Thanks, Massimo

On Sunday, September 15, 2013 11:13:21 AM UTC-6, Massimo Di Pierro wrote:
>
> This is very similar to 2.6.1 but fixes a problem with a missing admin
> file (also fixed in 2.6.2) and a potential DoS security issue.
>
> The issue was first discovered in Django
> https://www.djangoproject.com/weblog/2013/sep/15/security/
> We thank them for discovering and reporting it.
>
> In web2py 2.5.x and earlier we suffer from the same problem. This is
> because while the default password validator checks for length, the check
> is performed after hashing, before inserting the hashed password in the
> database. In 2.6.1/2 we have a different implementation of the hashing
> algorithm and we do not know how severe the problem is.
>
> In any case 2.6.3 fixes the problem by truncating the password to 1024
> chars when passed to the CRYPT validator.
>
> You should upgrade.
>
> Massimo
>
--
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
---
You received this message because you are subscribed to the Google Groups "web2py-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
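The quoted announcement describes the ordering problem (hash first, check length afterwards) and the fix (cap the input at 1024 chars before it reaches CRYPT). The following is an added example, not web2py's code and not the CRYPT validator's real algorithm: it uses a deliberately naive PBKDF2-style loop that re-keys HMAC with the full password on every iteration, so that the cost of a long password is visible, and compares the two orderings. The iteration count, the length-rule limit and the salt are assumptions chosen for illustration.

```python
"""Added example (not web2py's code): why a very long password is a DoS
vector when hashing runs before any length check, and how capping the
input before the hash bounds the work the server does.

The KDF below is a toy PBKDF2-style loop, an assumption for illustration,
not the CRYPT validator's actual hashing algorithm.
"""
from __future__ import annotations

import hashlib
import hmac

TRUNCATE_AT = 1024   # the cap the 2.6.3 announcement applies before CRYPT
ITERATIONS = 200     # assumed iteration count; production KDFs use far more
MAX_LENGTH = 64      # assumed limit enforced by the default length validator


def naive_kdf(password: bytes, salt: bytes, iterations: int = ITERATIONS) -> tuple[bytes, int]:
    """Toy PBKDF2-HMAC-SHA512 producing a single output block.

    HMAC must hash any key longer than SHA-512's 128-byte block before it
    can use it, and this loop re-keys HMAC with the full password on every
    iteration, so the cost grows with iterations * len(password).
    Returns (digest, work), where work is the total number of password
    bytes handed to HMAC, a simple proxy for CPU time.
    """
    work = 0
    u = hmac.new(password, salt + b"\x00\x00\x00\x01", hashlib.sha512).digest()
    work += len(password)
    out = bytearray(u)
    for _ in range(iterations - 1):
        u = hmac.new(password, u, hashlib.sha512).digest()
        work += len(password)
        out = bytearray(x ^ y for x, y in zip(out, u))
    return bytes(out), work


def register_before_fix(password: str, salt: bytes) -> tuple[bytes | None, int]:
    """Ordering the announcement describes for 2.5.x and earlier: hash
    first, apply the length rule afterwards.  Returns (stored digest or
    None when rejected, work spent).  Either way the hashing was paid for."""
    digest, work = naive_kdf(password.encode("utf-8"), salt)
    if len(password) > MAX_LENGTH:
        return None, work   # rejected, but only after the expensive part
    return digest, work


def register_after_fix(password: str, salt: bytes) -> tuple[bytes | None, int]:
    """2.6.3 ordering: truncate to TRUNCATE_AT chars before the password
    reaches the hash.  The length rule still runs afterwards, but the work
    is now bounded by TRUNCATE_AT * iterations whatever the client sends
    (times up to four bytes per char for non-ASCII input)."""
    password = password[:TRUNCATE_AT]
    digest, work = naive_kdf(password.encode("utf-8"), salt)
    if len(password) > MAX_LENGTH:
        return None, work
    return digest, work


if __name__ == "__main__":
    # Constructed inputs: a normal password and an attacker-sized one.
    salt = b"constructed-salt"
    for pw in ("correct horse", "A" * 200_000):
        _, w_old = register_before_fix(pw, salt)
        _, w_new = register_after_fix(pw, salt)
        print(f"len={len(pw):>7}  work before fix={w_old:>12,}  after fix={w_new:>12,}")
```

The work counter makes the scaling explicit: before the fix the server hashes every byte the client sent on every iteration, after it the bound is fixed by the 1024-char cap. The severity depends on how the KDF is keyed, which is why the announcement is unsure about 2.6.1/2: an implementation that keys HMAC once and copies the state for each iteration pays the long-key cost once rather than per iteration, while one that re-keys as above pays it every time.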

