diff options
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/conf.py | 4 | ||||
| -rw-r--r-- | docs/releases/1.4.8.txt | 21 | ||||
| -rw-r--r-- | docs/releases/1.5.4.txt | 21 |
3 files changed, 44 insertions, 2 deletions
diff --git a/docs/conf.py b/docs/conf.py index d21665dfc4..9c5a29e1c5 100644 --- a/docs/conf.py +++ b/docs/conf.py @@ -52,9 +52,9 @@ copyright = 'Django Software Foundation and contributors' # built documents. # # The short X.Y version. -version = '1.5.3' +version = '1.5.4' # The full version, including alpha/beta/rc tags. -release = '1.5.3' +release = '1.5.4' # The next version to be released django_next_version = '1.6' diff --git a/docs/releases/1.4.8.txt b/docs/releases/1.4.8.txt new file mode 100644 index 0000000000..bec5a4b7dc --- /dev/null +++ b/docs/releases/1.4.8.txt @@ -0,0 +1,21 @@ +========================== +Django 1.4.7 release notes +========================== + +*September 14, 2013* + +Django 1.4.8 fixes one security issue present in previous Django releases in +the 1.4 series. + +Denial-of-service via password hashers +-------------------------------------- + +In previous versions of Django no limit was imposed on the plaintext +length of a password. This allows a denial-of-service attack through +submission of bogus but extremely large passwords, tying up server +resources performing the (expensive, and increasingly expensive with +the length of the password) calculation of the corresponding hash. + +As of 1.4.8, Django's authentication framework imposes a 4096-byte +limit on passwords, and will fail authentication with any submitted +password of greater length. diff --git a/docs/releases/1.5.4.txt b/docs/releases/1.5.4.txt new file mode 100644 index 0000000000..00c56bc5e5 --- /dev/null +++ b/docs/releases/1.5.4.txt @@ -0,0 +1,21 @@ +========================== +Django 1.5.3 release notes +========================== + +*September 14, 2013* + +This is Django 1.5.4, the fourth release in the Django 1.5 series. It addresses +one security issue. + +Denial-of-service via password hashers +-------------------------------------- + +In previous versions of Django no limit was imposed on the plaintext +length of a password. This allows a denial-of-service attack through +submission of bogus but extremely large passwords, tying up server +resources performing the (expensive, and increasingly expensive with +the length of the password) calculation of the corresponding hash. + +As of 1.5.3, Django's authentication framework imposes a 4096-byte +limit on passwords, and will fail authentication with any submitted +password of greater length. |