forked from django/django
[1.6.x] Add release notes and bump version number for security release.
1 parent 5ecc0f8, commit 623c491
Showing 4 changed files with 56 additions and 9 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,21 @@ | ||
========================== | ||
Django 1.4.7 release notes | ||
========================== | ||
|
||
*September 14, 2013* | ||
|
||
Django 1.4.8 fixes one security issue present in previous Django releases in | ||
the 1.4 series. | ||
|
||
Denial-of-service via password hashers | ||
-------------------------------------- | ||
|
||
In previous versions of Django no limit was imposed on the plaintext | ||
length of a password. This allows a denial-of-service attack through | ||
submission of bogus but extremely large passwords, tying up server | ||
resources performing the (expensive, and increasingly expensive with | ||
the length of the password) calculation of the corresponding hash. | ||
|
||
As of 1.4.8, Django's authentication framework imposes a 4096-byte | ||
limit on passwords, and will fail authentication with any submitted | ||
password of greater length. |
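Review bot: The version numbers in this new release-notes file disagree: the heading reads "Django 1.4.7 release notes", but the opening sentence says "Django 1.4.8 fixes one security issue" and the closing paragraph says "As of 1.4.8". Make the heading and the body name the same release, because readers use these notes to decide which 1.4.x version actually enforces the 4096-byte password limit. It would also help to state whether the limit is measured on the encoded bytes of the password or on its character count, since the text says "4096-byte" without saying which encoding applies.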
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,21 @@ | ||
========================== | ||
Django 1.5.3 release notes | ||
========================== | ||
|
||
*September 14, 2013* | ||
|
||
This is Django 1.5.4, the fourth release in the Django 1.5 series. It addresses | ||
one security issue. | ||
|
||
Denial-of-service via password hashers | ||
-------------------------------------- | ||
|
||
In previous versions of Django no limit was imposed on the plaintext | ||
length of a password. This allows a denial-of-service attack through | ||
submission of bogus but extremely large passwords, tying up server | ||
resources performing the (expensive, and increasingly expensive with | ||
the length of the password) calculation of the corresponding hash. | ||
|
||
As of 1.5.3, Django's authentication framework imposes a 4096-byte | ||
limit on passwords, and will fail authentication with any submitted | ||
password of greater length. |
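Review bot: Three version references in this file conflict: the heading says "Django 1.5.3 release notes", the introduction says "This is Django 1.5.4, the fourth release in the Django 1.5 series", and the closing paragraph says "As of 1.5.3". Pick the release that carries the fix and use it in all three places; as written, a reader cannot tell whether 1.5.3 or 1.5.4 is the first 1.5.x version with the password length limit. The phrase "will fail authentication with any submitted password of greater length" could also note that an over-long password is rejected rather than hashed, which is the property that closes the denial-of-service described above it.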