summaryrefslogtreecommitdiff
path: root/docs/releases/1.4.8.txt
diff options
context:
space:
mode:
Diffstat (limited to 'docs/releases/1.4.8.txt')
-rw-r--r--docs/releases/1.4.8.txt21
1 files changed, 21 insertions, 0 deletions
diff --git a/docs/releases/1.4.8.txt b/docs/releases/1.4.8.txt
new file mode 100644
index 0000000000..bec5a4b7dc
--- /dev/null
+++ b/docs/releases/1.4.8.txt
@@ -0,0 +1,21 @@
+==========================
+Django 1.4.7 release notes
+==========================
+
+*September 14, 2013*
+
+Django 1.4.8 fixes one security issue present in previous Django releases in
+the 1.4 series.
+
+Denial-of-service via password hashers
+--------------------------------------
+
+In previous versions of Django no limit was imposed on the plaintext
+length of a password. This allows a denial-of-service attack through
+submission of bogus but extremely large passwords, tying up server
+resources performing the (expensive, and increasingly expensive with
+the length of the password) calculation of the corresponding hash.
+
+As of 1.4.8, Django's authentication framework imposes a 4096-byte
+limit on passwords, and will fail authentication with any submitted
+password of greater length.
generated by cgit v1.3 (git 2.53.0) at 2026-05-01 21:43:36 +0000