[Python-modules-team] Bug#686104: python-django-registration: Not compatible with Django 1.4.

Winfried Tilanus winfried at tilanus.com
Thu Aug 30 19:41:12 UTC 2012


IMHO the use of SHA1 in python-django-registration 0.7.2 is a security
issue waiting to happen.

The SHA1 hashes used in python-django-registration are publicly visible.
An attack against the SHA1 in python-django-registration would not need
a compromise of the database first, but can be performed against openly
available data.

With the deprecation of SHA1 in Django 1.4, the Django project has
fixed smaller security issues than the issues that arise from the use of
SHA1 in python-django-registration 0.7.2. So keeping
python-django-registration on version 0.7.2 would introduce quite an
Achilles' heel in the security of Django.

Winfried


