[1.6.x] Add release notes and bump version number for security release.

2025-11-07 07:15:35 +00:00 · 2013-09-15 00:36:03 -06:00
parent 5ecc0f828e
commit 623c4916df
4 changed files with 56 additions and 9 deletions
--- a/docs/releases/1.6.txt
+++ b/docs/releases/1.6.txt
@@ -780,6 +780,19 @@ as JSON requires string keys, you will likely run into problems if you are
 using non-string keys in ``request.session``. See the
 :ref:`session_serialization` documentation for more details.

+4096-byte limit on passwords
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Historically, Django has imposed no length limit on plaintext
+passwords. This enables a denial-of-service attack through submission
+of bogus but extremely large passwords, tying up server resources
+performing the (expensive, and increasingly expensive with the length
+of the password) calculation of the corresponding hash.
+
+Django now imposes a 4096-byte limit on password length, and will fail
+authentication with any submitted password of greater length.
+
+
 Miscellaneous
 ~~~~~~~~~~~~~

@@ -869,14 +882,6 @@ Miscellaneous
  to prevent django from deleting the temporary .pot file it generates before
  creating the .po file.

-* Passwords longer than 4096 bytes in length will no longer work and will
-  instead raise a ``ValueError`` when using the hasher directory or the
-  built in forms shipped with ``django.contrib.auth`` will fail validation.
-
-  The rationale behind this is a possibility of a Denial of Service attack when
-  using a slow password hasher, such as the default PBKDF2, and sending very
-  large passwords.
-
 Features deprecated in 1.6
 ==========================