| Summary: | dev-python/django-1.4.8 : "authenticate()" User Enumeration Weakness | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | minor | CC: | python |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://secunia.com/advisories/54197/ | ||
| Whiteboard: | B4 [noglsa] | ||
| Package list: | Runtime testing required: | --- | |
| Bug Depends on: | 484984 | ||
| Bug Blocks: | |||
Waiting on decision of whether this requires a CVE. Patch available from upstream at [1]. [1] https://code.djangoproject.com/attachment/ticket/20760/20760_fix_hash_once.diff Patch merged upstream, available at [1]. [1] https://github.com/django/django/commit/5b47a9c5a0dcb513dc5ff68b617b3aa374c90f3b |
From ${URL} : Description A weakness has been reported in Django, which can be exploited by malicious people to disclose certain sensitive information. The weakness is caused due to the "authenticate()" function returning responses at different times depending on validity of the provided user name. This can be exploited to enumerate valid user names. The weakness is reported in version 1.5. Other versions may also be affected. Solution: Fixed in the GIT repository. Further details available to Secunia VIM customers Provided and/or discovered by: Justin Paglierani in a bug report. Original Advisory: https://code.djangoproject.com/ticket/20760 http://www.openwall.com/lists/oss-security/2013/07/22/4 @maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.