Hey all — It has come to our attention that there is a security issue in Pinax. We've tracked down how to reproduce it and who it affects. The original report that was publicly announced before it was brought to our attention stated that 0.7.X users are affected (this blog post has since been taken down). However, this is not true. Users of 0.5.X are the only ones affected directly. We've pushed a fix to 0.5.X [1] though we will not be issuing a new release (please consider upgrading to 0.7 to benefit from future releases). 0.5.X is end-of-life and we've modified our security release policy for 0.7/0.9.
Now, to explain the vulnerability. Pinax was setting the password of new users who signed in via OpenID to the literal string value "!". This results in the ability to log in to accounts that were created with OpenID using the password "!". We recommend you run SQL such as:

    UPDATE auth_user SET password = '!' WHERE password = 'sha1$de611$602cbea929cc855d56d9dc3a23c5bbea09c3db66';

Users who did set their password to ! will be locked out of their account. Perhaps that is a lesson they've learned ;-)

[1]: http://github.com/pinax/pinax/commit/35c5f739e9f1ac5aed66e7c8b435e1aaa5b8ea6b
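The following is an added illustration, not Pinax's or Django's own code, of why a hashed "!" is a login and a literal "!" is not, and of the remediation the UPDATE above performs. It assumes the Django 1.0-era password format `sha1$<salt>$<hexdigest>` with the digest computed as sha1(salt + raw), and Django's convention that a stored value of exactly "!" is an unusable password that never verifies; the usernames, salt "de611" and the "hunter2" row are constructed sample data. The remediation helper goes slightly beyond the page's single-hash UPDATE: it verifies every stored hash against "!" regardless of salt.

```python
import hashlib
import hmac
import secrets

# Assumption: matches Django's marker for "no usable password" (UNUSABLE_PASSWORD).
UNUSABLE_PASSWORD = "!"


def make_password(raw, salt=None):
    """Hash a raw password in the Django 1.0-era 'sha1$salt$hexdigest' format (assumed scheme)."""
    if salt is None:
        salt = secrets.token_hex(3)[:5]  # constructed: a short random salt, as old Django did
    digest = hashlib.sha1((salt + raw).encode("utf-8")).hexdigest()
    return "sha1$%s$%s" % (salt, digest)


def check_password(raw, encoded):
    """Return True only if raw hashes to the stored value; the literal '!' never matches."""
    if encoded == UNUSABLE_PASSWORD or "$" not in encoded:
        return False
    algo, salt, digest = encoded.split("$", 2)
    if algo != "sha1":
        return False
    candidate = hashlib.sha1((salt + raw).encode("utf-8")).hexdigest()
    return hmac.compare_digest(candidate, digest)


def vulnerable_openid_signup(username, salt=None):
    """What the affected 0.5.X code effectively did: it hashed the string '!' as a real
    password, so anyone who typed '!' at the login form could verify against it."""
    return {"username": username, "password": make_password("!", salt)}


def fixed_openid_signup(username):
    """The intended behaviour: store the unusable marker so no password verifies."""
    return {"username": username, "password": UNUSABLE_PASSWORD}


def remediate(rows):
    """In-memory equivalent of the UPDATE statement, generalised over the salt: every
    row whose stored hash verifies against '!' is replaced by the unusable marker.
    Returns the number of rows changed. Like the SQL, this cannot distinguish an
    OpenID account from a user who genuinely chose '!' as a password; both are locked out."""
    changed = 0
    for row in rows:
        if check_password("!", row["password"]):
            row["password"] = UNUSABLE_PASSWORD
            changed += 1
    return changed


if __name__ == "__main__":
    # Constructed sample table: one OpenID account created by the buggy code, one normal account.
    users = [
        vulnerable_openid_signup("alice", "de611"),
        {"username": "bob", "password": make_password("hunter2", "abcde")},
    ]
    print("before fix, '!' logs in as alice:", check_password("!", users[0]["password"]))
    print("rows remediated:", remediate(users))
    print("after fix, '!' logs in as alice:", check_password("!", users[0]["password"]))
    print("bob still logs in:", check_password("hunter2", users[1]["password"]))
```

Running it shows the two states side by side: the buggy signup produces a row that "!" verifies against, and after remediation that row holds the literal "!" and rejects every password, while unrelated accounts are untouched.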
