It was found that python-django, a high-level Python web framework, was vulnerable to a DoS attack via large passwords. An attacker could send a large password to the machine; as there wasn't any limit imposed on the length of passwords, a large password could use all the machine's available resources for the hash computation, thus making the machine slow and unresponsive. The issue is known to be fixed in the latest updates, python-django 1.4.8 and 1.5.4.

References:
https://www.djangoproject.com/weblog/2013/sep/15/security/
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=723043
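A defender-side illustration of the mitigation pattern the report above implies: bound the password size before any hashing work is done, so an oversized submission is rejected cheaply instead of driving the hash computation. This is an added example written for this page; it is not Django's own code nor the upstream patch referenced in the bug. The 4096-byte limit (the same order of magnitude as the keystone limit mentioned later in the thread), the PBKDF2 parameters, and the function names are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Upper bound on password size accepted before any hashing work is done.
# Assumption: 4096 bytes is a value chosen for this example; the exact
# number is a deployment policy choice.
MAX_PASSWORD_BYTES = 4096

# Deliberately small iteration count so the example runs quickly.
# Assumption: a real deployment uses a far larger count.
PBKDF2_ITERATIONS = 1000


def _too_long(password: str) -> bool:
    # Measure the encoded byte length, since that is what the hash consumes.
    return len(password.encode("utf-8")) > MAX_PASSWORD_BYTES


def make_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Hash a password with PBKDF2-HMAC-SHA256, refusing oversized input first.

    Raises ValueError for an oversized password so the caller can report a
    validation failure instead of paying for the hash.
    """
    if _too_long(password):
        raise ValueError("password exceeds %d bytes" % MAX_PASSWORD_BYTES)
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def check_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Verify a password against a stored (salt, digest) pair.

    The length check runs before the hash, so an oversized candidate is
    turned away before any expensive computation starts.
    """
    if _too_long(password):
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    # Constant-time comparison of the two digests.
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    s, d = make_password("correct horse battery staple")
    print(check_password("correct horse battery staple", s, d))  # True
    print(check_password("x" * (MAX_PASSWORD_BYTES + 1), s, d))   # False
```

The check is applied on both the hashing and the verification path, because the login form is the path an unauthenticated client can reach; limiting only registration would leave the expensive branch exposed.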
Created Django14 tracking bugs for this issue: Affects: epel-6 [bug 1008282]
Created python-django tracking bugs for this issue: Affects: fedora-all [bug 1008281]
This needs clones for openstack-3 and openstack-rdo...
(In reply to Lon Hohberger from comment #3)
> This needs clones for openstack-3 and openstack-rdo...

Lon, I've just triaged this for openstack and I believe we are not affected as keystone imposes a 4k limit on passwords. Unless you think there is somewhere else this is exposed?
python-django-1.5.4-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
python-django14-1.4.8-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
Django14-1.4.8-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
Ok, Garth - I wasn't certain; it just looked like we were affected based on versioning. Thanks!