diff --git a/CHANGES b/CHANGES
index 91e0dc1..6504c64 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,12 +1,15 @@
 Version History
 ===============
-
 Version 0.6.0
 -------------
 * Only Django versions 4.2 or above are now supported
 * Removed the old rendering methods that were deprecated in 2017.
+Version 0.5.19
+--------------
+* SECURITY ISSUE: reset the random seed after an image was generated (#221, thanks @ibuler)
+
 Version 0.5.18
 --------------
 * Fix some typos in documentation (#210, thanks @stweil)
diff --git a/captcha/views.py b/captcha/views.py
index 356db5f..08d4721 100644
--- a/captcha/views.py
+++ b/captcha/views.py
@@ -135,6 +135,13 @@ def captcha_image(request, key, scale=1):
     response.write(out.read())
     response["Content-length"] = out.tell()
+    # At line :50 above we fixed the random seed so that we always generate the
+    # same image, see: https://github.com/mbi/django-simple-captcha/pull/194
+    # This is a problem though, because knowledge of the seed will let an attacker
+    # predict the next random (globally). We therefore reset the random here.
+    # Reported in https://github.com/mbi/django-simple-captcha/pull/221
+    random.seed()
+
     return response
diff --git a/docs/conf.py b/docs/conf.py
index bb690f5..ee25855 100644
--- a/docs/conf.py
+++ b/docs/conf.py
@@ -50,6 +50,7 @@
 #
 # The short X.Y version.
 version = "0.6.0"
+
 # The full version, including alpha/beta/rc tags.
 release = version
diff --git a/setup.py b/setup.py
index fc84879..6b1975a 100644
--- a/setup.py
+++ b/setup.py
@@ -32,7 +32,7 @@ def run_tests(self):
 install_requires = [
-    "Django >= 3.2",
+    "Django >= 4.2",
     "Pillow >=6.2.0",
     "django-ranged-response == 0.2.0",
 ]
@@ -59,7 +59,6 @@ def run_tests(self):
     "License :: OSI Approved :: MIT License",
     "Operating System :: OS Independent",
     "Programming Language :: Python",
-    "Programming Language :: Python :: 3.8",
     "Programming Language :: Python :: 3.9",
     "Programming Language :: Python :: 3.10",
     "Programming Language :: Python :: 3.11",
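Review bot: The `random.seed()` reset added at the end of `captcha_image` runs only on the success path; if anything between the keyed `random.seed(...)` the comment refers to (outside this hunk, around line 50) and this line raises, the process-wide PRNG stays in its predictable keyed state for every later caller of `random` in that worker, so the reset belongs in a `finally:` around the generation code rather than after it. The reset also cannot cover other threads in the same process, which may observe the keyed global state between the seed and the reset; a per-request `random.Random(key)` instance handed to the drawing helpers would avoid touching the global generator at all and is, I think, the more robust follow-up. Minor: the comment's "At line :50 above" will go stale on the next edit, so naming the call instead of a line number, e.g. `# random.seed(...) earlier in this function fixes the seed so the image is reproducible`, keeps it accurate. `captcha_image` starts outside the hunk.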