[1.4.x] Add release notes and bump version numbers for 1.4.8 security release.

django/__init__.py

@@ -1,4 +1,4 @@
-VERSION = (1, 4, 8, 'alpha', 0)
+VERSION = (1, 4, 8, 'final', 0)
 
 def get_version(version=None):
     """Derives a PEP386-compliant version number from VERSION."""

docs/conf.py

@@ -50,9 +50,9 @@ copyright = 'Django Software Foundation and contributors'
 # built documents.
 #
 # The short X.Y version.
-version = '1.4.7'
+version = '1.4.8'
 # The full version, including alpha/beta/rc tags.
-release = '1.4.7'
+release = '1.4.8'
 # The next version to be released
 django_next_version = '1.5'
 

docs/releases/1.4.8.txt

@@ -0,0 +1,21 @@
+==========================
+Django 1.4.7 release notes
+==========================
+
+*September 14, 2013*
+
+Django 1.4.8 fixes one security issue present in previous Django releases in
+the 1.4 series.
+
+Denial-of-service via password hashers
+--------------------------------------
+
+In previous versions of Django no limit was imposed on the plaintext
+length of a password. This allows a denial-of-service attack through
+submission of bogus but extremely large passwords, tying up server
+resources performing the (expensive, and increasingly expensive with
+the length of the password) calculation of the corresponding hash.
+
+As of 1.4.8, Django's authentication framework imposes a 4096-byte
+limit on passwords, and will fail authentication with any submitted
+password of greater length.

setup.py

@@ -75,7 +75,7 @@ setup(
     author = 'Django Software Foundation',
     author_email = 'foundation@djangoproject.com',
     description = 'A high-level Python Web framework that encourages rapid development and clean, pragmatic design.',
-    download_url = 'https://www.djangoproject.com/m/releases/1.4/Django-1.4.7.tar.gz',
+    download_url = 'https://www.djangoproject.com/m/releases/1.4/Django-1.4.8.tar.gz',
     packages = packages,
     cmdclass = cmdclasses,
     data_files = data_files,