On 16/09/2013 02:45 AM, Russell Keith-Magee wrote:
Django 1.3 and earlier are also affected, but the exposure is smaller. It
was the speed of the PBKDF2 hashing function that revealed this problem,
and that hasher was introduced in Django 1.4. In Django 1.3 or earlier,
SHA1 was the default hashing function. As described in the release notes,
SHA1 is a much faster hashing function, which means it's harder to
manufacture an attack using this problem -- but it's still possible.

However, it's important to note that this isn't the only security
vulnerability in Django that is unpatched in 1.3. Django 1.3 is *not
supported*, and so all the recent security issues (XSS problems in URL and
login redirect URLs, and directory traversal in the ssi tag) are also
unpatched.

Django 1.4 will be a long term support release for Django -- we're
guaranteeing support 3 years from initial release -- so you'd be well
advised to upgrade.

Yours,
Russ Magee %-)


Of course, you are right. I intend to upgrade; unfortunately, some of the plugins I use do not support newer versions of Django, so I will have to find a solution for that too.

Thanks a lot for your answer

--
 --------------------------------------------------------------
 Nick Apostolakis
 Msc in IT, University of Glasgow
 e-mail: nicka...@oncrete.gr
 Web Site: http://nick.oncrete.gr
 --------------------------------------------------------------
