mirror of https://github.com/django/django.git
34 lines
1.2 KiB
Plaintext
34 lines
1.2 KiB
Plaintext
|
==========================
|
||
|
|
Django 1.5.5 release notes
|
||
|
|
==========================
|
||
|
|
|
||
|
|
*October 22, 2013*
|
||
|
|
|
||
|
|
Django 1.5.5 fixes a couple security-related bugs and several other bugs in the
|
||
|
|
1.5 series.
|
||
|
|
|
||
|
|
Readdressed denial-of-service via password hashers
|
||
|
|
--------------------------------------------------
|
||
|
|
|
||
|
|
Django 1.5.4 imposes a 4096-byte limit on passwords in order to mitigate a
|
||
|
|
denial-of-service attack through submission of bogus but extremely large
|
||
|
|
passwords. In Django 1.5.5, we've reverted this change and instead improved
|
||
|
|
the speed of our PBKDF2 algorithm by not rehashing the key on every iteration.
|
||
|
|
|
||
|
|
Properly rotate CSRF token on login
|
||
|
|
-----------------------------------
|
||
|
|
|
||
|
|
This behavior introduced as a security hardening measure in Django 1.5.2 did
|
||
|
|
not work properly and is now fixed.
|
||
|
|
|
||
|
|
Bugfixes
|
||
|
|
========
|
||
|
|
|
||
|
|
* Fixed a data corruption bug with ``datetime_safe.datetime.combine`` (#21256).
|
||
|
|
* Fixed a Python 3 incompatability in ``django.utils.text.unescape_entities()``
|
||
|
|
(#21185).
|
||
|
|
* Fixed a couple data corruption issues with ``QuerySet`` edge cases under
|
||
|
|
Oracle and MySQL (#21203, #21126).
|
||
|
|
* Fixed crashes when using combinations of ``annotate()``,
|
||
|
|
``select_related()``, and ``only()`` (#16436).
|