py-bcrypt security release issued

py-bcrypt, the library used by Django's Bcrypt password hasher, issued a new release on Monday that fixes a concurrency bug which an attacker could potentially use to bypass password checking. Users of the py-bcrypt library should upgrade immediately to version 0.3.

It's important to point out that this issue does not affect all users of Django. py-bcrypt is a third-party module and is not created or distributed by the Django core team.

However, we're choosing to publicize this security release here because py-bcrypt is in common use on many Django sites and is the library used by the Bcrypt password hasher distributed with Django. We hope that publicizing this fix widely will help protect all Django users.

General notes regarding security

As always, we ask that potential security issues in Django be reported via private email to security@djangoproject.com, and not via Django's Trac instance or the django-developers mailing list.

Security issues in third-party modules should be reported to the relevant maintainer(s). When in doubt, we're happy to receive security reports about third-party modules to security@djangoproject.com; we can help direct you to the proper venue for the issue.

Posted by Donald Stufft on March 21, 2013