CVE-2013-1443 denial-of-service via large passwords
Bug #1225784 reported by
Chris Johnston
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
python-django (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | ||
Precise |
Fix Released
|
Undecided
|
Unassigned | ||
Quantal |
Fix Released
|
Undecided
|
Unassigned | ||
Raring |
Fix Released
|
Undecided
|
Unassigned |
Bug Description
https:/
"Django does not impose any maximum on the length of the plaintext password, meaning that an attacker can simply submit arbitrarily large -- and guaranteed-to-fail -- passwords, forcing a server running Django to perform the resulting expensive hash computation in an attempt to check the password. A password one megabyte in size, for example, will require roughly one minute of computation to check when using the PBKDF2 hasher.
This allows for denial-of-service attacks through repeated submission of large passwords, tying up server resources in the expensive computation of the corresponding hashes."
To post a comment you must log in.
For Raring, you should be able to just sync from Debian stable-security:
http:// ftp-master. metadata. debian. org/changelogs/ main/p/ python- django/ python- django_ 1.4.5-1+ deb7u4_ changelog