[1.5.x] Add release notes and bump version numbers for 1.5.4 security release.

django/__init__.py

@@ -1,4 +1,4 @@
-VERSION = (1, 5, 4, 'alpha', 0)
+VERSION = (1, 5, 4, 'final', 0)
 
 def get_version(*args, **kwargs):
     # Don't litter django/__init__.py with all the get_version stuff.

docs/conf.py

@@ -52,9 +52,9 @@ copyright = 'Django Software Foundation and contributors'
 # built documents.
 #
 # The short X.Y version.
-version = '1.5.3'
+version = '1.5.4'
 # The full version, including alpha/beta/rc tags.
-release = '1.5.3'
+release = '1.5.4'
 # The next version to be released
 django_next_version = '1.6'
 

docs/releases/1.4.8.txt

@@ -0,0 +1,21 @@
+==========================
+Django 1.4.7 release notes
+==========================
+
+*September 14, 2013*
+
+Django 1.4.8 fixes one security issue present in previous Django releases in
+the 1.4 series.
+
+Denial-of-service via password hashers
+--------------------------------------
+
+In previous versions of Django no limit was imposed on the plaintext
+length of a password. This allows a denial-of-service attack through
+submission of bogus but extremely large passwords, tying up server
+resources performing the (expensive, and increasingly expensive with
+the length of the password) calculation of the corresponding hash.
+
+As of 1.4.8, Django's authentication framework imposes a 4096-byte
+limit on passwords, and will fail authentication with any submitted
+password of greater length.

docs/releases/1.5.4.txt

@@ -0,0 +1,21 @@
+==========================
+Django 1.5.3 release notes
+==========================
+
+*September 14, 2013*
+
+This is Django 1.5.4, the fourth release in the Django 1.5 series. It addresses
+one security issue.
+
+Denial-of-service via password hashers
+--------------------------------------
+
+In previous versions of Django no limit was imposed on the plaintext
+length of a password. This allows a denial-of-service attack through
+submission of bogus but extremely large passwords, tying up server
+resources performing the (expensive, and increasingly expensive with
+the length of the password) calculation of the corresponding hash.
+
+As of 1.5.3, Django's authentication framework imposes a 4096-byte
+limit on passwords, and will fail authentication with any submitted
+password of greater length.

setup.py

@@ -85,7 +85,7 @@ setup(
     author_email='foundation@djangoproject.com',
     description=('A high-level Python Web framework that encourages '
                  'rapid development and clean, pragmatic design.'),
-    download_url='https://www.djangoproject.com/m/releases/1.5/Django-1.5.3.tar.gz',
+    download_url='https://www.djangoproject.com/m/releases/1.5/Django-1.5.4.tar.gz',
     license='BSD',
     packages=packages,
     package_data=package_data,