Bug#686104: python-django-registration: Not compatible with Django 1.4.

2012-08-31 Thread Raphael Hertzog
On Thu, 30 Aug 2012, Winfried Tilanus wrote: The SHA1 hashes used in python-django-registration are publicly visible. An attack against the SHA1 in python-django-registration would not need a compromise of the database first, but can be performed against openly available data. What openly

Bug#686104: python-django-registration: Not compatible with Django 1.4.

2012-08-31 Thread Winfried Tilanus
On 08/31/2012 08:41 AM, Raphael Hertzog wrote: What openly available data are you referring to? The hash calculated in django-registration is sent out to people registering a new account, as part of the URL to click on when confirming the registration of a new account. It is used as identifier

Bug#686104: python-django-registration: Not compatible with Django 1.4.

2012-08-31 Thread Raphael Hertzog
On Fri, 31 Aug 2012, Winfried Tilanus wrote: On 08/31/2012 08:41 AM, Raphael Hertzog wrote: What openly available data are you referring to? The hash calculated in django-registration is sent out to people registering a new account, as part of the URL to click on when confirming the

Bug#686104: python-django-registration: Not compatible with Django 1.4.

2012-08-31 Thread Winfried Tilanus
On 08/31/2012 09:59 AM, Raphael Hertzog wrote: Hi, (I hope you are still patient with me.) It is hard to judge how severe the use of SHA1 in django-registration 0.7.1 is. I think we can go on endlessly here. (What if an attacker requests 2 accounts: one on a valid e-mail address and one on a

Bug#686104: python-django-registration: Not compatible with Django 1.4.

2012-08-31 Thread Raphael Hertzog
Hi, On Fri, 31 Aug 2012, Winfried Tilanus wrote: So let's get back to the original issue: the changelog mentions fixed compatibility issues with Django 1.4: https://bitbucket.org/ubernostrum/django-registration/src/2d6fcc0c55d0/CHANGELOG It is for sure referring to this commit:

Bug#686104: python-django-registration: Not compatible with Django 1.4.

2012-08-30 Thread Winfried Tilanus
IMHO the use of SHA1 in python-django-registration 0.7.2 is a security issue waiting to happen. The SHA1 hashes used in python-django-registration are publicly visible. An attack against the SHA1 in python-django-registration would not need a compromise of the database first, but can be performed

Bug#686104: python-django-registration: Not compatible with Django 1.4.

2012-08-30 Thread Paul van der Vlis
On 29-08-12 21:50, Raphael Hertzog wrote: Version: 0.8-1 On Tue, 28 Aug 2012, Paul van der Vlis wrote: Uses only sha1 for passwords, Django 1.4 uses PBKDF2 by default for passwords. The sha module is deprecated. Can you explain a bit more clearly how it breaks and the consequences of

Bug#686104: python-django-registration: Not compatible with Django 1.4.

2012-08-28 Thread Paul van der Vlis
Package: python-django-registration Version: 0.7-2 Severity: grave Justification: renders package unusable Uses only sha1 for passwords, Django 1.4 uses PBKDF2 by default for passwords. The sha module is deprecated. It would be good to upgrade to python-django-registration 0.8, which is in Sid, but