Developers behind the Web framework Django have pushed out a new build that fixes a handful of security issues, including a denial of service vulnerability in the framework’s password hasher.
Django 1.4.8, Django 1.5.4, and Django 1.6 beta 4 were released over the weekend, and users are urged to upgrade immediately, according to a blog post by Django developer James Bennett on Sunday.
The main problem with Django (versions 1.6, 1.5 and 1.4 are affected) lies in how it authenticates users and passwords. Django doesn’t store the raw password in its database; it stores a hashed version, and a hash of the submitted password is computed at each log-in attempt.
It was discovered recently, however, that attackers can repeatedly submit large passwords and overwhelm Django’s servers in “the expensive computation of the corresponding hashes.” According to Bennett, before this fix, Django didn’t impose a maximum on plaintext password length. Attackers could submit ridiculously long, sure-to-fail passwords and, in turn, the framework would run a lengthy check to verify them.
Bennett notes that, using its standard password hasher, PBKDF (part of RSA’s PKCS series), it would take Django about a minute to check a password one megabyte in size. The bigger the password, the longer system resources are tied up. With the new patch, Django fixes this flaw (CVE-2013-1443) and now fails authentication on any submitted password over 4096 bytes.
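The length cap described above, sketched as an added illustration (this is not Django's own code): over-long input is rejected before the key-derivation function is ever called, and the limit is measured in encoded bytes rather than characters. The names `MAX_PASSWORD_BYTES`, `STATS`, `derive`, `make_record` and `verify_password`, the iteration count, and the use of PBKDF2-HMAC-SHA256 from Python's `hashlib` are assumptions made for this example.

```python
import hashlib
import hmac
import os

MAX_PASSWORD_BYTES = 4096    # cap the article cites for the patched releases
ITERATIONS = 10_000          # assumed work factor, chosen for this demo only
STATS = {"kdf_calls": 0}     # counts how often the expensive step really ran


def derive(raw: bytes, salt: bytes) -> bytes:
    """Expensive step: PBKDF2-HMAC-SHA256 over the submitted bytes."""
    STATS["kdf_calls"] += 1
    return hashlib.pbkdf2_hmac("sha256", raw, salt, ITERATIONS)


def make_record(password: str):
    """Build the (salt, hash) pair that is stored instead of the raw password."""
    raw = password.encode("utf-8")
    if len(raw) > MAX_PASSWORD_BYTES:
        raise ValueError("password exceeds the maximum length")
    salt = os.urandom(16)
    return salt, derive(raw, salt)


def verify_password(submitted: str, record) -> bool:
    """Fail over-long input up front; otherwise hash and compare."""
    raw = submitted.encode("utf-8")
    # Check the encoded size: multi-byte characters count for more than one.
    if len(raw) > MAX_PASSWORD_BYTES:
        return False  # no hashing work is spent on this request
    salt, stored = record
    # compare_digest avoids leaking the match position through timing.
    return hmac.compare_digest(derive(raw, salt), stored)


if __name__ == "__main__":
    record = make_record("correct horse battery staple")  # constructed sample
    for label, attempt in [
        ("right password", "correct horse battery staple"),
        ("wrong password", "hunter2"),
        ("1 MB password", "A" * (1024 * 1024)),
        ("2049 two-byte chars", "\u00e9" * 2049),
    ]:
        before = STATS["kdf_calls"]
        ok = verify_password(attempt, record)
        print(f"{label}: accepted={ok}, hashed={STATS['kdf_calls'] > before}")
```
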
Bennett notes that for this fix, the developers had to issue an out-of-band patch of sorts. Usually security issues are reported via email, but in this case a third party publicly disclosed the flaw via Django’s developers mailing list. Since the flaw could have potentially impacted what they refer to as live deployments of the framework, the team was forced to issue a release outside of its usual schedule.
Django is an open source web framework, written in Python, that lets developers rapidly produce and maintain Web applications. The functionality is used, to varying extents, on social media sites like Pinterest and Instagram, and in work done by the software company Mozilla, among others.
As usual, the Django fixes can be downloaded from Django’s download page and from Python’s package index page.