[1.4.x] Add release notes and bump version numbers for 1.4.8 security…

… release.
commit 3ffc7b52f8704443ef0c20f34bb50c9144898ef7 1 parent 3f3d887
@ubernostrum ubernostrum authored
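--- a/django/__init__.py
+++ b/django/__init__.py
@@ -1,4 +1,4 @@
-VERSION = (1, 4, 8, 'alpha', 0)
+VERSION = (1, 4, 8, 'final', 0)
 def get_version(version=None):
 """Derives a PEP386-compliant version number from VERSION."""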
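--- a/docs/conf.py
+++ b/docs/conf.py
@@ -50,9 +50,9 @@
 # built documents.
 #
 # The short X.Y version.
-version = '1.4.7'
+version = '1.4.8'
 # The full version, including alpha/beta/rc tags.
-release = '1.4.7'
+release = '1.4.8'
 # The next version to be released
 django_next_version = '1.5'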
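--- /dev/null
+++ b/docs/releases/1.4.8.txt
@@ -0,0 +1,21 @@
+==========================
+Django 1.4.7 release notes
+==========================
+
+*September 14, 2013*
+
+Django 1.4.8 fixes one security issue present in previous Django releases in
+the 1.4 series.
+
+Denial-of-service via password hashers
+--------------------------------------
+
+In previous versions of Django no limit was imposed on the plaintext
+length of a password. This allows a denial-of-service attack through
+submission of bogus but extremely large passwords, tying up server
+resources performing the (expensive, and increasingly expensive with
+the length of the password) calculation of the corresponding hash.
+
+As of 1.4.8, Django's authentication framework imposes a 4096-byte
+limit on passwords, and will fail authentication with any submitted
+password of greater length.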
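--- a/setup.py
+++ b/setup.py
@@ -75,7 +75,7 @@ def fullsplit(path, result=None):
 author = 'Django Software Foundation',
 author_email = 'foundation@djangoproject.com',
 description = 'A high-level Python Web framework that encourages rapid development and clean, pragmatic design.',
- download_url = 'https://www.djangoproject.com/m/releases/1.4/Django-1.4.7.tar.gz',
+ download_url = 'https://www.djangoproject.com/m/releases/1.4/Django-1.4.8.tar.gz',
 packages = packages,
 cmdclass = cmdclasses,
 data_files = data_files,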