authorJames Bennett <james@b-list.org>2013-09-15 00:36:03 -0600
committerJames Bennett <james@b-list.org>2013-09-15 00:36:03 -0600
commit623c4916df545f985c66a269a712e95f2724f6d0 (patch)
tree48a38a7fb2697086f3f1825f2b60e1c25e468400
parent5ecc0f828ebe270cfc92a0a2bfb4268800907904 (diff)
[1.6.x] Add release notes and bump version number for security release.1.6b4
-rw-r--r--django/__init__.py2
-rw-r--r--docs/releases/1.4.8.txt21
-rw-r--r--docs/releases/1.5.4.txt21
-rw-r--r--docs/releases/1.6.txt21
4 files changed, 56 insertions, 9 deletions
diff --git a/django/__init__.py b/django/__init__.py
index 2327551770..e9c75e142f 100644
--- a/django/__init__.py
+++ b/django/__init__.py
@@ -1,4 +1,4 @@
-VERSION = (1, 6, 0, 'beta', 3)
+VERSION = (1, 6, 0, 'beta', 4)
def get_version(*args, **kwargs):
# Don't litter django/__init__.py with all the get_version stuff.
diff --git a/docs/releases/1.4.8.txt b/docs/releases/1.4.8.txt
new file mode 100644
index 0000000000..bec5a4b7dc
--- /dev/null
+++ b/docs/releases/1.4.8.txt
@@ -0,0 +1,21 @@
+==========================
+Django 1.4.7 release notes
+==========================
+
+*September 14, 2013*
+
+Django 1.4.8 fixes one security issue present in previous Django releases in
+the 1.4 series.
+
+Denial-of-service via password hashers
+--------------------------------------
+
+In previous versions of Django no limit was imposed on the plaintext
+length of a password. This allows a denial-of-service attack through
+submission of bogus but extremely large passwords, tying up server
+resources performing the (expensive, and increasingly expensive with
+the length of the password) calculation of the corresponding hash.
+
+As of 1.4.8, Django's authentication framework imposes a 4096-byte
+limit on passwords, and will fail authentication with any submitted
+password of greater length.
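Review bot: the title of the new file is wrong: docs/releases/1.4.8.txt opens with "Django 1.4.7 release notes" while the body says "Django 1.4.8 fixes one security issue present in previous Django releases in the 1.4 series." Change the title line to "Django 1.4.8 release notes"; the existing 26-character "=" underline already matches that length, so only the title text needs to change.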
diff --git a/docs/releases/1.5.4.txt b/docs/releases/1.5.4.txt
new file mode 100644
index 0000000000..00c56bc5e5
--- /dev/null
+++ b/docs/releases/1.5.4.txt
@@ -0,0 +1,21 @@
+==========================
+Django 1.5.3 release notes
+==========================
+
+*September 14, 2013*
+
+This is Django 1.5.4, the fourth release in the Django 1.5 series. It addresses
+one security issue.
+
+Denial-of-service via password hashers
+--------------------------------------
+
+In previous versions of Django no limit was imposed on the plaintext
+length of a password. This allows a denial-of-service attack through
+submission of bogus but extremely large passwords, tying up server
+resources performing the (expensive, and increasingly expensive with
+the length of the password) calculation of the corresponding hash.
+
+As of 1.5.3, Django's authentication framework imposes a 4096-byte
+limit on passwords, and will fail authentication with any submitted
+password of greater length.
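Review bot: the version number is inconsistent twice in docs/releases/1.5.4.txt: the title reads "Django 1.5.3 release notes" and the last paragraph reads "As of 1.5.3, Django's authentication framework imposes a 4096-byte limit", but the intro says "This is Django 1.5.4, the fourth release in the Django 1.5 series." Both should say 1.5.4, otherwise readers of the 1.5.4 notes are told the fix landed in an earlier release than the one they are reading about.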
diff --git a/docs/releases/1.6.txt b/docs/releases/1.6.txt
index 8bbc483542..2903038b53 100644
--- a/docs/releases/1.6.txt
+++ b/docs/releases/1.6.txt
@@ -780,6 +780,19 @@ as JSON requires string keys, you will likely run into problems if you are
using non-string keys in ``request.session``. See the
:ref:`session_serialization` documentation for more details.
+4096-byte limit on passwords
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Historically, Django has imposed no length limit on plaintext
+passwords. This enables a denial-of-service attack through submission
+of bogus but extremely large passwords, tying up server resources
+performing the (expensive, and increasingly expensive with the length
+of the password) calculation of the corresponding hash.
+
+Django now imposes a 4096-byte limit on password length, and will fail
+authentication with any submitted password of greater length.
+
+
Miscellaneous
~~~~~~~~~~~~~
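Review bot: the new "4096-byte limit on passwords" section ends with two consecutive blank lines before "Miscellaneous"; the surrounding sections in this file are separated by a single blank line, so drop one of them. The section body also says only that authentication "will fail" for over-long passwords; since this section replaces the Miscellaneous entry removed further down in this file, which documented that the hasher API raises ``ValueError`` when called directly, consider keeping that sentence here so callers of the hasher functions are not surprised by an exception rather than a failed login.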
@@ -869,14 +882,6 @@ Miscellaneous
to prevent django from deleting the temporary .pot file it generates before
creating the .po file.
-* Passwords longer than 4096 bytes in length will no longer work and will
- instead raise a ``ValueError`` when using the hasher directory or the
- built in forms shipped with ``django.contrib.auth`` will fail validation.
-
- The rationale behind this is a possibility of a Denial of Service attack when
- using a slow password hasher, such as the default PBKDF2, and sending very
- large passwords.
-
Features deprecated in 1.6
==========================
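Review bot: removing this Miscellaneous entry loses the only statement in the 1.6 notes that passwords longer than 4096 bytes "raise a ``ValueError`` when using the hasher" directly, as opposed to the ``django.contrib.auth`` forms, which fail validation. The replacement section added above in this file describes only the form/authentication behaviour, so the direct-hasher case is now undocumented; carry the ``ValueError`` sentence over (fixing "hasher directory" to "hashers directly" in the process) rather than dropping it. The removal itself is otherwise clean: it takes the entry and its trailing blank line, and the "Features deprecated in 1.6" heading that follows is left intact.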