diff options
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/conf.py | 4 | ||||
| -rw-r--r-- | docs/releases/1.4.8.txt | 21 |
2 files changed, 23 insertions, 2 deletions
diff --git a/docs/conf.py b/docs/conf.py index fde4a58d9a..46db36160e 100644 --- a/docs/conf.py +++ b/docs/conf.py @@ -50,9 +50,9 @@ copyright = 'Django Software Foundation and contributors' # built documents. # # The short X.Y version. -version = '1.4.7' +version = '1.4.8' # The full version, including alpha/beta/rc tags. -release = '1.4.7' +release = '1.4.8' # The next version to be released django_next_version = '1.5' diff --git a/docs/releases/1.4.8.txt b/docs/releases/1.4.8.txt new file mode 100644 index 0000000000..bec5a4b7dc --- /dev/null +++ b/docs/releases/1.4.8.txt @@ -0,0 +1,21 @@ +========================== +Django 1.4.7 release notes +========================== + +*September 14, 2013* + +Django 1.4.8 fixes one security issue present in previous Django releases in +the 1.4 series. + +Denial-of-service via password hashers +-------------------------------------- + +In previous versions of Django no limit was imposed on the plaintext +length of a password. This allows a denial-of-service attack through +submission of bogus but extremely large passwords, tying up server +resources performing the (expensive, and increasingly expensive with +the length of the password) calculation of the corresponding hash. + +As of 1.4.8, Django's authentication framework imposes a 4096-byte +limit on passwords, and will fail authentication with any submitted +password of greater length. |
