*** This bug is a security vulnerability *** Public security bug reported:
https://www.djangoproject.com/weblog/2013/sep/15/security/

"Django does not impose any maximum on the length of the plaintext password, meaning that an attacker can simply submit arbitrarily large -- and guaranteed-to-fail -- passwords, forcing a server running Django to perform the resulting expensive hash computation in an attempt to check the password. A password one megabyte in size, for example, will require roughly one minute of computation to check when using the PBKDF2 hasher. This allows for denial-of-service attacks through repeated submission of large passwords, tying up server resources in the expensive computation of the corresponding hashes."

** Affects: python-django (Ubuntu)
     Importance: Undecided
         Status: New

--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1225784

Title:
  CVE-2013-1443 denial-of-service via large passwords

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python-django/+bug/1225784/+subscriptions

--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
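Added example, not part of the bug report and not Django's own code: a small PBKDF2 password check written in the cost shape the quoted advisory describes (the HMAC is re-keyed with the full password on every iteration, so a long password is hashed once per iteration), beside the same check with a length cap applied before any hashing happens. The cap value MAX_PASSWORD_LENGTH, the iteration counts, the sample record and the oversized "attack" password are all constructed for illustration and are assumptions, not values taken from the report.

```python
import hashlib
import hmac
import os
import struct
import time

# Assumed cap, chosen for illustration. Any server-side bound that is far
# above real passwords but far below a megabyte-sized attack input will do.
MAX_PASSWORD_LENGTH = 4096


def naive_pbkdf2(password: bytes, salt: bytes, iterations: int,
                 digest=hashlib.sha256) -> bytes:
    """One-block PBKDF2-HMAC written the slow way.

    hmac.new() is re-keyed with the full password on every iteration, and a
    key longer than the hash block size is itself hashed on each call, so
    the cost grows with len(password) * iterations. This is the cost pattern
    the advisory describes; it is a constructed demonstration, not Django's
    hasher.
    """
    u = hmac.new(password, salt + struct.pack(">I", 1), digest).digest()
    acc = int.from_bytes(u, "big")
    for _ in range(iterations - 1):
        u = hmac.new(password, u, digest).digest()
        acc ^= int.from_bytes(u, "big")
    return acc.to_bytes(len(u), "big")


def matches_library(password: bytes, salt: bytes, iterations: int) -> bool:
    """Sanity check: the slow implementation must agree with hashlib's."""
    expected = hashlib.pbkdf2_hmac("sha256", password, salt, iterations, 32)
    return naive_pbkdf2(password, salt, iterations) == expected


def make_record(password: bytes, iterations: int) -> tuple:
    """Build the stored (salt, iterations, derived_key) record for a user."""
    salt = os.urandom(16)
    return salt, iterations, naive_pbkdf2(password, salt, iterations)


def check_password_unbounded(password: bytes, record: tuple) -> bool:
    """Vulnerable shape: hash whatever length the client sent."""
    salt, iterations, stored = record
    return hmac.compare_digest(naive_pbkdf2(password, salt, iterations), stored)


def check_password_bounded(password: bytes, record: tuple) -> bool:
    """Hardened shape: refuse oversized input before doing any hashing work.

    The reject-early branch costs a length comparison, so an attacker who
    submits huge passwords no longer buys server CPU time with them.
    """
    if len(password) > MAX_PASSWORD_LENGTH:
        return False
    return check_password_unbounded(password, record)


def time_check(check, password: bytes, record: tuple) -> float:
    """Seconds spent in one call of the given password check."""
    start = time.perf_counter()
    check(password, record)
    return time.perf_counter() - start


if __name__ == "__main__":
    record = make_record(b"correct horse battery staple", iterations=2000)
    # Constructed oversized, guaranteed-to-fail password, as in the advisory.
    attack = b"A" * (256 * 1024)
    for name, fn in (("unbounded", check_password_unbounded),
                     ("bounded", check_password_bounded)):
        print(f"{name:9s} short wrong password: {time_check(fn, b'wrong', record):.4f}s  "
              f"256 KiB password: {time_check(fn, attack, record):.4f}s")
```

Run stand-alone it prints the time of a normal failed login next to the time of a 256 KiB one for each check; the unbounded version scales with the input size, the bounded version returns in microseconds. The cap belongs at the edge that receives the password (the login form or authentication entry point), before the hasher is ever called, because a cap inside the hasher still lets the request body be parsed and the plaintext be copied around first.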
