Bug#686104: python-django-registration: Not compatible with, Django 1.4.

2012-08-31 Thread Raphael Hertzog
Hi, On Fri, 31 Aug 2012, Winfried Tilanus wrote: > So let's get back to the original issue: the changelog mentions fixed > compatibility issues with Django 1.4: > https://bitbucket.org/ubernostrum/django-registration/src/2d6fcc0c55d0/CHANGELOG > > It is for sure referring to this commit: > https:/

Bug#686104: python-django-registration: Not compatible with, Django 1.4.

2012-08-31 Thread Winfried Tilanus
On 08/31/2012 09:59 AM, Raphael Hertzog wrote: Hi, (I hope you are still patient with me.) It is hard to judge how severe the use of SHA1 in django-registration 0.7.1 is. I think we can go endlessly here. (What if an attacker requests 2 accounts: one on a valid e-mail address and one on an invali

Bug#686104: python-django-registration: Not compatible with, Django 1.4.

2012-08-31 Thread Raphael Hertzog
On Fri, 31 Aug 2012, Winfried Tilanus wrote: > On 08/31/2012 08:41 AM, Raphael Hertzog wrote: > > > What openly available data are you referring to? > > The hash calculated in django-registration is sent out to people > registering a new account, as part of the url to click on when > confirming t

Bug#686104: python-django-registration: Not compatible with, Django 1.4.

2012-08-31 Thread Winfried Tilanus
On 08/31/2012 08:41 AM, Raphael Hertzog wrote: > What openly available data are you referring to? The hash calculated in django-registration is sent out to people registering a new account, as part of the url to click on when confirming the registration of a new account. It is used as identifier

Bug#686104: python-django-registration: Not compatible with, Django 1.4.

2012-08-30 Thread Raphael Hertzog
On Thu, 30 Aug 2012, Winfried Tilanus wrote: > The SHA1 hashes used in python-django-registration are publicly visible. > An attack against the SHA1 in python-django-registration would not need > a compromise of the database first, but can be performed against openly > available data. What openly

Bug#686104: python-django-registration: Not compatible with Django 1.4.

2012-08-30 Thread Paul van der Vlis
On 29-08-12 21:50, Raphael Hertzog wrote: > Version: 0.8-1 > > On Tue, 28 Aug 2012, Paul van der Vlis wrote: >> Uses only sha1 for passwords, Django 1.4 uses PBKDF2 by default for >> passwords. >> The sha-module is deprecated. > > Can you explain a bit more clearly how it breaks and the conseq

Bug#686104: python-django-registration: Not compatible with, Django 1.4.

2012-08-30 Thread Winfried Tilanus
IMHO the use of SHA1 in python-django-registration 0.7.2 is a security issue waiting to happen. The SHA1 hashes used in python-django-registration are publicly visible. An attack against the SHA1 in python-django-registration would not need a compromise of the database first, but can be performed

Bug#686104: python-django-registration: Not compatible with Django 1.4.

2012-08-28 Thread Paul van der Vlis
Package: python-django-registration Version: 0.7-2 Severity: grave Justification: renders package unusable Uses only sha1 for passwords, Django 1.4 uses PBKDF2 by default for passwords. The sha-module is deprecated. It would be good to upgrade to python-django-registration 0.8, which is in Sid, but