From 623c4916df545f985c66a269a712e95f2724f6d0 Mon Sep 17 00:00:00 2001
From: James Bennett
Date: Sun, 15 Sep 2013 00:36:03 -0600
Subject: [PATCH] [1.6.x] Add release notes and bump version number for security release.
---
 django/__init__.py | 2 +-
 docs/releases/1.4.8.txt | 21 +++++++++++++++++++++
 docs/releases/1.5.4.txt | 21 +++++++++++++++++++++
 docs/releases/1.6.txt | 21 +++++++++++++--------
 4 files changed, 56 insertions(+), 9 deletions(-)
 create mode 100644 docs/releases/1.4.8.txt
 create mode 100644 docs/releases/1.5.4.txt
diff --git a/django/__init__.py b/django/__init__.py
index 2327551770..e9c75e142f 100644
--- a/django/__init__.py
+++ b/django/__init__.py
@@ -1,4 +1,4 @@
-VERSION = (1, 6, 0, 'beta', 3)
+VERSION = (1, 6, 0, 'beta', 4)
 
 def get_version(*args, **kwargs):
     # Don't litter django/__init__.py with all the get_version stuff.
diff --git a/docs/releases/1.4.8.txt b/docs/releases/1.4.8.txt
new file mode 100644
index 0000000000..bec5a4b7dc
--- /dev/null
+++ b/docs/releases/1.4.8.txt
@@ -0,0 +1,21 @@
+==========================
+Django 1.4.7 release notes
+==========================
+
+*September 14, 2013*
+
+Django 1.4.8 fixes one security issue present in previous Django releases in
+the 1.4 series.
+
+Denial-of-service via password hashers
+--------------------------------------
+
+In previous versions of Django no limit was imposed on the plaintext
+length of a password. This allows a denial-of-service attack through
+submission of bogus but extremely large passwords, tying up server
+resources performing the (expensive, and increasingly expensive with
+the length of the password) calculation of the corresponding hash.
+
+As of 1.4.8, Django's authentication framework imposes a 4096-byte
+limit on passwords, and will fail authentication with any submitted
+password of greater length.
diff --git a/docs/releases/1.5.4.txt b/docs/releases/1.5.4.txt
new file mode 100644
index 0000000000..00c56bc5e5
--- /dev/null
+++ b/docs/releases/1.5.4.txt
@@ -0,0 +1,21 @@
+==========================
+Django 1.5.3 release notes
+==========================
+
+*September 14, 2013*
+
+This is Django 1.5.4, the fourth release in the Django 1.5 series. It addresses
+one security issue.
+
+Denial-of-service via password hashers
+--------------------------------------
+
+In previous versions of Django no limit was imposed on the plaintext
+length of a password. This allows a denial-of-service attack through
+submission of bogus but extremely large passwords, tying up server
+resources performing the (expensive, and increasingly expensive with
+the length of the password) calculation of the corresponding hash.
+
+As of 1.5.3, Django's authentication framework imposes a 4096-byte
+limit on passwords, and will fail authentication with any submitted
+password of greater length.
diff --git a/docs/releases/1.6.txt b/docs/releases/1.6.txt
index 8bbc483542..2903038b53 100644
--- a/docs/releases/1.6.txt
+++ b/docs/releases/1.6.txt
@@ -780,6 +780,19 @@ as JSON requires string keys, you will likely run into problems if you are
 using non-string keys in ``request.session``. See the
 :ref:`session_serialization` documentation for more details.
 
+4096-byte limit on passwords
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Historically, Django has imposed no length limit on plaintext
+passwords. This enables a denial-of-service attack through submission
+of bogus but extremely large passwords, tying up server resources
+performing the (expensive, and increasingly expensive with the length
+of the password) calculation of the corresponding hash.
+
+Django now imposes a 4096-byte limit on password length, and will fail
+authentication with any submitted password of greater length.
+
+
 Miscellaneous
 ~~~~~~~~~~~~~
 
@@ -869,14 +882,6 @@ Miscellaneous
 to prevent django from deleting the temporary .pot file it generates
 before creating the .po file.
 
-* Passwords longer than 4096 bytes in length will no longer work and will
-  instead raise a ``ValueError`` when using the hasher directory or the
-  built in forms shipped with ``django.contrib.auth`` will fail validation.
-
-  The rationale behind this is a possibility of a Denial of Service attack when
-  using a slow password hasher, such as the default PBKDF2, and sending very
-  large passwords.
-
 Features deprecated in 1.6
 ==========================
 