web2py 2.6.3 is OUT (security update)

Showing 1-6 of 6 messages
web2py 2.6.3 is OUT (security update) Massimo Di Pierro 9/15/13 10:13 AM
This is very similar to 2.6.1 but fixes some problem with a missing admin file (also fixed in 2.6.2) and a potential DoS security issue.

The issue was first discovered in Django https://www.djangoproject.com/weblog/2013/sep/15/security/ 
We thank them for discovering and reporting it.

In web2py 2.5.x and earlier we suffer from the same problem. This is because while the default password validator checks for length, the check is performed after hashing, before inserting the hashed password in database. In 2.6.1/2 we have a different implementation of the hashing algorithm and we do not know how severe the problem is.

In any case 2.6.3 fixes the problem by truncating the password to 1024 chars when passed to the CRYPT validator.

You should upgrade.

Massimo
Re: web2py 2.6.3 is OUT (security update) Raul Monares 9/15/13 10:27 AM
Thanks Massimo
Re: web2py 2.6.3 is OUT (security update) samuel bonill 9/15/13 2:37 PM
+1

El domingo, 15 de septiembre de 2013 12:13:21 UTC-5, Massimo Di Pierro escribió:
Re: web2py 2.6.3 is OUT (security update) 黄祥 9/15/13 4:39 PM
great, very responsive. thank you so much
Re: web2py 2.6.3 is OUT (security update) Michael Jackson 9/19/13 10:00 AM
I am experiencing an issue with one of the experimental features. In db.py I have auth.settings.manager_group_role = 'SuperUser' . This was working for me in 2.5.1 but now I am getting a ticket saying that manager_group_role doesn't exist. Was this removed or changed?

Thanks,
Michael
Re: web2py 2.6.3 is OUT (security update) Massimo Di Pierro 9/19/13 11:45 AM
We called it: auth.settings.auth_manager_role