==========================Django 1.5.4 release notes==========================*September 14, 2013*This is Django 1.5.4, the fourth release in the Django 1.5 series. It addressestwo security issues and one bug.Denial-of-service via password hashers======================================In previous versions of Django, no limit was imposed on the plaintextlength of a password. This allowed a denial-of-service attack throughsubmission of bogus but extremely large passwords, tying up serverresources performing the (expensive, and increasingly expensive withthe length of the password) calculation of the corresponding hash.As of 1.5.4, Django's authentication framework imposes a 4096-bytelimit on passwords, and will fail authentication with any submittedpassword of greater length.Corrected usage of :func:`~django.views.decorators.debug.sensitive_post_parameters` in :mod:`django.contrib.auth`’s admin=========================================================================================================================The decoration of the ``add_view`` and ``user_change_password`` user adminviews with :func:`~django.views.decorators.debug.sensitive_post_parameters`did not include :func:`~django.utils.decorators.method_decorator` (requiredsince the views are methods) resulting in the decorator not being properlyapplied. This usage has been fixed and:func:`~django.views.decorators.debug.sensitive_post_parameters` will nowthrow an exception if it's improperly used.Bugfixes========* Fixed a bug that prevented a ``QuerySet`` that uses:meth:`~django.db.models.query.QuerySet.prefetch_related` from being pickledand unpickled more than once (the second pickling attempt raised anexception) (#21102).