Back to bug 1311438
| Who | When | What | Removed | Added |
|---|---|---|---|---|
| Adam Mariš | 2016-02-24 09:25:17 UTC | CC | security-response-team | |
| Red Hat Bugzilla | 2016-02-24 09:25:17 UTC | Doc Type | --- | Bug Fix |
| Adam Mariš | 2016-02-24 09:33:45 UTC | Blocks | 1311442 | |
| Adam Mariš | 2016-03-04 16:05:48 UTC | Summary | EMBARGOED CVE-2016-2513 python-django: User enumeration through timing difference on password hasher work factor upgrade | CVE-2016-2513 python-django: User enumeration through timing difference on password hasher work factor upgrade |
| Adam Mariš | 2016-03-04 16:05:56 UTC | Group | security, qe_staff | |
| Adam Mariš | 2016-03-04 16:07:02 UTC | Depends On | 1314827 | |
| Adam Mariš | 2016-03-04 16:07:15 UTC | Depends On | 1314828 | |
| Adam Mariš | 2016-03-04 16:07:29 UTC | Depends On | 1314830 | |
| Adam Mariš | 2016-03-04 16:07:37 UTC | Depends On | 1314831 | |
| Adam Mariš | 2016-03-04 16:07:48 UTC | Depends On | 1314832 | |
| Adam Mariš | 2016-03-07 09:18:49 UTC | Whiteboard | impact=moderate,public=20160301,reported=20160223,source=upstream,cvss2=4.3/AV:N/AC:M/Au:N/C:P/I:N/A:N,cwe=CWE-385,openstack-5/python-django=affected,openstack-6/python-django=affected,openstack-7/python-django=affected,openstack-7-optools/python-django=affected,openstack-8/python-django=affected,openstack-8-optools/python-django=affected,openstack-rdo/python-django=affected,ceph-1.2/Django=affected,ceph-1.3/Django=affected,sam-1/Django=affected,fedora-all/python-django=affected,epel-6/Django14=affected,epel-6/python-django15=affected,epel-7/python-django=affected | impact=moderate,public=20160301,reported=20160223,source=upstream,cvss2=4.3/AV:N/AC:M/Au:N/C:P/I:N/A:N,cwe=CWE-385,openstack-5-rhel6/python-django=affected,openstack-5-rhel7/python-django=affected,openstack-6/python-django=affected,openstack-7/python-django=affected,openstack-7-optools/python-django=affected,openstack-8/python-django=affected,openstack-8-optools/python-django=affected,openstack-rdo/python-django=affected,ceph-1.2/Django=affected,ceph-1.3/Django=affected,sam-1/Django=affected,fedora-all/python-django=affected,epel-6/Django14=affected,epel-6/python-django15=affected,epel-7/python-django=affected |
| Adam Mariš | 2016-03-07 09:21:43 UTC | Depends On | 1315210 | |
| Adam Mariš | 2016-03-07 09:21:54 UTC | Depends On | 1315212 | |
| Adam Mariš | 2016-03-07 09:22:08 UTC | Depends On | 1315214 | |
| Adam Mariš | 2016-03-07 09:22:19 UTC | Depends On | 1315215 | |
| Adam Mariš | 2016-03-07 09:22:33 UTC | Depends On | 1315216 | |
| Adam Mariš | 2016-03-07 09:28:46 UTC | Depends On | 1315219 | |
| Adam Mariš | 2016-03-07 09:28:56 UTC | Depends On | 1315220 | |
| Summer Long | 2016-03-08 05:41:53 UTC | CC | slong | |
| Summer Long | 2016-03-11 00:49:14 UTC | Doc Text | A timing flaw was discovered in Django. In each major version of Django since 1.6, the default number of iterations for the PBKDF2PasswordHasher and its subclasses has been increased to improve security. The issue arose because the password of a user who had not logged in since the iterations were increased was encoded using an older number of iterations, which created a timing difference between login requests. This issue only affected users who have not logged in since the iterations increase. The first time a user logged in after an iterations increase, their password is updated with the new iterations and there is no longer a timing difference. Note: If there are different password hashes in the database (such as SHA1 hashes from users who have not logged in since the default hasher switched to PBKDF2 in Django 1.4), the timing difference on a login request for these users may be even greater. This fix does not remedy that difference (or any difference when changing hashers). |
| Summer Long | 2016-03-21 23:08:13 UTC | Doc Text | A timing flaw was discovered in Django. In each major version of Django since 1.6, the default number of iterations for the PBKDF2PasswordHasher and its subclasses has been increased to improve security. The issue arose because the password of a user who had not logged in since the iterations were increased was encoded using an older number of iterations, which created a timing difference between login requests. This issue only affected users who have not logged in since the iterations increase. The first time a user logged in after an iterations increase, their password is updated with the new iterations and there is no longer a timing difference. Note: If there are different password hashes in the database (such as SHA1 hashes from users who have not logged in since the default hasher switched to PBKDF2 in Django 1.4), the timing difference on a login request for these users may be even greater. This fix does not remedy that difference (or any difference when changing hashers). | A timing flaw was discovered in Django. In each major version of Django since 1.6, the default number of iterations for the PBKDF2PasswordHasher and its subclasses has been increased to improve security. The issue arose because the password of a user who had not logged in since the iterations were increased was encoded using an older number of iterations, which created a timing difference between login requests. This issue only affected users who have not logged in since the iterations increase. The first time a user logs in after an iterations increase, their password is updated with the new iterations and there is no longer a timing difference. Note: If there are different password hashes in the database (such as SHA1 hashes from users who have not logged in since the default hasher switched to PBKDF2 in Django 1.4), the timing difference on a login request for these users can be even greater. This fix does not remedy that difference (or any difference when changing hashers). |
| Martin Prpič | 2016-03-22 10:24:17 UTC | Doc Text | A timing flaw was discovered in Django. In each major version of Django since 1.6, the default number of iterations for the PBKDF2PasswordHasher and its subclasses has been increased to improve security. The issue arose because the password of a user who had not logged in since the iterations were increased was encoded using an older number of iterations, which created a timing difference between login requests. This issue only affected users who have not logged in since the iterations increase. The first time a user logs in after an iterations increase, their password is updated with the new iterations and there is no longer a timing difference. Note: If there are different password hashes in the database (such as SHA1 hashes from users who have not logged in since the default hasher switched to PBKDF2 in Django 1.4), the timing difference on a login request for these users can be even greater. This fix does not remedy that difference (or any difference when changing hashers). | A timing attack flaw was found in the way Django's PBKDF2PasswordHasher performed password hashing. Passwords hashed with an older version of PBKDF2PasswordHasher used less hashing iterations, and thus allowed an attacker to enumerate existing users based on the time differences in the login requests. |
| Siddharth Sharma | 2016-03-22 11:33:29 UTC | CC | sisharma | |
| Siddharth Sharma | 2016-03-22 11:33:29 UTC | Whiteboard | impact=moderate,public=20160301,reported=20160223,source=upstream,cvss2=4.3/AV:N/AC:M/Au:N/C:P/I:N/A:N,cwe=CWE-385,openstack-5-rhel6/python-django=affected,openstack-5-rhel7/python-django=affected,openstack-6/python-django=affected,openstack-7/python-django=affected,openstack-7-optools/python-django=affected,openstack-8/python-django=affected,openstack-8-optools/python-django=affected,openstack-rdo/python-django=affected,ceph-1.2/Django=affected,ceph-1.3/Django=affected,sam-1/Django=affected,fedora-all/python-django=affected,epel-6/Django14=affected,epel-6/python-django15=affected,epel-7/python-django=affected | impact=moderate,public=20160301,reported=20160223,source=upstream,cvss2=4.3/AV:N/AC:M/Au:N/C:P/I:N/A:N,cwe=CWE-385,openstack-5-rhel6/python-django=affected,openstack-5-rhel7/python-django=affected,openstack-6/python-django=affected,openstack-7/python-django=affected,openstack-7-optools/python-django=affected,openstack-8/python-django=affected,openstack-8-optools/python-django=affected,openstack-rdo/python-django=affected,ceph-1.2/Django=wontfix,ceph-1.3/Django=wontfix,sam-1/Django=affected,fedora-all/python-django=affected,epel-6/Django14=affected,epel-6/python-django15=affected,epel-7/python-django=affected |
| Summer Long | 2016-04-08 05:48:39 UTC | Status | NEW | CLOSED |
| Summer Long | 2016-04-08 05:48:39 UTC | Resolution | --- | ERRATA |
| Summer Long | 2016-04-08 05:48:39 UTC | Last Closed | | 2016-04-08 01:48:39 UTC |
| Summer Long | 2016-04-08 05:53:46 UTC | Whiteboard | impact=moderate,public=20160301,reported=20160223,source=upstream,cvss2=4.3/AV:N/AC:M/Au:N/C:P/I:N/A:N,cwe=CWE-385,openstack-5-rhel6/python-django=affected,openstack-5-rhel7/python-django=affected,openstack-6/python-django=affected,openstack-7/python-django=affected,openstack-7-optools/python-django=affected,openstack-8/python-django=affected,openstack-8-optools/python-django=affected,openstack-rdo/python-django=affected,ceph-1.2/Django=wontfix,ceph-1.3/Django=wontfix,sam-1/Django=affected,fedora-all/python-django=affected,epel-6/Django14=affected,epel-6/python-django15=affected,epel-7/python-django=affected | impact=moderate,public=20160301,reported=20160223,source=upstream,cvss2=4.3/AV:N/AC:M/Au:N/C:P/I:N/A:N,cwe=CWE-385,openstack-5-rhel6/python-django=affected,openstack-5-rhel7/python-django=affected,openstack-6/python-django=affected,openstack-7/python-django=affected,openstack-7-optools/python-django=affected,openstack-8/python-django=notaffected,openstack-8-optools/python-django=notaffected,openstack-rdo/python-django=affected,ceph-1.2/Django=wontfix,ceph-1.3/Django=wontfix,sam-1/Django=affected,fedora-all/python-django=affected,epel-6/Django14=affected,epel-6/python-django15=affected,epel-7/python-django=affected |
| Perry Myers | 2016-04-27 03:55:36 UTC | CC | pmyers | |
| Joshua Padman | 2018-09-24 02:02:25 UTC | CC | jjoyce, kbasil, mburns, slinaber | |
| Joshua Padman | 2018-09-24 02:02:25 UTC | Whiteboard | impact=moderate,public=20160301,reported=20160223,source=upstream,cvss2=4.3/AV:N/AC:M/Au:N/C:P/I:N/A:N,cwe=CWE-385,openstack-5-rhel6/python-django=affected,openstack-5-rhel7/python-django=affected,openstack-6/python-django=affected,openstack-7/python-django=affected,openstack-7-optools/python-django=affected,openstack-8/python-django=notaffected,openstack-8-optools/python-django=notaffected,openstack-rdo/python-django=affected,ceph-1.2/Django=wontfix,ceph-1.3/Django=wontfix,sam-1/Django=affected,fedora-all/python-django=affected,epel-6/Django14=affected,epel-6/python-django15=affected,epel-7/python-django=affected | impact=moderate,public=20160301,reported=20160223,source=upstream,cvss2=4.3/AV:N/AC:M/Au:N/C:P/I:N/A:N,cwe=CWE-385,openstack-5-rhel6/python-django=affected,openstack-5-rhel7/python-django=affected,openstack-6/python-django=affected,openstack-7/python-django=affected,openstack-7-optools/python-django=affected,openstack-8/python-django=notaffected,openstack-8-optools/python-django=notaffected,openstack-rdo/python-django=wontfix,ceph-1.2/Django=wontfix,ceph-1.3/Django=wontfix,sam-1/Django=affected,fedora-all/python-django=affected,epel-6/Django14=affected,epel-6/python-django15=affected,epel-7/python-django=affected |
| Joshua Padman | 2018-09-24 04:01:25 UTC | Whiteboard | impact=moderate,public=20160301,reported=20160223,source=upstream,cvss2=4.3/AV:N/AC:M/Au:N/C:P/I:N/A:N,cwe=CWE-385,openstack-5-rhel6/python-django=affected,openstack-5-rhel7/python-django=affected,openstack-6/python-django=affected,openstack-7/python-django=affected,openstack-7-optools/python-django=affected,openstack-8/python-django=notaffected,openstack-8-optools/python-django=notaffected,openstack-rdo/python-django=wontfix,ceph-1.2/Django=wontfix,ceph-1.3/Django=wontfix,sam-1/Django=affected,fedora-all/python-django=affected,epel-6/Django14=affected,epel-6/python-django15=affected,epel-7/python-django=affected | impact=moderate,public=20160301,reported=20160223,source=upstream,cvss2=4.3/AV:N/AC:M/Au:N/C:P/I:N/A:N,cwe=CWE-385,openstack-5-rhel6/python-django=affected,openstack-5-rhel7/python-django=affected,openstack-6/python-django=affected,openstack-7/python-django=affected,openstack-7-optools/python-django=affected,openstack-8/python-django=notaffected,openstack-8-optools/python-django=notaffected,openstack-rdo/python-django=affected,ceph-1.2/Django=wontfix,ceph-1.3/Django=wontfix,sam-1/Django=affected,fedora-all/python-django=affected,epel-6/Django14=affected,epel-6/python-django15=affected,epel-7/python-django=affected |
| Product Security DevOps Team | 2019-09-29 13:44:17 UTC | Whiteboard | impact=moderate,public=20160301,reported=20160223,source=upstream,cvss2=4.3/AV:N/AC:M/Au:N/C:P/I:N/A:N,cwe=CWE-385,openstack-5-rhel6/python-django=affected,openstack-5-rhel7/python-django=affected,openstack-6/python-django=affected,openstack-7/python-django=affected,openstack-7-optools/python-django=affected,openstack-8/python-django=notaffected,openstack-8-optools/python-django=notaffected,openstack-rdo/python-django=affected,ceph-1.2/Django=wontfix,ceph-1.3/Django=wontfix,sam-1/Django=affected,fedora-all/python-django=affected,epel-6/Django14=affected,epel-6/python-django15=affected,epel-7/python-django=affected | |
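The mechanism the Doc Text entries above describe, shown as an added example that is not part of this bug record and is not Django's code: a minimal PBKDF2-SHA256 hasher in Django's `pbkdf2_sha256$<iterations>$<salt>$<hash>` layout, a login routine that (like Django's authenticate path) runs the default hasher once for an unknown username, and a hardened verify that spends the iterations a current-strength hash would have cost, in the spirit of the upstream fix. Iteration counts, the user table, and all function names (`encode`, `verify_naive`, `verify_hardened`, `login`, `login_cost`, `demo`) are this example's own assumptions, and executed PBKDF2 iterations are counted as a deterministic stand-in for wall-clock time.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed example, not Django's code. The iteration counts are assumptions
# kept small so the demo runs quickly; the real defaults are much larger.
ALGORITHM = "pbkdf2_sha256"
CURRENT_ITERATIONS = 2000   # assumed default after a work-factor upgrade
LEGACY_ITERATIONS = 1000    # assumed default the stored hash was created with

# Total PBKDF2 iterations executed so far. Counting work instead of measuring
# time makes the attacker's timing signal reproducible in a test.
_iterations_spent = 0


def encode(password: str, salt: str, iterations: int) -> str:
    """Hash `password` with PBKDF2-SHA256 in Django's encoded-string layout."""
    global _iterations_spent
    _iterations_spent += iterations
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return "%s$%d$%s$%s" % (ALGORITHM, iterations, salt, base64.b64encode(dk).decode())


def decode(encoded: str):
    """Return (iterations, salt) from an encoded hash; other hashers are rejected."""
    algorithm, iterations, salt, _digest = encoded.split("$", 3)
    if algorithm != ALGORITHM:
        raise ValueError("unsupported hasher: %s" % algorithm)
    return int(iterations), salt


def verify_naive(password: str, encoded: str) -> bool:
    """Vulnerable shape: cost depends on the iteration count stored in the hash."""
    iterations, salt = decode(encoded)
    return hmac.compare_digest(encode(password, salt, iterations), encoded)


def verify_hardened(password: str, encoded: str) -> bool:
    """Same check, then burn the iterations a CURRENT_ITERATIONS hash would cost,
    so a legacy hash and a current hash take the same work (modelled on the
    upstream approach; this is example code, not Django's implementation)."""
    iterations, salt = decode(encoded)
    ok = hmac.compare_digest(encode(password, salt, iterations), encoded)
    extra = CURRENT_ITERATIONS - iterations
    if extra > 0:
        encode(password, salt, extra)  # result discarded; only the work matters
    return ok


def login(username: str, password: str, users: dict, verify) -> bool:
    """`users` maps username -> encoded hash. Successful logins with a legacy
    iteration count are re-hashed at CURRENT_ITERATIONS, as the Doc Text notes."""
    encoded = users.get(username)
    if encoded is None:
        # Unknown account: run the default hasher anyway so a missing user
        # costs the same as a user whose hash is already at current strength.
        encode(password, secrets.token_hex(8), CURRENT_ITERATIONS)
        return False
    if not verify(password, encoded):
        return False
    if decode(encoded)[0] != CURRENT_ITERATIONS:
        users[username] = encode(password, secrets.token_hex(8), CURRENT_ITERATIONS)
    return True


def login_cost(username: str, password: str, users: dict, verify) -> int:
    """Iterations spent by one login attempt: the signal a remote attacker times."""
    global _iterations_spent
    _iterations_spent = 0
    login(username, password, users, verify)
    return _iterations_spent


def demo() -> dict:
    """Cost of a wrong-password attempt per account, naive vs hardened verify."""
    users = {
        "alice": encode("hunter2", "saltalice", LEGACY_ITERATIONS),  # not logged in since upgrade
        "bob": encode("hunter2", "saltbob", CURRENT_ITERATIONS),
    }
    return {
        name: {u: login_cost(u, "wrong-password", dict(users), verify)
               for u in ("alice", "bob", "nobody")}
        for name, verify in (("naive", verify_naive), ("hardened", verify_hardened))
    }


if __name__ == "__main__":
    print(demo())
```

With the naive verify, a wrong password against `alice` costs 1000 iterations while `bob` and the nonexistent `nobody` cost 2000, so an attacker who times login failures can tell that `alice` exists and still carries a pre-upgrade hash; with the hardened verify all three cost 2000. As the Doc Text's note says, this only equalizes hashes within the same PBKDF2 family: `decode` rejects any other algorithm, and an account still on a different hasher (such as the SHA1 case mentioned) would keep its own distinct cost.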