[1.6.x] Add release notes and bump version number for security release.

commit 623c4916df545f985c66a269a712e95f2724f6d0 1 parent 5ecc0f8
James Bennett authored September 15, 2013
2  django/__init__.py
... ...
@@ -1,4 +1,4 @@
1  
-VERSION = (1, 6, 0, 'beta', 3)
  1
+VERSION = (1, 6, 0, 'beta', 4)
2 2
 
3 3
 def get_version(*args, **kwargs):
4 4
     # Don't litter django/__init__.py with all the get_version stuff.
21  docs/releases/1.4.8.txt
... ...
@@ -0,0 +1,21 @@
  1
+==========================
  2
+Django 1.4.7 release notes
  3
+==========================
  4
+
  5
+*September 14, 2013*
  6
+
  7
+Django 1.4.8 fixes one security issue present in previous Django releases in
  8
+the 1.4 series.
  9
+
  10
+Denial-of-service via password hashers
  11
+--------------------------------------
  12
+
  13
+In previous versions of Django no limit was imposed on the plaintext
  14
+length of a password. This allows a denial-of-service attack through
  15
+submission of bogus but extremely large passwords, tying up server
  16
+resources performing the (expensive, and increasingly expensive with
  17
+the length of the password) calculation of the corresponding hash.
  18
+
  19
+As of 1.4.8, Django's authentication framework imposes a 4096-byte
  20
+limit on passwords, and will fail authentication with any submitted
  21
+password of greater length.
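Review bot: the title in docs/releases/1.4.8.txt reads "Django 1.4.7 release notes" while the filename and the body ("Django 1.4.8 fixes one security issue", "As of 1.4.8") all refer to 1.4.8; change the title to `Django 1.4.8 release notes` (same length, so the `=` overline and underline still match). The date line also says *September 14, 2013* while the commit is dated September 15; confirm which is the actual release date before this ships.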
21  docs/releases/1.5.4.txt
... ...
@@ -0,0 +1,21 @@
  1
+==========================
  2
+Django 1.5.3 release notes
  3
+==========================
  4
+
  5
+*September 14, 2013*
  6
+
  7
+This is Django 1.5.4, the fourth release in the Django 1.5 series. It addresses
  8
+one security issue.
  9
+
  10
+Denial-of-service via password hashers
  11
+--------------------------------------
  12
+
  13
+In previous versions of Django no limit was imposed on the plaintext
  14
+length of a password. This allows a denial-of-service attack through
  15
+submission of bogus but extremely large passwords, tying up server
  16
+resources performing the (expensive, and increasingly expensive with
  17
+the length of the password) calculation of the corresponding hash.
  18
+
  19
+As of 1.5.3, Django's authentication framework imposes a 4096-byte
  20
+limit on passwords, and will fail authentication with any submitted
  21
+password of greater length.
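Review bot: two version numbers in docs/releases/1.5.4.txt are off by one. The title "Django 1.5.3 release notes" and the final sentence "As of 1.5.3, Django's authentication framework imposes" should both read 1.5.4, matching the filename and the sentence "This is Django 1.5.4, the fourth release in the Django 1.5 series." As with 1.4.8, the *September 14, 2013* date should be checked against the September 15 commit date.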
21  docs/releases/1.6.txt
@@ -780,6 +780,19 @@ as JSON requires string keys, you will likely run into problems if you are
780 780
 using non-string keys in ``request.session``. See the
781 781
 :ref:`session_serialization` documentation for more details.
782 782
 
  783
+4096-byte limit on passwords
  784
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  785
+
  786
+Historically, Django has imposed no length limit on plaintext
  787
+passwords. This enables a denial-of-service attack through submission
  788
+of bogus but extremely large passwords, tying up server resources
  789
+performing the (expensive, and increasingly expensive with the length
  790
+of the password) calculation of the corresponding hash.
  791
+
  792
+Django now imposes a 4096-byte limit on password length, and will fail
  793
+authentication with any submitted password of greater length.
  794
+
  795
+
783 796
 Miscellaneous
784 797
 ~~~~~~~~~~~~~
785 798
 
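Review bot: the new "4096-byte limit on passwords" section ends with two added blank lines (new lines 794 and 795) before "Miscellaneous", one more than the single blank line used between the other subsections in this file; drop one. The section's last sentence, "Django now imposes a 4096-byte limit on password length, and will fail authentication with any submitted password of greater length," also describes only the authentication path; the existing Miscellaneous bullet on this topic (removed in the next hunk) additionally records that the hashers raise a ``ValueError`` and that the ``django.contrib.auth`` forms fail validation, which is the behaviour a developer who calls the hashers directly will hit. Consider carrying that detail into this section.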
@@ -869,14 +882,6 @@ Miscellaneous
869 882
   to prevent django from deleting the temporary .pot file it generates before
870 883
   creating the .po file.
871 884
 
872  
-* Passwords longer than 4096 bytes in length will no longer work and will
873  
-  instead raise a ``ValueError`` when using the hasher directory or the
874  
-  built in forms shipped with ``django.contrib.auth`` will fail validation.
875  
-
876  
-  The rationale behind this is a possibility of a Denial of Service attack when
877  
-  using a slow password hasher, such as the default PBKDF2, and sending very
878  
-  large passwords.
879  
-
880 885
 Features deprecated in 1.6
881 886
 ==========================
882 887
 
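Review bot: deleting this Miscellaneous bullet removes the only statement in the 1.6 notes that passwords over 4096 bytes make the hashers raise a ``ValueError`` and make the built-in ``django.contrib.auth`` forms fail validation; the replacement section added earlier in this file only says authentication fails. Either keep this bullet or move those two sentences into the new section so the ``ValueError`` behaviour stays documented. (The bullet's "hasher directory" reads as a typo for "hasher directly"; if the text is moved rather than dropped, fix it in the move.)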
