[1.5.x] Add release notes and bump version numbers for 1.5.4 security release.1.5.4

5 files changed, 46 insertions, 4 deletions

diff --git a/django/__init__.py b/django/__init__.py
index 6baa03ac8e..00166a4a2c 100644
--- a/django/__init__.py
+++ b/django/__init__.py
@@ -1,4 +1,4 @@
-VERSION = (1, 5, 4, 'alpha', 0)
+VERSION = (1, 5, 4, 'final', 0)
 
 def get_version(*args, **kwargs):
     # Don't litter django/__init__.py with all the get_version stuff.
diff --git a/docs/conf.py b/docs/conf.py
index d21665dfc4..9c5a29e1c5 100644
--- a/docs/conf.py
+++ b/docs/conf.py
@@ -52,9 +52,9 @@ copyright = 'Django Software Foundation and contributors'
 # built documents.
 #
 # The short X.Y version.
-version = '1.5.3'
+version = '1.5.4'
 # The full version, including alpha/beta/rc tags.
-release = '1.5.3'
+release = '1.5.4'
 # The next version to be released
 django_next_version = '1.6'
 
diff --git a/docs/releases/1.4.8.txt b/docs/releases/1.4.8.txt
new file mode 100644
index 0000000000..bec5a4b7dc
--- /dev/null
+++ b/docs/releases/1.4.8.txt
@@ -0,0 +1,21 @@
+==========================
+Django 1.4.7 release notes
+==========================
+
+*September 14, 2013*
+
+Django 1.4.8 fixes one security issue present in previous Django releases in
+the 1.4 series.
+
+Denial-of-service via password hashers
+--------------------------------------
+
+In previous versions of Django no limit was imposed on the plaintext
+length of a password. This allows a denial-of-service attack through
+submission of bogus but extremely large passwords, tying up server
+resources performing the (expensive, and increasingly expensive with
+the length of the password) calculation of the corresponding hash.
+
+As of 1.4.8, Django's authentication framework imposes a 4096-byte
+limit on passwords, and will fail authentication with any submitted
+password of greater length.
diff --git a/docs/releases/1.5.4.txt b/docs/releases/1.5.4.txt
new file mode 100644
index 0000000000..00c56bc5e5
--- /dev/null
+++ b/docs/releases/1.5.4.txt
@@ -0,0 +1,21 @@
+==========================
+Django 1.5.3 release notes
+==========================
+
+*September 14, 2013*
+
+This is Django 1.5.4, the fourth release in the Django 1.5 series. It addresses
+one security issue.
+
+Denial-of-service via password hashers
+--------------------------------------
+
+In previous versions of Django no limit was imposed on the plaintext
+length of a password. This allows a denial-of-service attack through
+submission of bogus but extremely large passwords, tying up server
+resources performing the (expensive, and increasingly expensive with
+the length of the password) calculation of the corresponding hash.
+
+As of 1.5.3, Django's authentication framework imposes a 4096-byte
+limit on passwords, and will fail authentication with any submitted
+password of greater length.
diff --git a/setup.py b/setup.py
index e959d8627c..38db93d15f 100644
--- a/setup.py
+++ b/setup.py
@@ -85,7 +85,7 @@ setup(
     author_email='foundation@djangoproject.com',
     description=('A high-level Python Web framework that encourages '
                  'rapid development and clean, pragmatic design.'),
-    download_url='https://www.djangoproject.com/m/releases/1.5/Django-1.5.3.tar.gz',
+    download_url='https://www.djangoproject.com/m/releases/1.5/Django-1.5.4.tar.gz',
     license='BSD',
     packages=packages,
     package_data=package_data,