| author | James Bennett <james@b-list.org> | 2013-09-14 23:53:07 -0600 |
|---|---|---|
| committer | James Bennett <james@b-list.org> | 2013-09-14 23:53:07 -0600 |
| commit | 3ffc7b52f8704443ef0c20f34bb50c9144898ef7 (patch) | |
| tree | 5dc052ceb506cc702d45fe723451d6eff10ab806 | |
| parent | 3f3d887a6844ec2db743fee64c9e53e04d39a368 (diff) | |
[1.4.x] Add release notes and bump version numbers for 1.4.8 security release.
| -rw-r--r-- | django/__init__.py | 2 | ||||
| -rw-r--r-- | docs/conf.py | 4 | ||||
| -rw-r--r-- | docs/releases/1.4.8.txt | 21 | ||||
| -rw-r--r-- | setup.py | 2 |
4 files changed, 25 insertions, 4 deletions
diff --git a/django/__init__.py b/django/__init__.py
index 143dc69568..03a43fcc74 100644
--- a/django/__init__.py
+++ b/django/__init__.py
@@ -1,4 +1,4 @@
-VERSION = (1, 4, 8, 'alpha', 0)
+VERSION = (1, 4, 8, 'final', 0)
 def get_version(version=None):
 """Derives a PEP386-compliant version number from VERSION."""
diff --git a/docs/conf.py b/docs/conf.py
index fde4a58d9a..46db36160e 100644
--- a/docs/conf.py
+++ b/docs/conf.py
@@ -50,9 +50,9 @@ copyright = 'Django Software Foundation and contributors'
 # built documents.
 #
 # The short X.Y version.
-version = '1.4.7'
+version = '1.4.8'
 # The full version, including alpha/beta/rc tags.
-release = '1.4.7'
+release = '1.4.8'
 # The next version to be released
 django_next_version = '1.5'
diff --git a/docs/releases/1.4.8.txt b/docs/releases/1.4.8.txt
new file mode 100644
index 0000000000..bec5a4b7dc
--- /dev/null
+++ b/docs/releases/1.4.8.txt
@@ -0,0 +1,21 @@
+==========================
+Django 1.4.7 release notes
+==========================
+
+*September 14, 2013*
+
+Django 1.4.8 fixes one security issue present in previous Django releases in
+the 1.4 series.
+
+Denial-of-service via password hashers
+--------------------------------------
+
+In previous versions of Django no limit was imposed on the plaintext
+length of a password. This allows a denial-of-service attack through
+submission of bogus but extremely large passwords, tying up server
+resources performing the (expensive, and increasingly expensive with
+the length of the password) calculation of the corresponding hash.
+
+As of 1.4.8, Django's authentication framework imposes a 4096-byte
+limit on passwords, and will fail authentication with any submitted
+password of greater length.
@@ -75,7 +75,7 @@ setup(
 author = 'Django Software Foundation',
 author_email = 'foundation@djangoproject.com',
 description = 'A high-level Python Web framework that encourages rapid development and clean, pragmatic design.',
- download_url = 'https://www.djangoproject.com/m/releases/1.4/Django-1.4.7.tar.gz',
+ download_url = 'https://www.djangoproject.com/m/releases/1.4/Django-1.4.8.tar.gz',
 packages = packages,
 cmdclass = cmdclasses,
 data_files = data_files, |
