Django 1.3 and earlier are also affected, but the exposure is smaller. It
was the speed of the PBKDF2 hashing function that revealed this problem,
and that hasher was introduced in Django 1.4. In Django 1.3 or earlier,
SHA1 was the default hashing function. As described in the release notes,
SHA1 is a much faster hashing function, which means it's harder to
manufacture an attack using this problem -- but it's still possible.

However, it's important to note that this isn't the only security
vulnerability in Django that is unpatched in 1.3. Django 1.3 is *not
supported*, and so all the recent security issues (XSS problems in URL and
login redirect URLs, and directory traversal in the ssi tag) are also
unpatched.

Django 1.4 will be a long term support release for Django -- we're
guaranteeing support 3 years from initial release -- so you'd be well
advised to upgrade.

Yours,
Russ Magee %-)

On Mon, Sep 16, 2013 at 1:15 AM, Nick Apostolakis <nicka...@oncrete.gr> wrote:

> On 15/09/2013 03:50 PM, Russell Keith-Magee wrote:
>
>> Hi Dig
>>
>> I'm not sure I understand your question. Both releases are security
>> releases; both are available on pip. If your code is based on the 1.5
>> release of Django, you should now be running 1.5.4.
>>
>> Yours,
>> Russ Magee %-)
>>
>>
>>
> Hello, is 1.3.x affected by this vulnerability?
>
> Thank you
>
> --
>  --------------------------------------------------------------
>  Nick Apostolakis
>  Msc in IT, University of Glasgow
>  e-mail: nicka...@oncrete.gr
>  Web Site: http://nick.oncrete.gr
>  --------------------------------------------------------------

-- 
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-users+unsubscr...@googlegroups.com.
To post to this group, send email to django-users@googlegroups.com.
Visit this group at http://groups.google.com/group/django-users.
For more options, visit https://groups.google.com/groups/opt_out.
