Re: [django-announce] [ANNOUNCE] Security releases issued -- vulnerability in the wild

2013-09-15 Thread Nick Apostolakis

On 16/09/2013 02:45 AM, Russell Keith-Magee wrote:

Django 1.3 and earlier are also affected, but the exposure is smaller. It
was the speed of the PBKDF2 hashing function that revealed this problem,
and that hasher was introduced in Django 1.4. In Django 1.3 or earlier,
SHA1 was the default hashing function. As described in the release notes,
SHA1 is a much faster hashing function, which means it's harder to
manufacture an attack using this problem -- but it's still possible.

However, it's important to note that this isn't the only security
vulnerability in Django that is unpatched in 1.3. Django 1.3 is *not
supported*, and so all the recent security issues (XSS problems in URL and
login redirect URLs, and directory traversal in the ssi tag) are also
unpatched.

Django 1.4 will be a long term support release for Django -- we're
guaranteeing support 3 years from initial release -- so you'd be well
advised to upgrade.

Yours,
Russ Magee %-)



Of course, you are right. I intend to upgrade; unfortunately, some of the
plugins I use do not support newer versions of Django, so I will have to
find a solution for that too.


Thanks a lot for your answer

--
 --
 Nick Apostolakis
 Msc in IT, University of Glasgow
 e-mail: nicka...@oncrete.gr
 Web Site: http://nick.oncrete.gr
 --

--
You received this message because you are subscribed to the Google Groups "Django 
users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-users+unsubscr...@googlegroups.com.
To post to this group, send email to django-users@googlegroups.com.
Visit this group at http://groups.google.com/group/django-users.
For more options, visit https://groups.google.com/groups/opt_out.


Re: [django-announce] [ANNOUNCE] Security releases issued -- vulnerability in the wild

2013-09-15 Thread Russell Keith-Magee
Django 1.3 and earlier are also affected, but the exposure is smaller. It
was the speed of the PBKDF2 hashing function that revealed this problem,
and that hasher was introduced in Django 1.4. In Django 1.3 or earlier,
SHA1 was the default hashing function. As described in the release notes,
SHA1 is a much faster hashing function, which means it's harder to
manufacture an attack using this problem -- but it's still possible.

However, it's important to note that this isn't the only security
vulnerability in Django that is unpatched in 1.3. Django 1.3 is *not
supported*, and so all the recent security issues (XSS problems in URL and
login redirect URLs, and directory traversal in the ssi tag) are also
unpatched.

Django 1.4 will be a long term support release for Django -- we're
guaranteeing support 3 years from initial release -- so you'd be well
advised to upgrade.

Yours,
Russ Magee %-)

On Mon, Sep 16, 2013 at 1:15 AM, Nick Apostolakis wrote:

> On 15/09/2013 03:50 PM, Russell Keith-Magee wrote:
>
>> Hi Dig
>>
>> I'm not sure I understand your question. Both releases are security
>> releases; both are available on pip. If your code is based on the 1.5
>> release of Django, you should now be running 1.5.4.
>>
>> Yours,
>> Russ Magee %-)
>>
>>
>>
> Hello, is 1.3.x affected by this vulnerability?
>
> Thank you
>
> --
>  --
>  Nick Apostolakis
>  Msc in IT, University of Glasgow
>  e-mail: nicka...@oncrete.gr
>  Web Site: http://nick.oncrete.gr
>  --
>

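Worked example, added by the editor; this is not code from the thread and not Django's own code. The advisory linked further down the thread describes a denial of service through very long passwords, and Russ's remark above about the "speed" of PBKDF2 is the core of it: PBKDF2 is built on HMAC, HMAC pre-hashes any key longer than the digest block size, and an implementation that re-keys HMAC on every iteration therefore hashes the entire password once per iteration, so the work grows as password length times iteration count. A single-pass SHA1 hasher reads the password once, which is why the exposure in 1.3 is described as smaller. The block below implements that re-keying variant instrumented to count bytes hashed (so the cost is visible without timing), the fix of keying HMAC once and copying its state per iteration, and a length cap applied before any hashing. The 4096-byte cap matches the limit the fixed releases enforced; the salt, the passwords and the helper names (`hashing_work`, `matches_stdlib`, `make_password_bounded`) are constructed for this example.

```python
"""PBKDF2 cost versus password length, and two ways to bound it.

Editor's example, not code from the django-users thread or from Django.
The 4096-byte cap is the limit the September 2013 releases enforced; all
other inputs here are constructed for the demonstration.
"""
import hashlib
import hmac
import struct

MAX_PASSWORD_BYTES = 4096  # example constant, matching the fixed releases' limit


def pbkdf2_rekey_each_iteration(password, salt, iterations, digest=hashlib.sha256):
    """Single-block PBKDF2 that rebuilds HMAC from the raw password on every
    iteration. Returns (derived_key, bytes_fed_to_digest) so the cost can be
    compared deterministically instead of by timing."""
    block_size = digest().block_size
    out_size = digest().digest_size
    fed = 0

    def hmac_once(key, msg):
        nonlocal fed
        if len(key) > block_size:      # HMAC pre-hashes over-long keys ...
            fed += len(key)            # ... and here that happens every iteration
            key = digest(key).digest()
        key = key.ljust(block_size, b"\x00")
        inner = digest(bytes(b ^ 0x36 for b in key))
        inner.update(msg)
        outer = digest(bytes(b ^ 0x5C for b in key))
        outer.update(inner.digest())
        fed += 2 * block_size + len(msg) + out_size
        return outer.digest()

    u = hmac_once(password, salt + struct.pack(">I", 1))
    acc = int.from_bytes(u, "big")
    for _ in range(iterations - 1):
        u = hmac_once(password, u)
        acc ^= int.from_bytes(u, "big")
    return acc.to_bytes(out_size, "big"), fed


def pbkdf2_key_once(password, salt, iterations, digest="sha256"):
    """Same derivation, but the HMAC key schedule is computed once and copied
    per iteration, so the password is read once however long it is."""
    base = hmac.new(password, digestmod=digest)
    h = base.copy()
    h.update(salt + struct.pack(">I", 1))
    u = h.digest()
    acc = int.from_bytes(u, "big")
    for _ in range(iterations - 1):
        h = base.copy()
        h.update(u)
        u = h.digest()
        acc ^= int.from_bytes(u, "big")
    return acc.to_bytes(len(u), "big")


def make_password_bounded(password, salt, iterations):
    """Reject oversized input before any hashing happens: the cheap fix an
    application can apply regardless of how its hasher is implemented."""
    if len(password) > MAX_PASSWORD_BYTES:
        raise ValueError("password longer than %d bytes" % MAX_PASSWORD_BYTES)
    return pbkdf2_key_once(password, salt, iterations)


def hashing_work(password_len, iterations=100, salt=b"salt"):
    """Bytes fed to SHA-256 by the re-keying variant for a constructed
    password of the given length."""
    return pbkdf2_rekey_each_iteration(b"p" * password_len, salt, iterations)[1]


def matches_stdlib(password, salt, iterations):
    """Both variants must agree with hashlib.pbkdf2_hmac, i.e. they are real
    PBKDF2 and differ only in cost."""
    ref = hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    return (pbkdf2_rekey_each_iteration(password, salt, iterations)[0] == ref
            and pbkdf2_key_once(password, salt, iterations) == ref)


if __name__ == "__main__":
    for n in (16, 4096, 65536):
        print("%6d-byte password, 100 iterations: %9d bytes hashed"
              % (n, hashing_work(n)))
```

The difference in `hashing_work` between a short and a long password is exactly iterations times the extra password bytes, which is the linear blow-up the advisory closed; the keyed-once variant pays that cost a single time per derivation, and the length cap keeps even that bounded.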


Re: [django-announce] [ANNOUNCE] Security releases issued -- vulnerability in the wild

2013-09-15 Thread Nick Apostolakis

On 15/09/2013 03:50 PM, Russell Keith-Magee wrote:

Hi Dig

I'm not sure I understand your question. Both releases are security
releases; both are available on pip. If your code is based on the 1.5
release of Django, you should now be running 1.5.4.

Yours,
Russ Magee %-)




Hello, is 1.3.x affected by this vulnerability?

Thank you

--
 --
 Nick Apostolakis
 Msc in IT, University of Glasgow
 e-mail: nicka...@oncrete.gr
 Web Site: http://nick.oncrete.gr
 --



Re: [django-announce] [ANNOUNCE] Security releases issued -- vulnerability in the wild

2013-09-15 Thread Dig
Hi Russell,

  Got it, and thanks. We will update to 1.5.4 this week.

Regards,
Dig
On Sep 15, 2013 8:51 PM, "Russell Keith-Magee" 
wrote:

> Hi Dig
>
> I'm not sure I understand your question. Both releases are security
> releases; both are available on pip. If your code is based on the 1.5
> release of Django, you should now be running 1.5.4.
>
> Yours,
> Russ Magee %-)
>
> On Sunday, September 15, 2013, Dig wrote:
>
>> And how about 1.5.3, which was announced a few days ago?
>> On Sep 15, 2013 5:14 PM, "Rahul Gaur"  wrote:
>>
>>> Hi ,
>>>  I am using django==1.4.8 for my project. Are these new fixes available
>>> with pip yet, or do we need to install the latest build manually?
>>>
>>> Regards,
>>> Rahul
>>>
>>>
>>> On Sun, Sep 15, 2013 at 12:18 PM, James Bennett 
>>> wrote:
>>>
 Earlier today a message posted to the django-developers mailing list
 publicly disclosed what was later determined to be an exploitable security
 issue in Django.

 As such, we have short-circuited our normal one-week process and moved
 to immediately issuing new releases to remedy the problem.

 Full details are available from the blog:

 https://www.djangoproject.com/weblog/2013/sep/15/security/

 All users of Django are urged to upgrade immediately.


>>>
>>>
>>>
>>> --
>>>
>>> ---
>>> Rahul Gaur
>>> irc : iamaregee2
>>> Web: http://www.rahulgaur.info
>>> Github: https://github.com/aregee
>>>
>>>
>



Re: [django-announce] [ANNOUNCE] Security releases issued -- vulnerability in the wild

2013-09-15 Thread Russell Keith-Magee
Hi Dig

I'm not sure I understand your question. Both releases are security
releases; both are available on pip. If your code is based on the 1.5
release of Django, you should now be running 1.5.4.

Yours,
Russ Magee %-)

On Sunday, September 15, 2013, Dig wrote:

> And how about 1.5.3, which was announced a few days ago?
> On Sep 15, 2013 5:14 PM, "Rahul Gaur" wrote:
>
>> Hi ,
>>  I am using django==1.4.8 for my project. Are these new fixes available
>> with pip yet, or do we need to install the latest build manually?
>>
>> Regards,
>> Rahul
>>
>>
>> On Sun, Sep 15, 2013 at 12:18 PM, James Bennett wrote:
>>
>>> Earlier today a message posted to the django-developers mailing list
>>> publicly disclosed what was later determined to be an exploitable security
>>> issue in Django.
>>>
>>> As such, we have short-circuited our normal one-week process and moved
>>> to immediately issuing new releases to remedy the problem.
>>>
>>> Full details are available from the blog:
>>>
>>> https://www.djangoproject.com/weblog/2013/sep/15/security/
>>>
>>> All users of Django are urged to upgrade immediately.
>>>
>>>
>>
>>
>>
>> --
>>
>> ---
>> Rahul Gaur
>> irc : iamaregee2
>> Web: http://www.rahulgaur.info
>> Github: https://github.com/aregee
>>
>



Re: [ANNOUNCE] Security releases issued -- vulnerability in the wild

2013-09-15 Thread Dig
And how about 1.5.3, which was announced a few days ago?
On Sep 15, 2013 5:14 PM, "Rahul Gaur"  wrote:

> Hi ,
>  I am using django==1.4.8 for my project. Are these new fixes available
> with pip yet, or do we need to install the latest build manually?
>
> Regards,
> Rahul
>
>
> On Sun, Sep 15, 2013 at 12:18 PM, James Bennett wrote:
>
>> Earlier today a message posted to the django-developers mailing list
>> publicly disclosed what was later determined to be an exploitable security
>> issue in Django.
>>
>> As such, we have short-circuited our normal one-week process and moved to
>> immediately issuing new releases to remedy the problem.
>>
>> Full details are available from the blog:
>>
>> https://www.djangoproject.com/weblog/2013/sep/15/security/
>>
>> All users of Django are urged to upgrade immediately.
>>
>>
>
>
>
> --
>
> ---
> Rahul Gaur
> irc : iamaregee2
> Web: http://www.rahulgaur.info
> Github: https://github.com/aregee
>
>



Re: [ANNOUNCE] Security releases issued -- vulnerability in the wild

2013-09-15 Thread Gladson Simplício Brito
https://pypi.python.org/pypi/Django


2013/9/15 Rahul Gaur 

> Hi ,
>  I am using django==1.4.8 for my project. Are these new fixes available
> with pip yet, or do we need to install the latest build manually?
>
> Regards,
> Rahul
>
>
> On Sun, Sep 15, 2013 at 12:18 PM, James Bennett wrote:
>
>> Earlier today a message posted to the django-developers mailing list
>> publicly disclosed what was later determined to be an exploitable security
>> issue in Django.
>>
>> As such, we have short-circuited our normal one-week process and moved to
>> immediately issuing new releases to remedy the problem.
>>
>> Full details are available from the blog:
>>
>> https://www.djangoproject.com/weblog/2013/sep/15/security/
>>
>> All users of Django are urged to upgrade immediately.
>>
>>
>
>
>
> --
>
> ---
> Rahul Gaur
> irc : iamaregee2
> Web: http://www.rahulgaur.info
> Github: https://github.com/aregee
>
>



Re: [ANNOUNCE] Security releases issued -- vulnerability in the wild

2013-09-15 Thread Rahul Gaur
Hi ,
 I am using django==1.4.8 for my project. Are these new fixes available
with pip yet, or do we need to install the latest build manually?

Regards,
Rahul


On Sun, Sep 15, 2013 at 12:18 PM, James Bennett wrote:

> Earlier today a message posted to the django-developers mailing list
> publicly disclosed what was later determined to be an exploitable security
> issue in Django.
>
> As such, we have short-circuited our normal one-week process and moved to
> immediately issuing new releases to remedy the problem.
>
> Full details are available from the blog:
>
> https://www.djangoproject.com/weblog/2013/sep/15/security/
>
> All users of Django are urged to upgrade immediately.
>
>



-- 
---
Rahul Gaur
irc : iamaregee2
Web: http://www.rahulgaur.info
Github: https://github.com/aregee



[ANNOUNCE] Security releases issued -- vulnerability in the wild

2013-09-15 Thread James Bennett
Earlier today a message posted to the django-developers mailing list
publicly disclosed what was later determined to be an exploitable security
issue in Django.

As such, we have short-circuited our normal one-week process and moved to
immediately issuing new releases to remedy the problem.

Full details are available from the blog:

https://www.djangoproject.com/weblog/2013/sep/15/security/

All users of Django are urged to upgrade immediately.
