loading packages from the cPanel user’s local site-packages folder will have to handle upgrading Django on their own. In either situation, you should be able to complete the upgrades in your virtualenv as follows:
pip install --user Django==1.4.8
pip install --user Django==1.5.4
We will evaluate impact of this upgrade in the coming days and if appropriate we will provide a followup post regarding updating all user installed versions of Django. However, at this time we do not feel that is warranted and as such we have limited the scope of the update to the globally installed versions of Django on our servers.
For more information about the vulnerability, please visit