<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>Django 1.5.5 release notes — Django 1.5.9 documentation</title> <link rel="stylesheet" href="../_static/default.css" type="text/css" /> <link rel="stylesheet" href="../_static/pygments.css" type="text/css" /> <script type="text/javascript"> var DOCUMENTATION_OPTIONS = { URL_ROOT: '../', VERSION: '1.5.9', COLLAPSE_INDEX: false, FILE_SUFFIX: '.html', HAS_SOURCE: true }; </script> <script type="text/javascript" src="../_static/jquery.js"></script> <script type="text/javascript" src="../_static/underscore.js"></script> <script type="text/javascript" src="../_static/doctools.js"></script> <link rel="top" title="Django 1.5.9 documentation" href="../index.html" /> <link rel="up" title="Release notes" href="index.html" /> <link rel="next" title="Django 1.5.4 release notes" href="1.5.4.html" /> <link rel="prev" title="Django 1.5.6 release notes" href="1.5.6.html" /> <script type="text/javascript" src="../templatebuiltins.js"></script> <script type="text/javascript"> (function($) { if (!django_template_builtins) { // templatebuiltins.js missing, do nothing. return; } $(document).ready(function() { // Hyperlink Django template tags and filters var base = "../ref/templates/builtins.html"; if (base == "#") { // Special case for builtins.html itself base = ""; } // Tags are keywords, class '.k' $("div.highlight\\-html\\+django span.k").each(function(i, elem) { var tagname = $(elem).text(); if ($.inArray(tagname, django_template_builtins.ttags) != -1) { var fragment = tagname.replace(/_/, '-'); $(elem).html("<a href='" + base + "#" + fragment + "'>" + tagname + "</a>"); } }); // Filters are functions, class '.nf' $("div.highlight\\-html\\+django span.nf").each(function(i, elem) { var filtername = $(elem).text(); if ($.inArray(filtername, django_template_builtins.tfilters) != -1) { var fragment = filtername.replace(/_/, '-'); $(elem).html("<a href='" + base + "#" + fragment + "'>" + filtername + "</a>"); } }); }); })(jQuery); </script> </head> <body> <div class="document"> <div id="custom-doc" class="yui-t6"> <div id="hd"> <h1><a href="../index.html">Django 1.5.9 documentation</a></h1> <div id="global-nav"> <a title="Home page" href="../index.html">Home</a> | <a title="Table of contents" href="../contents.html">Table of contents</a> | <a title="Global index" href="../genindex.html">Index</a> | <a title="Module index" href="../py-modindex.html">Modules</a> </div> <div class="nav"> « <a href="1.5.6.html" title="Django 1.5.6 release notes">previous</a> | <a href="index.html" title="Release notes" accesskey="U">up</a> | <a href="1.5.4.html" title="Django 1.5.4 release notes">next</a> »</div> </div> <div id="bd"> <div id="yui-main"> <div class="yui-b"> <div class="yui-g" id="releases-1.5.5"> <div class="section" id="s-django-1-5-5-release-notes"> <span id="django-1-5-5-release-notes"></span><h1>Django 1.5.5 release notes<a class="headerlink" href="#django-1-5-5-release-notes" title="Permalink to this headline">¶</a></h1> <p><em>October 24, 2013</em></p> <p>Django 1.5.5 fixes a couple security-related bugs and several other bugs in the 1.5 series.</p> <div class="section" id="s-readdressed-denial-of-service-via-password-hashers"> <span id="readdressed-denial-of-service-via-password-hashers"></span><h2>Readdressed denial-of-service via password hashers<a class="headerlink" href="#readdressed-denial-of-service-via-password-hashers" title="Permalink to this headline">¶</a></h2> <p>Django 1.5.4 imposes a 4096-byte limit on passwords in order to mitigate a denial-of-service attack through submission of bogus but extremely large passwords. In Django 1.5.5, we’ve reverted this change and instead improved the speed of our PBKDF2 algorithm by not rehashing the key on every iteration.