Yes, we've seen it and are working on it. Python hasn't directly addressed the problem (and may not - it's arguable whether it's an application or a language-level issue), so we'll probably have to ship our own workaround. This is a non-trivial fix.
In the meantime, workarounds include using 64-bit Python, severely limiting the length of requests your server accepts, limiting the number of allowed parameters in a POST, and strictly limiting the amount of time a Django process can exist before the webserver kills it. Fortunately, attack code has not yet been made public (if you know otherwise please contact me privately). Even though this issue is now public, please continue to report security problems privately to secur...@djangoproject.com.

-Paul
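Two of the workarounds listed in the message above, capping request length and capping the number of POST parameters, can be enforced in front of the application before any parameter dictionary is built. The WSGI middleware below is an added example, not code from Django or from the message's author; the class name, the limits and the response codes are assumptions, and it covers query strings and urlencoded form bodies only, not multipart uploads.

```python
import io

MAX_BODY_BYTES = 64 * 1024   # assumed cap on request body size
MAX_PARAMS = 100             # assumed cap on parameters per request


def count_params(raw: bytes) -> int:
    """Count urlencoded pairs by scanning separators; no dict is built."""
    if not raw:
        return 0
    return raw.count(b"&") + raw.count(b";") + 1


class ParamLimitMiddleware:
    """Hypothetical filter: reject oversized or parameter-heavy requests early."""

    def __init__(self, app, max_body=MAX_BODY_BYTES, max_params=MAX_PARAMS):
        self.app, self.max_body, self.max_params = app, max_body, max_params

    def _reject(self, start_response, status):
        start_response(status, [("Content-Length", "0")])
        return [b""]

    def __call__(self, environ, start_response):
        try:
            length = int(environ.get("CONTENT_LENGTH") or 0)
            if length < 0:
                raise ValueError("negative Content-Length")
        except ValueError:
            return self._reject(start_response, "400 Bad Request")
        if length > self.max_body:
            return self._reject(start_response, "413 Request Entity Too Large")
        query = environ.get("QUERY_STRING", "").encode("latin-1")
        if count_params(query) > self.max_params:
            return self._reject(start_response, "400 Bad Request")
        ctype = environ.get("CONTENT_TYPE", "").lower()
        if ctype.startswith("application/x-www-form-urlencoded"):
            # A missing Content-Length is treated as an empty body.
            body = environ["wsgi.input"].read(length)
            if count_params(body) > self.max_params:
                return self._reject(start_response, "400 Bad Request")
            # Hand the already-read body back to the wrapped application.
            environ["wsgi.input"] = io.BytesIO(body)
        return self.app(environ, start_response)
```

Wrap the WSGI callable with `ParamLimitMiddleware(application)`; the same caps are usually also worth setting at the front-end web server so oversized requests never reach Python.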