A timing difference between login requests of nonexistent users and users who haven't logged in for a certain time was found. In each major version of Django since 1.6, the default number of iterations for the ``PBKDF2PasswordHasher`` and its subclasses has increased. Passwords of users who haven't logged in since the iterations were increased are encoded with an older number of iterations, which creates the timing difference between login requests. The first time a user logs in after an iterations increase, their password is updated with the new iterations and there is no longer a timing difference. However, if there are different password hashes in the database (such as SHA1 hashes from users who haven't logged in since the default hasher switched to PBKDF2 in Django 1.4), the timing difference on a login request for these users may be even greater, and this fix doesn't remedy that difference (or any difference when changing hashers).
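An added Python model of the gap described in the comment above, not taken from the attached patches or from Django itself: a stale hash stored at fewer PBKDF2 iterations costs less to verify than an up-to-date hash or the dummy hash computed for an unknown user, and topping the verification up with the missing rounds removes that difference. The iteration counts, salts and user table are constructed values, and the top-up technique is this example's assumption about the fix, not a quotation of the upstream code.

```python
import base64
import hashlib
import hmac

# Assumed defaults for this demo: the "current" hasher iteration count and the
# older count a stale password hash was stored with (constructed values).
DEFAULT_ITERATIONS = 24000
STALE_ITERATIONS = 20000


def encode(password: str, salt: str, iterations: int) -> str:
    """Django-style 'pbkdf2_sha256$iterations$salt$hash' string."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt, base64.b64encode(dk).decode())


def verify(password: str, encoded: str, harden: bool) -> tuple:
    """Check a password; return (matches, total PBKDF2 iterations performed).

    With harden=True a hash stored at fewer iterations than the default is
    topped up with extra rounds, so total work no longer reveals a stale hash."""
    _algorithm, iterations, salt, _hash = encoded.split("$", 3)
    iterations = int(iterations)
    matches = hmac.compare_digest(encode(password, salt, iterations), encoded)
    spent = iterations
    if harden and iterations < DEFAULT_ITERATIONS:
        extra = DEFAULT_ITERATIONS - iterations
        encode(password, salt, extra)  # result discarded; only the CPU time matters
        spent += extra
    return matches, spent


# Constructed user table: alice logged in recently, bob still has a stale hash.
USERS = {
    "alice": encode("alice-pass", "constructedsalt1", DEFAULT_ITERATIONS),
    "bob": encode("bob-pass", "constructedsalt2", STALE_ITERATIONS),
}


def login_attempt(username: str, password: str, harden: bool) -> tuple:
    """Model of an authentication backend: returns (authenticated, work)."""
    encoded = USERS.get(username)
    if encoded is None:
        # Unknown user: hash anyway with the default hasher so the request
        # costs the same as one for a real user whose hash is up to date.
        encode(password, "dummysalt", DEFAULT_ITERATIONS)
        return False, DEFAULT_ITERATIONS
    return verify(password, encoded, harden)
```

Without hardening, bob's login costs 20000 rounds while an unknown user or alice costs 24000; with hardening every path performs 24000 rounds. As the comment notes, this equalises iteration counts within one hasher only and does nothing for hashes stored under a different algorithm.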
Created attachment 1130107: Upstream patch 1.8.x
Created attachment 1130109: Upstream patch 1.9.x
Created attachment 1130111: Upstream patch master
External Reference: https://www.djangoproject.com/weblog/2016/mar/01/security-releases/
Created Django14 tracking bugs for this issue: Affects: epel-6 [bug 1314830]
Created python-django15 tracking bugs for this issue: Affects: epel-6 [bug 1314831]
Created python-django tracking bugs for this issue: Affects: fedora-all [bug 1314828] Affects: epel-7 [bug 1314832]
Acknowledgments: Name: the Django project
python-django-1.8.11-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
python-django-1.8.11-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products: Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7 Via RHSA-2016:0506 https://rhn.redhat.com/errata/RHSA-2016-0506.html
This issue has been addressed in the following products: Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7 Via RHSA-2016:0505 https://rhn.redhat.com/errata/RHSA-2016-0505.html
This issue has been addressed in the following products: Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7 Via RHSA-2016:0504 https://rhn.redhat.com/errata/RHSA-2016-0504.html
This issue has been addressed in the following products: Red Hat Enterprise Linux OpenStack Platform 7.0 Operational Tools for RHEL 7 Via RHSA-2016:0503 https://rhn.redhat.com/errata/RHSA-2016-0503.html
This issue has been addressed in the following products: Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6 Via RHSA-2016:0502 https://rhn.redhat.com/errata/RHSA-2016-0502.html