CVE-2013-1443 denial-of-service via large passwords

Bug #1225784 reported by Chris Johnston
Affects                 Status        Importance  Assigned to  Milestone
python-django (Ubuntu)  Fix Released  Undecided   Unassigned
  Precise               Fix Released  Undecided   Unassigned
  Quantal               Fix Released  Undecided   Unassigned
  Raring                Fix Released  Undecided   Unassigned

Bug Description

https://www.djangoproject.com/weblog/2013/sep/15/security/

"Django does not impose any maximum on the length of the plaintext password, meaning that an attacker can simply submit arbitrarily large -- and guaranteed-to-fail -- passwords, forcing a server running Django to perform the resulting expensive hash computation in an attempt to check the password. A password one megabyte in size, for example, will require roughly one minute of computation to check when using the PBKDF2 hasher.

This allows for denial-of-service attacks through repeated submission of large passwords, tying up server resources in the expensive computation of the corresponding hashes."
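The two halves of the advisory, as an added example that is not Django's own code and not part of this bug report: a rough cost model showing why the KDF's work grows with plaintext length, next to a password checker in the pre-fix shape (everything reaches the KDF) and in the hardened shape the fix describes (a maximum length enforced before hashing). The 4096-byte cap, the helper names, the `algo$iterations$salt$hash` layout and the "rebuild the HMAC every iteration" model are assumptions made here for illustration, not a statement of what any particular Django release does.

```python
"""Added example for CVE-2013-1443 (not Django's code).

Shows (1) why an unbounded plaintext makes PBKDF2 cost scale with input
size and (2) the length gate the fix places before the expensive hash.
MAX_PASSWORD_BYTES, the helper names and the encoded-string layout are
assumptions for this example, not Django's API.
"""
import base64
import hashlib
import hmac
import secrets

# Assumed cap on the plaintext, measured in UTF-8 bytes, checked before hashing.
MAX_PASSWORD_BYTES = 4096
ITERATIONS = 10000
HASH_BLOCK_BYTES = 64  # block size of SHA-1/SHA-256, the unit HMAC works in


class PasswordTooLong(ValueError):
    """Raised when a plaintext is rejected at the boundary instead of hashed."""


def pbkdf2_bytes_hashed(password_len, iterations=ITERATIONS, rekey_each_iteration=True):
    """Rough model of bytes pushed through the hash by one PBKDF2 computation.

    HMAC pre-hashes any key longer than the block size. A naive PBKDF2 that
    rebuilds the HMAC on every iteration (assumed here as the "vulnerable"
    shape) pays that pre-hash `iterations` times, so cost is linear in the
    password length. If the key is pre-hashed once, only the constant
    per-iteration work remains. Salt and output-block bookkeeping ignored.
    """
    key_cost = password_len if password_len > HASH_BLOCK_BYTES else 0
    per_iter_fixed = 2 * HASH_BLOCK_BYTES  # inner + outer HMAC block, roughly
    if rekey_each_iteration:
        return iterations * (key_cost + per_iter_fixed)
    return key_cost + iterations * per_iter_fixed


def _encode(pw, salt, iterations):
    dk = hashlib.pbkdf2_hmac("sha256", pw, salt.encode("ascii"), iterations)
    return base64.b64encode(dk).decode("ascii")


def make_password(password, iterations=ITERATIONS, salt=None):
    """Hash a plaintext into an assumed 'pbkdf2_sha256$iter$salt$hash' string.

    The gate sits here as well: a password that could never be stored can
    never be valid later, which is what makes failing fast in check_password
    lossless.
    """
    pw = password.encode("utf-8")
    if len(pw) > MAX_PASSWORD_BYTES:
        raise PasswordTooLong("password exceeds %d bytes" % MAX_PASSWORD_BYTES)
    salt = salt or secrets.token_hex(6)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt, _encode(pw, salt, iterations))


def check_password_unbounded(password, encoded):
    """Pre-fix shape: whatever the client sent is fed straight into the KDF."""
    algo, iters, salt, digest = encoded.split("$", 3)
    return hmac.compare_digest(_encode(password.encode("utf-8"), salt, int(iters)), digest)


def check_password(password, encoded):
    """Hardened shape: reject oversized plaintexts before any hashing happens.

    The check is on bytes, not characters: a form-level character limit on a
    multi-byte alphabet can still admit more bytes than intended.
    """
    pw = password.encode("utf-8")
    if len(pw) > MAX_PASSWORD_BYTES:
        return False  # guaranteed-to-fail input never reaches the KDF
    algo, iters, salt, digest = encoded.split("$", 3)
    if algo != "pbkdf2_sha256":
        return False
    return hmac.compare_digest(_encode(pw, salt, int(iters)), digest)


if __name__ == "__main__":
    stored = make_password("correct horse battery staple")
    print(check_password("correct horse battery staple", stored))
    print(check_password("x" * (MAX_PASSWORD_BYTES + 1), stored))
    one_mb = 1024 * 1024
    print("relative cost, 1 MiB vs 12-byte password:",
          pbkdf2_bytes_hashed(one_mb) // pbkdf2_bytes_hashed(12))
```

Under the re-keying model a one-megabyte password costs on the order of 10 GB of hashing at 10,000 iterations, which is the right order of magnitude for the "roughly one minute" figure in the advisory; with the key pre-hashed once it costs about the same as a short password. Either way the gate belongs at the boundary (form field and hasher), because a correct password can never be longer than the limit under which it was set.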

Revision history for this message
Jeremy Bícha (jbicha) wrote :

For Raring, you should be able to just sync from Debian stable-security:

http://ftp-master.metadata.debian.org/changelogs/main/p/python-django/python-django_1.4.5-1+deb7u4_changelog

tags: added: precise quantal raring sync
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in python-django (Ubuntu Precise):
status: New → Confirmed
Changed in python-django (Ubuntu Quantal):
status: New → Confirmed
Changed in python-django (Ubuntu Raring):
status: New → Confirmed
Changed in python-django (Ubuntu):
status: New → Confirmed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-django - 1.1.1-2ubuntu1.9

---------------
python-django (1.1.1-2ubuntu1.9) lucid-security; urgency=low

  * SECURITY UPDATE: denial of service via long passwords (LP: #1225784)
    - debian/patches/CVE-2013-1443.patch: enforce a maximum password length
      in django/contrib/auth/forms.py, django/contrib/auth/models.py,
      django/contrib/auth/tests/basic.py.
    - CVE-2013-1443
  * SECURITY UPDATE: directory traversal with ssi template tag
    - debian/patches/CVE-2013-4315.patch: properly check absolute path in
      django/template/defaulttags.py,
      tests/regressiontests/templates/tests.py,
      tests/regressiontests/templates/templates/*.
    - CVE-2013-4315
  * SECURITY UPDATE: possible XSS via is_safe_url
    - debian/patches/security-is_safe_url.patch: properly reject URLs which
      specify a scheme other than HTTP or HTTPS.
    - https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued/
    - No CVE number
 -- Marc Deslauriers <email address hidden> Fri, 20 Sep 2013 09:33:23 -0400

Changed in python-django (Ubuntu):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-django - 1.4.5-1ubuntu0.1

---------------
python-django (1.4.5-1ubuntu0.1) raring-security; urgency=low

  * SECURITY UPDATE: denial of service via long passwords (LP: #1225784)
    - debian/patches/CVE-2013-1443.patch: enforce a maximum password length
      in django/contrib/auth/forms.py, django/contrib/auth/hashers.py,
      django/contrib/auth/tests/hashers.py.
    - CVE-2013-1443
  * SECURITY UPDATE: directory traversal with ssi template tag
    - debian/patches/CVE-2013-4315.patch: properly check absolute path in
      django/template/defaulttags.py,
      tests/regressiontests/templates/tests.py.
    - CVE-2013-4315
  * SECURITY UPDATE: possible XSS via is_safe_url
    - debian/patches/security-is_safe_url.patch: properly reject URLs which
      specify a scheme other than HTTP or HTTPS.
    - https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued/
    - No CVE number
  * debian/patches/fix-validation-tests.patch: fix regression in tests
    since example.com is now available via https.
 -- Marc Deslauriers <email address hidden> Fri, 20 Sep 2013 08:48:09 -0400

Changed in python-django (Ubuntu Raring):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-django - 1.4.1-2ubuntu0.4

---------------
python-django (1.4.1-2ubuntu0.4) quantal-security; urgency=low

  * SECURITY UPDATE: denial of service via long passwords (LP: #1225784)
    - debian/patches/CVE-2013-1443.patch: enforce a maximum password length
      in django/contrib/auth/forms.py, django/contrib/auth/hashers.py,
      django/contrib/auth/tests/hashers.py.
    - CVE-2013-1443
  * SECURITY UPDATE: directory traversal with ssi template tag
    - debian/patches/CVE-2013-4315.patch: properly check absolute path in
      django/template/defaulttags.py,
      tests/regressiontests/templates/tests.py.
    - CVE-2013-4315
  * SECURITY UPDATE: possible XSS via is_safe_url
    - debian/patches/security-is_safe_url.patch: properly reject URLs which
      specify a scheme other than HTTP or HTTPS.
    - https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued/
    - No CVE number
  * debian/patches/fix-validation-tests.patch: fix regression in tests
    since example.com is now available via https.
 -- Marc Deslauriers <email address hidden> Fri, 20 Sep 2013 09:05:04 -0400

Changed in python-django (Ubuntu Quantal):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-django - 1.3.1-4ubuntu1.8

---------------
python-django (1.3.1-4ubuntu1.8) precise-security; urgency=low

  * SECURITY UPDATE: denial of service via long passwords (LP: #1225784)
    - debian/patches/CVE-2013-1443.patch: enforce a maximum password length
      in django/contrib/auth/forms.py, django/contrib/auth/models.py,
      django/contrib/auth/tests/basic.py.
    - CVE-2013-1443
  * SECURITY UPDATE: directory traversal with ssi template tag
    - debian/patches/CVE-2013-4315.patch: properly check absolute path in
      django/template/defaulttags.py,
      tests/regressiontests/templates/tests.py.
    - CVE-2013-4315
  * SECURITY UPDATE: possible XSS via is_safe_url
    - debian/patches/security-is_safe_url.patch: properly reject URLs which
      specify a scheme other than HTTP or HTTPS.
    - https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued/
    - No CVE number
 -- Marc Deslauriers <email address hidden> Fri, 20 Sep 2013 09:20:38 -0400

Changed in python-django (Ubuntu Precise):
status: Confirmed → Fix Released
This report contains Public Security information  
Everyone can see this security related information.