django/docs/releases/1.5.5.txt

40 lines
1.4 KiB
Plaintext

==========================
Django 1.5.5 release notes
==========================
*October 23, 2013*
Django 1.5.5 fixes a couple security-related bugs and several other bugs in the
1.5 series.
Readdressed denial-of-service via password hashers
--------------------------------------------------
Django 1.5.4 imposes a 4096-byte limit on passwords in order to mitigate a
denial-of-service attack through submission of bogus but extremely large
passwords. In Django 1.5.5, we've reverted this change and instead improved
the speed of our PBKDF2 algorithm by not rehashing the key on every iteration.
Properly rotate CSRF token on login
-----------------------------------
This behavior introduced as a security hardening measure in Django 1.5.2 did
not work properly and is now fixed.
Bugfixes
========
* Fixed a data corruption bug with ``datetime_safe.datetime.combine`` (#21256).
* Fixed a Python 3 incompatibility in ``django.utils.text.unescape_entities()``
(#21185).
* Fixed a couple data corruption issues with ``QuerySet`` edge cases under
Oracle and MySQL (#21203, #21126).
* Fixed crashes when using combinations of ``annotate()``,
``select_related()``, and ``only()`` (#16436).
Backwards incompatible changes
==============================
* The undocumented ``django.core.servers.basehttp.WSGIServerException`` has
been removed. Use ``socket.error`` provided by the standard library instead.