| 123456789101112131415161718192021222324252627282930313233343536373839 |
- ==========================
- Django 1.5.5 release notes
- ==========================
- *October 23, 2013*
- Django 1.5.5 fixes a couple security-related bugs and several other bugs in the
- 1.5 series.
- Readdressed denial-of-service via password hashers
- --------------------------------------------------
- Django 1.5.4 imposes a 4096-byte limit on passwords in order to mitigate a
- denial-of-service attack through submission of bogus but extremely large
- passwords. In Django 1.5.5, we've reverted this change and instead improved
- the speed of our PBKDF2 algorithm by not rehashing the key on every iteration.
- Properly rotate CSRF token on login
- -----------------------------------
- This behavior introduced as a security hardening measure in Django 1.5.2 did
- not work properly and is now fixed.
- Bugfixes
- ========
- * Fixed a data corruption bug with ``datetime_safe.datetime.combine`` (#21256).
- * Fixed a Python 3 incompatibility in ``django.utils.text.unescape_entities()``
- (#21185).
- * Fixed a couple data corruption issues with ``QuerySet`` edge cases under
- Oracle and MySQL (#21203, #21126).
- * Fixed crashes when using combinations of ``annotate()``,
- ``select_related()``, and ``only()`` (#16436).
- Backwards incompatible changes
- ==============================
- * The undocumented ``django.core.servers.basehttp.WSGIServerException`` has
- been removed. Use ``socket.error`` provided by the standard library instead.
|
