Django 1.5.5 release notes
October 23, 2013
Django 1.5.5 fixes a couple security-related bugs and several other bugs in the 1.5 series.
Readdressed denial-of-service via password hashers
Django 1.5.4 imposes a 4096-byte limit on passwords in order to mitigate a denial-of-service attack through submission of bogus but extremely large passwords. In Django 1.5.5, we’ve reverted this change and instead improved the speed of our PBKDF2 algorithm by not rehashing the key on every iteration.
Properly rotate CSRF token on login
This behavior introduced as a security hardening measure in Django 1.5.2 did not work properly and is now fixed.
Bugfixes
- Fixed a data corruption bug with
datetime_safe.datetime.combine
(#21256). - Fixed a Python 3 incompatibility in
django.utils.text.unescape_entities()
(#21185). - Fixed a couple data corruption issues with
QuerySet
edge cases under Oracle and MySQL (#21203, #21126). - Fixed crashes when using combinations of
annotate()
,select_related()
, andonly()
(#16436).
Backwards incompatible changes
- The undocumented
django.core.servers.basehttp.WSGIServerException
has been removed. Usesocket.error
provided by the standard library instead.