Loading django/__init__.py +1 −1 Original line number Diff line number Diff line VERSION = (1, 6, 0, 'beta', 3) VERSION = (1, 6, 0, 'beta', 4) def get_version(*args, **kwargs): # Don't litter django/__init__.py with all the get_version stuff. Loading docs/releases/1.4.8.txt 0 → 100644 +21 −0 Original line number Diff line number Diff line ========================== Django 1.4.7 release notes ========================== *September 14, 2013* Django 1.4.8 fixes one security issue present in previous Django releases in the 1.4 series. Denial-of-service via password hashers -------------------------------------- In previous versions of Django no limit was imposed on the plaintext length of a password. This allows a denial-of-service attack through submission of bogus but extremely large passwords, tying up server resources performing the (expensive, and increasingly expensive with the length of the password) calculation of the corresponding hash. As of 1.4.8, Django's authentication framework imposes a 4096-byte limit on passwords, and will fail authentication with any submitted password of greater length. docs/releases/1.5.4.txt 0 → 100644 +21 −0 Original line number Diff line number Diff line ========================== Django 1.5.3 release notes ========================== *September 14, 2013* This is Django 1.5.4, the fourth release in the Django 1.5 series. It addresses one security issue. Denial-of-service via password hashers -------------------------------------- In previous versions of Django no limit was imposed on the plaintext length of a password. This allows a denial-of-service attack through submission of bogus but extremely large passwords, tying up server resources performing the (expensive, and increasingly expensive with the length of the password) calculation of the corresponding hash. As of 1.5.3, Django's authentication framework imposes a 4096-byte limit on passwords, and will fail authentication with any submitted password of greater length. docs/releases/1.6.txt +13 −8 Original line number Diff line number Diff line Loading @@ -780,6 +780,19 @@ as JSON requires string keys, you will likely run into problems if you are using non-string keys in ``request.session``. See the :ref:`session_serialization` documentation for more details. 4096-byte limit on passwords ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Historically, Django has imposed no length limit on plaintext passwords. This enables a denial-of-service attack through submission of bogus but extremely large passwords, tying up server resources performing the (expensive, and increasingly expensive with the length of the password) calculation of the corresponding hash. Django now imposes a 4096-byte limit on password length, and will fail authentication with any submitted password of greater length. Miscellaneous ~~~~~~~~~~~~~ Loading Loading @@ -869,14 +882,6 @@ Miscellaneous to prevent django from deleting the temporary .pot file it generates before creating the .po file. * Passwords longer than 4096 bytes in length will no longer work and will instead raise a ``ValueError`` when using the hasher directory or the built in forms shipped with ``django.contrib.auth`` will fail validation. The rationale behind this is a possibility of a Denial of Service attack when using a slow password hasher, such as the default PBKDF2, and sending very large passwords. Features deprecated in 1.6 ========================== Loading Loading
django/__init__.py +1 −1 Original line number Diff line number Diff line VERSION = (1, 6, 0, 'beta', 3) VERSION = (1, 6, 0, 'beta', 4) def get_version(*args, **kwargs): # Don't litter django/__init__.py with all the get_version stuff. Loading
docs/releases/1.4.8.txt 0 → 100644 +21 −0 Original line number Diff line number Diff line ========================== Django 1.4.7 release notes ========================== *September 14, 2013* Django 1.4.8 fixes one security issue present in previous Django releases in the 1.4 series. Denial-of-service via password hashers -------------------------------------- In previous versions of Django no limit was imposed on the plaintext length of a password. This allows a denial-of-service attack through submission of bogus but extremely large passwords, tying up server resources performing the (expensive, and increasingly expensive with the length of the password) calculation of the corresponding hash. As of 1.4.8, Django's authentication framework imposes a 4096-byte limit on passwords, and will fail authentication with any submitted password of greater length.
docs/releases/1.5.4.txt 0 → 100644 +21 −0 Original line number Diff line number Diff line ========================== Django 1.5.3 release notes ========================== *September 14, 2013* This is Django 1.5.4, the fourth release in the Django 1.5 series. It addresses one security issue. Denial-of-service via password hashers -------------------------------------- In previous versions of Django no limit was imposed on the plaintext length of a password. This allows a denial-of-service attack through submission of bogus but extremely large passwords, tying up server resources performing the (expensive, and increasingly expensive with the length of the password) calculation of the corresponding hash. As of 1.5.3, Django's authentication framework imposes a 4096-byte limit on passwords, and will fail authentication with any submitted password of greater length.
docs/releases/1.6.txt +13 −8 Original line number Diff line number Diff line Loading @@ -780,6 +780,19 @@ as JSON requires string keys, you will likely run into problems if you are using non-string keys in ``request.session``. See the :ref:`session_serialization` documentation for more details. 4096-byte limit on passwords ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Historically, Django has imposed no length limit on plaintext passwords. This enables a denial-of-service attack through submission of bogus but extremely large passwords, tying up server resources performing the (expensive, and increasingly expensive with the length of the password) calculation of the corresponding hash. Django now imposes a 4096-byte limit on password length, and will fail authentication with any submitted password of greater length. Miscellaneous ~~~~~~~~~~~~~ Loading Loading @@ -869,14 +882,6 @@ Miscellaneous to prevent django from deleting the temporary .pot file it generates before creating the .po file. * Passwords longer than 4096 bytes in length will no longer work and will instead raise a ``ValueError`` when using the hasher directory or the built in forms shipped with ``django.contrib.auth`` will fail validation. The rationale behind this is a possibility of a Denial of Service attack when using a slow password hasher, such as the default PBKDF2, and sending very large passwords. Features deprecated in 1.6 ========================== Loading
