| author | James Bennett <james@b-list.org> | 2013-09-15 00:29:31 -0600 |
|---|---|---|
| committer | James Bennett <james@b-list.org> | 2013-09-15 00:29:31 -0600 |
| commit | 4607c7325dca510428f8e67a97bd73d647ffb35f (patch) | |
| tree | 4a6e2a3dd8ed3d79dd9892667e2ca580f4fd9fa5 /docs/releases/1.5.4.txt | |
| parent | 22b74fa09d7ccbc8c52270d648a0da7f3f0fa2bc (diff) | |
[1.5.x] Add release notes and bump version numbers for 1.5.4 security release.
Diffstat (limited to 'docs/releases/1.5.4.txt')
| -rw-r--r-- | docs/releases/1.5.4.txt | 21 |
1 files changed, 21 insertions, 0 deletions
diff --git a/docs/releases/1.5.4.txt b/docs/releases/1.5.4.txt new file mode 100644 index 0000000000..00c56bc5e5 --- /dev/null +++ b/docs/releases/1.5.4.txt @@ -0,0 +1,21 @@ +========================== +Django 1.5.3 release notes +========================== + +*September 14, 2013* + +This is Django 1.5.4, the fourth release in the Django 1.5 series. It addresses +one security issue. + +Denial-of-service via password hashers +-------------------------------------- + +In previous versions of Django no limit was imposed on the plaintext +length of a password. This allows a denial-of-service attack through +submission of bogus but extremely large passwords, tying up server +resources performing the (expensive, and increasingly expensive with +the length of the password) calculation of the corresponding hash. + +As of 1.5.3, Django's authentication framework imposes a 4096-byte +limit on passwords, and will fail authentication with any submitted +password of greater length. |
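Review bot: The heading of the new docs/releases/1.5.4.txt reads "Django 1.5.3 release notes", and the closing paragraph says "As of 1.5.3, Django's authentication framework imposes a 4096-byte limit", but the file name and the opening sentence ("This is Django 1.5.4, the fourth release in the Django 1.5 series") both refer to 1.5.4. As written, readers cannot tell from these notes which release first carries the password-length limit, which matters when deciding whether a deployment is still exposed to the denial-of-service issue described. Suggest changing the heading to "Django 1.5.4 release notes" and the last paragraph to "As of 1.5.4", or, if the limit really was introduced in an earlier release, saying so explicitly and explaining what 1.5.4 changes.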
