From 4607c7325dca510428f8e67a97bd73d647ffb35f Mon Sep 17 00:00:00 2001
From: James Bennett
Date: Sun, 15 Sep 2013 00:29:31 -0600
Subject: [PATCH] [1.5.x] Add release notes and bump version numbers for 1.5.4 security release.
---
 django/__init__.py | 2 +-
 docs/conf.py | 4 ++--
 docs/releases/1.4.8.txt | 21 +++++++++++++++++++++
 docs/releases/1.5.4.txt | 21 +++++++++++++++++++++
 setup.py | 2 +-
 5 files changed, 46 insertions(+), 4 deletions(-)
 create mode 100644 docs/releases/1.4.8.txt
 create mode 100644 docs/releases/1.5.4.txt
diff --git a/django/__init__.py b/django/__init__.py
index 6baa03ac8e..00166a4a2c 100644
--- a/django/__init__.py
+++ b/django/__init__.py
@@ -1,4 +1,4 @@
-VERSION = (1, 5, 4, 'alpha', 0)
+VERSION = (1, 5, 4, 'final', 0)
 def get_version(*args, **kwargs):
     # Don't litter django/__init__.py with all the get_version stuff.
diff --git a/docs/conf.py b/docs/conf.py
index d21665dfc4..9c5a29e1c5 100644
--- a/docs/conf.py
+++ b/docs/conf.py
@@ -52,9 +52,9 @@ copyright = 'Django Software Foundation and contributors'
 # built documents.
 #
 # The short X.Y version.
-version = '1.5.3'
+version = '1.5.4'
 # The full version, including alpha/beta/rc tags.
-release = '1.5.3'
+release = '1.5.4'
 # The next version to be released
 django_next_version = '1.6'
diff --git a/docs/releases/1.4.8.txt b/docs/releases/1.4.8.txt
new file mode 100644
index 0000000000..bec5a4b7dc
--- /dev/null
+++ b/docs/releases/1.4.8.txt
@@ -0,0 +1,21 @@
+==========================
+Django 1.4.7 release notes
+==========================
+
+*September 14, 2013*
+
+Django 1.4.8 fixes one security issue present in previous Django releases in
+the 1.4 series.
+
+Denial-of-service via password hashers
+--------------------------------------
+
+In previous versions of Django no limit was imposed on the plaintext
+length of a password. This allows a denial-of-service attack through
+submission of bogus but extremely large passwords, tying up server
+resources performing the (expensive, and increasingly expensive with
+the length of the password) calculation of the corresponding hash.
+
+As of 1.4.8, Django's authentication framework imposes a 4096-byte
+limit on passwords, and will fail authentication with any submitted
+password of greater length.
diff --git a/docs/releases/1.5.4.txt b/docs/releases/1.5.4.txt
new file mode 100644
index 0000000000..00c56bc5e5
--- /dev/null
+++ b/docs/releases/1.5.4.txt
@@ -0,0 +1,21 @@
+==========================
+Django 1.5.3 release notes
+==========================
+
+*September 14, 2013*
+
+This is Django 1.5.4, the fourth release in the Django 1.5 series. It addresses
+one security issue.
+
+Denial-of-service via password hashers
+--------------------------------------
+
+In previous versions of Django no limit was imposed on the plaintext
+length of a password. This allows a denial-of-service attack through
+submission of bogus but extremely large passwords, tying up server
+resources performing the (expensive, and increasingly expensive with
+the length of the password) calculation of the corresponding hash.
+
+As of 1.5.3, Django's authentication framework imposes a 4096-byte
+limit on passwords, and will fail authentication with any submitted
+password of greater length.
diff --git a/setup.py b/setup.py
index e959d8627c..38db93d15f 100644
--- a/setup.py
+++ b/setup.py
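Review bot: The title of the new docs/releases/1.4.8.txt reads `Django 1.4.7 release notes` while the body describes the 1.4.8 release, so the heading should be `Django 1.4.8 release notes`. The docs/releases/1.5.4.txt hunk in this same commit has the matching mistake twice: its title says `Django 1.5.3 release notes` and its closing paragraph says `As of 1.5.3, Django's authentication framework imposes a 4096-byte`, where the file documents 1.5.4 and the intended text is `As of 1.5.4, Django's authentication framework imposes a 4096-byte`. These notes are what operators consult to decide whether their installed version already carries the password-length limit, so a wrong version in the title or the "As of" sentence could lead a 1.5.3 deployment to assume it is covered when the fix only ships in 1.5.4.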
@@ -85,7 +85,7 @@ setup(
     author_email='foundation@djangoproject.com',
     description=('A high-level Python Web framework that encourages '
                  'rapid development and clean, pragmatic design.'),
-    download_url='https://www.djangoproject.com/m/releases/1.5/Django-1.5.3.tar.gz',
+    download_url='https://www.djangoproject.com/m/releases/1.5/Django-1.5.4.tar.gz',
     license='BSD',
     packages=packages,
     package_data=package_data,