October 23, 2013
Django 1.5.5 fixes a couple security-related bugs and several other bugs in the 1.5 series.
Django 1.5.4 imposes a 4096-byte limit on passwords in order to mitigate a denial-of-service attack through submission of bogus but extremely large passwords. In Django 1.5.5, we’ve reverted this change and instead improved the speed of our PBKDF2 algorithm by not rehashing the key on every iteration.
This behavior introduced as a security hardening measure in Django 1.5.2 did not work properly and is now fixed.
datetime_safe.datetime.combine
(#21256).django.utils.text.unescape_entities()
(#21185).QuerySet
edge cases under
Oracle and MySQL (#21203, #21126).annotate()
,
select_related()
, and only()
(#16436).django.core.servers.basehttp.WSGIServerException
has
been removed. Use socket.error
provided by the standard library instead.Jun 22, 2017