author James Bennett <james@b-list.org> 2013-09-15 00:29:31 -0600
committer James Bennett <james@b-list.org> 2013-09-15 00:29:31 -0600
commit 4607c7325dca510428f8e67a97bd73d647ffb35f
tree 4a6e2a3dd8ed3d79dd9892667e2ca580f4fd9fa5 /docs/releases
parent 22b74fa09d7ccbc8c52270d648a0da7f3f0fa2bc
[1.5.x] Add release notes and bump version numbers for 1.5.4 security release. 1.5.4
Diffstat (limited to 'docs/releases')
-rw-r--r-- docs/releases/1.4.8.txt | 21
-rw-r--r-- docs/releases/1.5.4.txt | 21
2 files changed, 42 insertions, 0 deletions
diff --git a/docs/releases/1.4.8.txt b/docs/releases/1.4.8.txt
new file mode 100644
index 0000000000..bec5a4b7dc
--- /dev/null
+++ b/docs/releases/1.4.8.txt
@@ -0,0 +1,21 @@
+==========================
+Django 1.4.7 release notes
+==========================
+
+*September 14, 2013*
+
+Django 1.4.8 fixes one security issue present in previous Django releases in
+the 1.4 series.
+
+Denial-of-service via password hashers
+--------------------------------------
+
+In previous versions of Django no limit was imposed on the plaintext
+length of a password. This allows a denial-of-service attack through
+submission of bogus but extremely large passwords, tying up server
+resources performing the (expensive, and increasingly expensive with
+the length of the password) calculation of the corresponding hash.
+
+As of 1.4.8, Django's authentication framework imposes a 4096-byte
+limit on passwords, and will fail authentication with any submitted
+password of greater length.
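Review bot: The heading at the top of this new file reads "Django 1.4.7 release notes", but the file is docs/releases/1.4.8.txt and the body refers to 1.4.8 twice ("Django 1.4.8 fixes one security issue", "As of 1.4.8"). The title should say 1.4.8, otherwise the rendered docs will show two pages titled 1.4.7 and readers checking whether they have the password-length fix will be pointed at the wrong release. It would also help to say what a caller sees when the 4096-byte limit is hit: "will fail authentication" does not tell an operator whether to expect an ordinary failed login or an error, which matters when triaging login failures after the upgrade.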
diff --git a/docs/releases/1.5.4.txt b/docs/releases/1.5.4.txt
new file mode 100644
index 0000000000..00c56bc5e5
--- /dev/null
+++ b/docs/releases/1.5.4.txt
@@ -0,0 +1,21 @@
+==========================
+Django 1.5.3 release notes
+==========================
+
+*September 14, 2013*
+
+This is Django 1.5.4, the fourth release in the Django 1.5 series. It addresses
+one security issue.
+
+Denial-of-service via password hashers
+--------------------------------------
+
+In previous versions of Django no limit was imposed on the plaintext
+length of a password. This allows a denial-of-service attack through
+submission of bogus but extremely large passwords, tying up server
+resources performing the (expensive, and increasingly expensive with
+the length of the password) calculation of the corresponding hash.
+
+As of 1.5.3, Django's authentication framework imposes a 4096-byte
+limit on passwords, and will fail authentication with any submitted
+password of greater length.
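Review bot: The version numbers in this file disagree with each other: the heading says "Django 1.5.3 release notes" and the last paragraph says "As of 1.5.3", while the file is docs/releases/1.5.4.txt and the intro says "This is Django 1.5.4". Both occurrences of 1.5.3 should be 1.5.4. As written, the notes claim the 4096-byte password limit already exists in 1.5.3, which could lead someone on 1.5.3 to conclude they are not exposed to the denial-of-service issue and skip the upgrade. The intro also uses different wording from the 1.4.8 notes ("the fourth release in the Django 1.5 series" versus "fixes one security issue present in previous Django releases"); aligning the two would make it clearer that both releases carry the same fix.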