Since the 1.6 release is very close, what are the chances that the security fix would get backported to Django 1.4.x, even if 1.6 lands before a fix is backported? There was a blog post about extending support for 1.4, but I don't remember seeing any discussion on the list to help "figure out the specifics".
https://www.djangoproject.com/weblog/2013/may/26/django-16-alpha-1/

Regards,
Michael Manfre

On Tue, Aug 6, 2013 at 10:42 AM, Jacob Kaplan-Moss <[email protected]> wrote:

> Hi folks --
>
> At last week's Black Hat conference, researchers announced the BREACH
> attack (http://breachattack.com/), a new attack on web apps that can
> recover data even when secured with SSL connections. Given what we know so
> far, we believe that BREACH may be used to compromise Django's CSRF
> protection. Thus, we're issuing a security advisory so that our users can
> defend themselves.
>
> You can read more details, including the steps you can take to prevent
> yourself against this attack, on our blog:
>
> https://www.djangoproject.com/weblog/2013/aug/06/breach-and-django/
>
> We plan to take steps to address BREACH in Django itself, but in the
> meantime we recommend that all users of Django understand this
> vulnerability and take action if appropriate.
>
> Jacob
>
> --
> You received this message because you are subscribed to the Google Groups
> "Django developers" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To post to this group, send email to [email protected].
> Visit this group at http://groups.google.com/group/django-developers.
> For more options, visit https://groups.google.com/groups/opt_out.
