Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Browse files

[1.5.x] Add release notes and bump version numbers for 1.5.4 security…

… release.
  • Loading branch information...
commit 4607c7325dca510428f8e67a97bd73d647ffb35f 1 parent 22b74fa
James Bennett ubernostrum authored
2  django/__init__.py
View
@@ -1,4 +1,4 @@
-VERSION = (1, 5, 4, 'alpha', 0)
+VERSION = (1, 5, 4, 'final', 0)
def get_version(*args, **kwargs):
# Don't litter django/__init__.py with all the get_version stuff.
4 docs/conf.py
View
@@ -52,9 +52,9 @@
# built documents.
#
# The short X.Y version.
-version = '1.5.3'
+version = '1.5.4'
# The full version, including alpha/beta/rc tags.
-release = '1.5.3'
+release = '1.5.4'
# The next version to be released
django_next_version = '1.6'
21 docs/releases/1.4.8.txt
View
@@ -0,0 +1,21 @@
+==========================
+Django 1.4.7 release notes
+==========================
+
+*September 14, 2013*
+
+Django 1.4.8 fixes one security issue present in previous Django releases in
+the 1.4 series.
+
+Denial-of-service via password hashers
+--------------------------------------
+
+In previous versions of Django no limit was imposed on the plaintext
+length of a password. This allows a denial-of-service attack through
+submission of bogus but extremely large passwords, tying up server
+resources performing the (expensive, and increasingly expensive with
+the length of the password) calculation of the corresponding hash.
+
+As of 1.4.8, Django's authentication framework imposes a 4096-byte
+limit on passwords, and will fail authentication with any submitted
+password of greater length.
21 docs/releases/1.5.4.txt
View
@@ -0,0 +1,21 @@
+==========================
+Django 1.5.3 release notes
+==========================
+
+*September 14, 2013*
+
+This is Django 1.5.4, the fourth release in the Django 1.5 series. It addresses
+one security issue.
+
+Denial-of-service via password hashers
+--------------------------------------
+
+In previous versions of Django no limit was imposed on the plaintext
+length of a password. This allows a denial-of-service attack through
+submission of bogus but extremely large passwords, tying up server
+resources performing the (expensive, and increasingly expensive with
+the length of the password) calculation of the corresponding hash.
+
+As of 1.5.3, Django's authentication framework imposes a 4096-byte
+limit on passwords, and will fail authentication with any submitted
+password of greater length.
2  setup.py
View
@@ -85,7 +85,7 @@ def is_package(package_name):
author_email='foundation@djangoproject.com',
description=('A high-level Python Web framework that encourages '
'rapid development and clean, pragmatic design.'),
- download_url='https://www.djangoproject.com/m/releases/1.5/Django-1.5.3.tar.gz',
+ download_url='https://www.djangoproject.com/m/releases/1.5/Django-1.5.4.tar.gz',
license='BSD',
packages=packages,
package_data=package_data,
Please sign in to comment.
Something went wrong with that request. Please try again.