</p> </div> <div class="section" id="s-properly-rotate-csrf-token-on-login"> <span id="properly-rotate-csrf-token-on-login"></span><h2>Properly rotate CSRF token on login<a class="headerlink" href="#properly-rotate-csrf-token-on-login" title="Permalink to this headline">¶</a></h2> <p>This behavior introduced as a security hardening measure in Django 1.5.2 did not work properly and is now fixed.</p> <div class="section" id="s-bugfixes"> <span id="bugfixes"></span><h3>Bugfixes<a class="headerlink" href="#bugfixes" title="Permalink to this headline">¶</a></h3> <ul class="simple"> <li>Fixed a data corruption bug with <tt class="docutils literal"><span class="pre">datetime_safe.datetime.combine</span></tt> (#21256).</li> <li>Fixed a Python 3 incompatability in <tt class="docutils literal"><span class="pre">django.utils.text.unescape_entities()</span></tt> (#21185).</li> <li>Fixed a couple data corruption issues with <tt class="docutils literal"><span class="pre">QuerySet</span></tt> edge cases under Oracle and MySQL (#21203, #21126).</li> <li>Fixed crashes when using combinations of <tt class="docutils literal"><span class="pre">annotate()</span></tt>, <tt class="docutils literal"><span class="pre">select_related()</span></tt>, and <tt class="docutils literal"><span class="pre">only()</span></tt> (#16436).</li> </ul> </div> <div class="section" id="s-backwards-incompatible-changes"> <span id="backwards-incompatible-changes"></span><h3>Backwards incompatible changes<a class="headerlink" href="#backwards-incompatible-changes" title="Permalink to this headline">¶</a></h3> <ul class="simple"> <li>The undocumented <tt class="docutils literal"><span class="pre">django.core.servers.basehttp.WSGIServerException</span></tt> has been removed. Use <tt class="docutils literal"><span class="pre">socket.error</span></tt> provided by the standard library instead.</li> </ul> </div> </div> </div> </div> </div> </div> <div class="yui-b" id="sidebar"> <div class="sphinxsidebar"> <div class="sphinxsidebarwrapper"> <h3><a href="../contents.html">Table Of Contents</a></h3> <ul> <li><a class="reference internal" href="#">Django 1.5.5 release notes</a><ul> <li><a class="reference internal" href="#readdressed-denial-of-service-via-password-hashers">Readdressed denial-of-service via password hashers</a></li> <li><a class="reference internal" href="#properly-rotate-csrf-token-on-login">Properly rotate CSRF token on login</a><ul> <li><a class="reference internal" href="#bugfixes">Bugfixes</a></li> <li><a class="reference internal" href="#backwards-incompatible-changes">Backwards incompatible changes</a></li> </ul> </li> </ul> </li> </ul> <h3>Browse</h3> <ul> <li>Prev: <a href="1.5.6.html">Django 1.5.6 release notes</a></li> <li>Next: <a href="1.5.4.html">Django 1.5.4 release notes</a></li> </ul> <h3>You are here:</h3> <ul> <li> <a href="../index.html">Django 1.5.9 documentation</a> <ul><li><a href="index.html">Release notes</a> <ul><li>Django 1.5.5 release notes</li></ul> </li></ul> </li> </ul> <h3>This Page</h3> <ul class="this-page-menu"> <li><a href="../_sources/releases/1.5.5.txt" rel="nofollow">Show Source</a></li> </ul> <div id="searchbox" style="display: none"> <h3>Quick search</h3> <form class="search" action="../search.html" method="get"> <input type="text" name="q" /> <input type="submit" value="Go" /> <input type="hidden" name="check_keywords" value="yes" /> <input type="hidden" name="area" value="default" /> </form> <p class="searchtip" style="font-size: 90%"> Enter search terms or a module, class or function name. </p> </div> <script type="text/javascript">$('#searchbox').show(0);</script> </div> </div> <h3>Last update:</h3> <p class="topless">Aug 21, 2014</p> </div> </div> <div id="ft"> <div class="nav"> « <a href="1.5.6.html" title="Django 1.5.6 release notes">previous</a> | <a href="index.html" title="Release notes" accesskey="U">up</a> | <a href="1.5.4.html" title="Django 1.5.4 release notes">next</a> »</div> </div> </div> <div class="clearer"></div> </div> </body> </html>