
October 01 2019

Django bugfix releases: 2.2.6, 2.1.13 and 1.11.25

Today we've issued the 2.2.6, 2.1.13, and 1.11.25 bugfix releases.

The release package and checksums are available from our downloads page, as well as from the Python Package Index. The PGP key ID used for this release is Carlton Gibson: E17DF5C82B4F9D00.

September 10 2019

Django 3.0 alpha 1 released

Django 3.0 alpha 1 is now available. It represents the first stage in the 3.0 release cycle and is an opportunity for you to try out the changes coming in Django 3.0.

Django 3.0 has a raft of new features which you can read about in the in-development 3.0 release notes.

This alpha milestone marks the feature freeze. The current release schedule calls for a beta release in about a month and a release candidate about a month from then. We'll only be able to keep this schedule if we get early and often testing from the community. Updates on the release schedule are available on the django-developers mailing list.

As with all alpha and beta packages, this is not for production use. But if you'd like to take some of the new features for a spin, or to help find and fix bugs (which should be reported to the issue tracker), you can grab a copy of the alpha package from our downloads page or on PyPI.

The PGP key ID used for this release is Carlton Gibson: E17DF5C82B4F9D00.

September 02 2019

Django bugfix releases issued: 2.2.5, 2.1.12, and 1.11.24

Today we've issued 2.2.5, 2.1.12, and 1.11.24 bugfix releases.

The release package and checksums are available from our downloads page, as well as from the Python Package Index. The PGP key ID used for this release is Mariusz Felisiak: 2EF56372BA48CD1B.

August 01 2019

Django security releases issued: 2.2.4, 2.1.11 and 1.11.23

In accordance with our security release policy, the Django team is issuing Django 1.11.23, Django 2.1.11, and Django 2.2.4. These releases address the security issues detailed below. We encourage all users of Django to upgrade as soon as possible.

Thanks Guido Vranken and Sage M. Abdullah for reporting these issues.

CVE-2019-14232: Denial-of-service possibility in django.utils.text.Truncator

If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable.

The regular expressions used by Truncator have been simplified in order to avoid potential backtracking issues. As a consequence, trailing punctuation may now at times be included in the truncated output.

CVE-2019-14233: Denial-of-service possibility in strip_tags()

Due to the behavior of the underlying HTMLParser, django.utils.html.strip_tags() would be extremely slow to evaluate certain inputs containing large sequences of nested incomplete HTML entities. The strip_tags() method is used to implement the corresponding striptags template filter, which was thus also vulnerable.

strip_tags() now avoids making recursive calls to HTMLParser once a pass stops making progress at removing tags (incomplete HTML entities are necessarily left as they are).

Remember that absolutely NO guarantee is provided about the results of strip_tags() being HTML safe. So NEVER mark safe the result of a strip_tags() call without escaping it first, for example with django.utils.html.escape().
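The following is an added illustration of the two points above, written for this post and not taken from Django's source: a tag stripper built on the standard library's HTMLParser that stops as soon as a pass removes nothing more (so malformed input cannot drive unbounded recursion), plus a helper that escapes the stripped result before it could ever be marked safe. The class and function names are the example's own.

```python
from html import escape
from html.parser import HTMLParser


class _TagStripper(HTMLParser):
    """Keeps only the text content the parser can recognise; tags are dropped."""

    def __init__(self):
        # convert_charrefs=False: entities pass through untouched rather than being decoded.
        super().__init__(convert_charrefs=False)
        self.fed = []

    def handle_data(self, data):
        self.fed.append(data)

    def handle_entityref(self, name):
        self.fed.append('&%s;' % name)

    def handle_charref(self, name):
        self.fed.append('&#%s;' % name)

    def get_data(self):
        return ''.join(self.fed)


def _strip_once(value):
    """One parser pass over the value."""
    stripper = _TagStripper()
    stripper.feed(value)
    stripper.close()
    return stripper.get_data()


def strip_tags(value):
    """Repeat passes until no further tags are removed, instead of recursing.

    The length check is the progress test: if a pass returned something no
    shorter than its input, the parser has nothing left it can remove, and
    continuing would only burn CPU on the same malformed fragment.
    """
    value = str(value)
    while '<' in value and '>' in value:
        new_value = _strip_once(value)
        if len(new_value) >= len(value):
            break
        value = new_value
    return value


def safe_text_from_html(value):
    """What a template should actually receive: stripped AND escaped.

    strip_tags() output is plain text with no HTML-safety guarantee, so a
    stray '<' or '&' left behind must still be escaped before rendering.
    """
    return escape(strip_tags(value))


if __name__ == '__main__':
    # Constructed sample inputs.
    print(strip_tags('<p>Hello <b>world</b></p>'))   # Hello world
    print(safe_text_from_html('<b>1 < 2</b>'))       # 1 &lt; 2
```

Note that `'a > b < c'` contains both delimiters but no tag; the first pass returns it unchanged, the length check trips, and the loop exits after exactly one pass.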

CVE-2019-14234: SQL injection possibility in key and index lookups for JSONField/HStoreField

Key and index lookups for django.contrib.postgres.fields.JSONField and key lookups for django.contrib.postgres.fields.HStoreField were subject to SQL injection, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to QuerySet.filter().
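Upgrading fixes the ORM side, but the pattern that exposed it, expanding a request-controlled dictionary straight into QuerySet.filter(**kwargs), is worth guarding in application code too. The example below is added here and is not Django code; it checks that each key is shaped like a lookup (identifiers joined by double underscores, with numeric JSON index segments allowed) and that it appears on an allowlist the view defines. The allowlist contents and function names are assumptions made for the example.

```python
import re

# Constructed allowlist: the only lookups this endpoint is prepared to expose.
ALLOWED_LOOKUPS = frozenset({'status', 'data__name', 'data__tags__contains', 'data__0'})

# A legitimate lookup is a field name followed by '__'-separated key, index or
# transform segments. Quotes, parentheses, spaces or operators never belong here.
_LOOKUP_RE = re.compile(r'^[A-Za-z_][A-Za-z0-9_]*(?:__[A-Za-z0-9_]+)*$')


def is_safe_lookup(key, allowed=ALLOWED_LOOKUPS):
    """True only for a well-formed lookup name that the view explicitly allows."""
    return isinstance(key, str) and bool(_LOOKUP_RE.match(key)) and key in allowed


def sanitize_filter_kwargs(params, allowed=ALLOWED_LOOKUPS):
    """Return a copy of params safe to expand into QuerySet.filter(**kwargs).

    Rejects the whole request on the first bad key rather than silently
    dropping it, so a tampered request is visible in logs instead of
    producing a quietly different query.
    """
    cleaned = {}
    for key, value in params.items():
        if not is_safe_lookup(key, allowed):
            raise ValueError('rejected filter lookup: %r' % (key,))
        cleaned[key] = value
    return cleaned


if __name__ == '__main__':
    # Constructed request parameters; in a view this would be request.GET.dict().
    print(sanitize_filter_kwargs({'status': 'open', 'data__name': 'report'}))
    try:
        sanitize_filter_kwargs({"data__name'; --": 'x'})
    except ValueError as exc:
        print(exc)
```

In a view this sits between the request and the ORM: `Model.objects.filter(**sanitize_filter_kwargs(request.GET.dict()))`. The allowlist is the real control; the regex only gives an early, readable rejection for obviously malformed keys.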

CVE-2019-14235: Potential memory exhaustion in django.utils.encoding.uri_to_iri()

If passed certain inputs, django.utils.encoding.uri_to_iri could lead to significant memory usage due to excessive recursion when re-percent-encoding invalid UTF-8 octet sequences.

uri_to_iri() now avoids recursion when re-percent-encoding invalid UTF-8 octet sequences.
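To show what "avoids recursion" means here, the following is an added, simplified reimplementation of the conversion (written for this post, not Django's own code): only %XX escapes that could be part of a UTF-8 sequence or an unreserved ASCII character are decoded, and invalid octets are re-percent-encoded by a codec error handler that the decoder invokes once per bad run, which is a flat loop rather than a recursive descent. The handler name and helper names are the example's own.

```python
import codecs
import string

# Octets whose %XX escape is safe to decode: unreserved ASCII (RFC 3986) and
# every byte >= 0x80 (a candidate UTF-8 byte). Reserved ASCII such as '/' or
# '%' stays escaped so the IRI keeps the same structure as the URI.
_UNRESERVED = frozenset(ord(c) for c in string.ascii_letters + string.digits + '-._~')
_HEXDIGITS = frozenset(b'0123456789abcdefABCDEF')


def _selective_unquote(uri):
    """Decode only the escapes listed above; leave everything else verbatim."""
    bits = uri.encode('utf-8').split(b'%')
    parts = [bits[0]]
    for item in bits[1:]:
        hexpart = item[:2]
        if len(hexpart) == 2 and hexpart[0] in _HEXDIGITS and hexpart[1] in _HEXDIGITS:
            value = int(hexpart, 16)
            if value >= 0x80 or value in _UNRESERVED:
                parts.append(bytes((value,)) + item[2:])
                continue
        parts.append(b'%' + item)
    return b''.join(parts)


def _repercent(exc):
    """Codec error handler: re-escape the invalid octets and resume after them.

    The UTF-8 decoder calls this for each run of undecodable bytes and then
    continues from the position returned, so input with many invalid octets
    costs one handler call per run and no additional stack depth.
    """
    if not isinstance(exc, UnicodeDecodeError):
        raise exc
    bad = exc.object[exc.start:exc.end]
    return ''.join('%%%02X' % b for b in bad), exc.end


codecs.register_error('repercent_broken_unicode', _repercent)


def uri_to_iri(uri):
    """Convert a URI to an IRI, keeping invalid UTF-8 octets percent-encoded."""
    return _selective_unquote(uri).decode('utf-8', 'repercent_broken_unicode')


if __name__ == '__main__':
    # Constructed inputs: valid UTF-8, invalid octets, and a long hostile string.
    print(uri_to_iri('/caf%C3%A9/'))      # /café/
    print(uri_to_iri('/%FF%C3'))          # /%FF%C3
    print(len(uri_to_iri('%FF' * 100000)))  # 300000, and no recursion limit hit
```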

Affected supported versions

  • Django master development branch
  • Django 2.2 before version 2.2.4
  • Django 2.1 before version 2.1.11
  • Django 1.11 before version 1.11.23

Resolution

Patches to resolve the issue have been applied to Django's master branch and the 2.2, 2.1, and 1.11 release branches. The patches may be obtained from the following changesets:

On the development master branch:

On the Django 2.2 release branch:

On the Django 2.1 release branch:

On the Django 1.11 release branch:

The following releases have been issued:

The PGP key ID used for this release is Carlton Gibson: E17DF5C82B4F9D00

General notes regarding security reporting

As always, we ask that potential security issues be reported via private email to security@djangoproject.com, and not via Django's Trac instance, Django's GitHub repositories, or the django-developers list. Please see our security policies for further information.

July 20 2019

The first PyCon Africa

In just a few weeks, from the 6th to 10th of August, the first ever pan-African PyCon will take place in Accra, Ghana.

PyCon Africa 2019 is an amazing step for the rapidly growing Python community in Africa.

Django at PyCon Africa

Django will be well represented with a Django Girls workshop, several talks, and many members of the Django Software Foundation in attendance.

Numerous DSF members have attended Python events in Africa in the past, and we're excited to see the conference come to fruition. May it be the first of many!

The DSF is one of PyCon Africa's sponsors, passing on some of the donations it has received to help with its goals of supporting community development across the world.

Sponsorship

It's thanks to its sponsors that the event can go ahead. All the basic costs of the event are now covered and attendees from many African countries will be represented. However, the organisers are looking for further sponsorship for the financial assistance programme.

Travel, even within Africa and to a well-connected city like Accra, is expensive and difficult for many Africans. Entry visas to Ghana can cost $100-200 per person, which when combined with other expenses puts the event out of the range of a lot of potential attendees.

There's an opportunity here.

Sponsoring PyCon Africa means more people from across Africa will be able to attend, strengthening the network of the African Python community and building its expertise. We’ve already seen the results of this engagement within Python, as African Pythonistas have advanced in their careers and contributed back to the software and the community (just for example, Anna Makarudze from Zimbabwe serves on the Django Software Foundation board, as Vice President of the DSF itself).

Companies interested in sponsorship should get in touch with the organising team via the website. Individuals can also contribute to the financial assistance fund via the GoFundMe page.

You can read more about the conference on the official website. Also Noah Alorwu and Abigail Mesrenyame Dogbe, two of the organizers, gave a great talk at DjangoCon Europe this year about developing their community - including an announcement for the first DjangoCon Africa next year!

July 03 2019

DjangoCon Australia 2019: Tickets on sale 🎟️

For the 7th year running, DjangoCon Australia is coming up on August 2nd. Just like last year, the sibling conference to DjangoCons EU and US, is on in Sydney at the International Convention Centre.

DjangoCon Australia is a one-day event, organized as a specialist track as part of PyCon AU. Packed with talks about best practices, communities, contributions, and the present and future of Django, DjangoCon Australia 2019 will be bigger than ever.

There are still tickets available for DjangoCon Australia and PyCon AU. You can join for one day with tickets starting at AU$150 for just the DjangoCon AU day, or AU$490 for all three days. We also have significant discounts for student attendees, and we also have Contributor ✨ tickets for those who want to help financially support the conference.

The schedule for DjangoCon Australia and all of PyCon AU is already live, so take a look at what we have in store.

Buy your ticket before July 9 to ensure you get one of the famous PyCon AU t-shirts in a size that fits you. Shirts for DjangoCon Australia will be revealed and details announced on the day.

We hope to see you in Sydney next month!

Leigh Brenecki, Markus Holtermann, DjangoCon Australia organizers

July 02 2019

DjangoCon US 2019 Schedule Is Live 🎉

We are a little over two months away from DjangoCon US in San Diego, CA, and we are pleased to announce that our schedule is live! We received many excellent proposals, and the reviewers and program team had a difficult job choosing the final talks and tutorials. Thank you to everyone who submitted a proposal or helped to review.

Tickets for the conference are still on sale. There are a small handful of early-bird tickets left, so pick one up before they sell out! Check out our website for more information on which ticket type to select.

We have also announced our tutorials. They are $195 each, and may be purchased at the same place as the conference tickets. In other program news, this year, the third day of talks will be a single-track slate of deep-dive topics in Django. We’ll be covering async, authentication, generic views, model inheritance, using Django as a micro-framework, and WASM.

DjangoCon US will be held September 22-27 at the beautiful San Diego Marriott Mission Valley. Our hotel block rate expires August 21, but rooms are selling quickly, so reserve your room today. If you’re interested in sharing a room, we have information on that as well. We hope to see you in San Diego!

July 01 2019

Django security releases issued: 2.2.3, 2.1.10 and 1.11.22

In accordance with our security release policy, the Django team is issuing Django 1.11.22, Django 2.1.10, and Django 2.2.3. These releases address the security issues detailed below. We encourage all users of Django to upgrade as soon as possible.

Thanks Gavin Wahl for reporting this issue.

CVE-2019-12781: Incorrect HTTP detection with reverse-proxy connecting via HTTPS

When deployed behind a reverse-proxy connecting to Django via HTTPS, django.http.HttpRequest.scheme would incorrectly detect client requests made via HTTP as using HTTPS. This entails incorrect results for is_secure(), and build_absolute_uri(), and that HTTP requests would not be redirected to HTTPS in accordance with SECURE_SSL_REDIRECT.

HttpRequest.scheme now respects SECURE_PROXY_SSL_HEADER, if it is configured, and the appropriate header is set on the request, for both HTTP and HTTPS requests.

If you deploy Django behind a reverse-proxy that forwards HTTP requests, and that connects to Django via HTTPS, be sure to verify that your application correctly handles code paths relying on scheme, is_secure(), build_absolute_uri(), and SECURE_SSL_REDIRECT.
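The difference between the two behaviours is easiest to see side by side. The functions below are an added reconstruction based on the description in this post, not Django's own code: the connection scheme is passed in explicitly (the value WSGI reports as wsgi.url_scheme) and the header setting has the same (header name, expected value) shape as SECURE_PROXY_SSL_HEADER. The function names are the example's own.

```python
def scheme_before_fix(meta, connection_scheme, secure_proxy_ssl_header=None):
    """Flawed logic reconstructed from the advisory (assumption, not Django's code).

    A header matching the configured value means 'https'; any other case,
    including a header that explicitly says 'http', falls back to the
    connection scheme. When the proxy talks TLS to Django, that fallback is
    always 'https', so plain-HTTP client requests are misreported.
    """
    if secure_proxy_ssl_header is not None:
        header, secure_value = secure_proxy_ssl_header
        if meta.get(header) == secure_value:
            return 'https'
    return connection_scheme


def scheme_fixed(meta, connection_scheme, secure_proxy_ssl_header=None):
    """Corrected logic: when the header is configured and present, it alone decides."""
    if secure_proxy_ssl_header is not None:
        header, secure_value = secure_proxy_ssl_header
        header_value = meta.get(header)
        if header_value is not None:
            return 'https' if header_value == secure_value else 'http'
    return connection_scheme


def needs_ssl_redirect(meta, connection_scheme, secure_proxy_ssl_header,
                       secure_ssl_redirect=True):
    """Whether a SECURE_SSL_REDIRECT-style middleware should redirect this request."""
    return secure_ssl_redirect and scheme_fixed(
        meta, connection_scheme, secure_proxy_ssl_header) != 'https'


if __name__ == '__main__':
    # Constructed scenario: proxy connects to Django over TLS, client used plain HTTP.
    setting = ('HTTP_X_FORWARDED_PROTO', 'https')
    meta = {'HTTP_X_FORWARDED_PROTO': 'http'}
    print(scheme_before_fix(meta, 'https', setting))  # https (wrong)
    print(scheme_fixed(meta, 'https', setting))       # http
    print(needs_ssl_redirect(meta, 'https', setting))  # True
```

The verification step the post asks for amounts to running requests like the constructed one through your deployment and confirming that is_secure() and build_absolute_uri() agree with what the client actually used.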

Affected supported versions

  • Django master development branch
  • Django 2.2 before version 2.2.3
  • Django 2.1 before version 2.1.10
  • Django 1.11 before version 1.11.22

Resolution

Patches to resolve the issue have been applied to Django's master branch and the 2.2, 2.1, and 1.11 release branches. The patches may be obtained from the following changesets:

The following releases have been issued:

The PGP key ID used for this release is Mariusz Felisiak: 2EF56372BA48CD1B.

General notes regarding security reporting

As always, we ask that potential security issues be reported via private email to security@djangoproject.com, and not via Django's Trac instance, Django's GitHub repositories, or the django-developers list. Please see our security policies for further information.

June 03 2019

Django security releases issued: 2.2.2, 2.1.9 and 1.11.21

In accordance with our security release policy, the Django team is issuing Django 1.11.21, Django 2.1.9, and Django 2.2.2. These releases address the security issues detailed below. We encourage all users of Django to upgrade as soon as possible.

CVE-2019-12308: AdminURLFieldWidget XSS

The clickable "Current URL" link generated by AdminURLFieldWidget displayed the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provided as a URL query parameter payload, could result in a clickable JavaScript link.

AdminURLFieldWidget now validates the provided value using URLValidator before displaying the clickable link. You may customise the validator by passing a validator_class kwarg to AdminURLFieldWidget.__init__(), e.g. when using ModelAdmin.formfield_overrides.
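As an added illustration of the fix (this is example code written for the post, not the widget's implementation), the renderer below only emits an anchor when the stored value parses as a URL with an allowed scheme and a host, and otherwise shows the value as escaped text. The scheme allowlist mirrors URLValidator's default schemes; the function names are the example's own.

```python
from html import escape
from urllib.parse import urlsplit

# Same default scheme set as URLValidator; anything else (javascript:, data:,
# vbscript:, ...) is shown as text, never as a link.
ALLOWED_SCHEMES = frozenset({'http', 'https', 'ftp', 'ftps'})


def is_safe_url_value(value):
    """Structural check: allowed scheme and a non-empty host."""
    try:
        parts = urlsplit(value)
    except ValueError:
        # urlsplit raises on some malformed IPv6 literals; treat as unsafe.
        return False
    return parts.scheme.lower() in ALLOWED_SCHEMES and bool(parts.netloc)


def render_current_url(value):
    """Render the 'Current URL' fragment: a link only for validated values."""
    if value and is_safe_url_value(value):
        return '<a href="%s">%s</a>' % (escape(value, quote=True), escape(value))
    # Fall back to plain, escaped text so the value is still visible to the admin.
    return escape(value or '')


if __name__ == '__main__':
    # Constructed sample values an admin might find stored in a URLField.
    print(render_current_url('https://example.com/x?a=1&b=2'))
    print(render_current_url('javascript:alert(1)'))
```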

Affected versions

  • Django master development branch
  • Django 2.2 before version 2.2.2
  • Django 2.1 before version 2.1.9
  • Django 1.11 before version 1.11.21

Patched bundled jQuery for CVE-2019-11358: Prototype pollution

jQuery before 3.4.0, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.

The bundled version of jQuery used by the Django admin has been patched to allow for the select2 library's use of jQuery.extend().

Affected versions

  • Django master development branch
  • Django 2.2 before version 2.2.2
  • Django 2.1 before version 2.1.9

Resolution

Patches to resolve these issues have been applied to Django's master branch and the 2.2, 2.1, and 1.11 release branches. The patches may be obtained from the following changesets:

On the master branch:

On the 2.2 release branch:

On the 2.1 release branch:

On the 1.11 release branch:

The following releases have been issued:

The PGP key ID used for these releases is Carlton Gibson: E17DF5C82B4F9D00.

General notes regarding security reporting

As always, we ask that potential security issues be reported via private email to security@djangoproject.com, and not via Django's Trac instance or the django-developers list. Please see our security policies for further information.

May 15 2019

Unauthenticated Remote Code Execution on djangoci.com

Yesterday the Django Security and Operations teams were made aware of a remote code execution vulnerability in the Django Software Foundation's Jenkins infrastructure, used to run tests on the Django code base for GitHub pull requests and release branches. In this blog post, the teams want to outline the course of events.

Impact

The Django Security and Operations teams want to assure that at no point was there any risk of malicious releases of Django being issued or uploaded to PyPI or the Django Project website. Official Django releases have always been issued manually by releasers. Neither was there any risk to any user data related to the Django Project website or the Django bug tracker.

Timeline

On May 14th, 2019 at 07:48 UTC the Django Security team was made aware by Ai Ho through its HackerOne project that Django's Continuous Integration service was susceptible to a remote code execution vulnerability, allowing unauthenticated users to execute arbitrary code.

At 08:01 UTC, the Django Security team acknowledged the report and took immediate steps to mitigate the issue by shutting down the primary Jenkins server. The Jenkins master server was shut down by 08:10 UTC.

At 08:45 UTC, the Operations team started provisioning a new server. In cases of a compromised server, it is almost always impractical to clean it up. Starting with a fresh, clean installation is a considerably better and safer approach.

At 14:59 UTC, the new Jenkins master server was up and running again, with some configuration left to do to get Jenkins jobs working again. About 10 minutes later, at 15:09 UTC, that was the case.

At 15:44 UTC, Jenkins started running tests against GitHub pull requests again.

At 16:00 UTC, the Operations team discussed the necessity of revoking various Let's Encrypt certificates or keys. However, since there was no indication that either the account or the certificate's private key was exposed, it was deemed sufficient to rely on the auto-expiration of the Let's Encrypt certificate. However, a new private key for the djangoci.com certificate was generated during the bootstrapping of the new Jenkins master server.

At 16:50 UTC, the Jenkins Windows nodes were working again and started to process jobs.

General notes regarding security reporting

As always, we ask that potential security issues be reported via private email to security@djangoproject.com or HackerOne, and not via Django's Trac instance or the django-developers list. Please see our security policies for further information.

August 01 2018

DjangoCon US 2018 Schedule Is Live

We are almost two months away from DjangoCon US in San Diego, CA, and we are pleased to announce that our schedule is live! We received many phenomenal proposals, and the reviewers and program team had a difficult job choosing the final talks and tutorials. We think you will love them as much as we do. Thank you to everyone who submitted a proposal or helped to review.

Tickets for the conference are still on sale. There are a small handful of early-bird tickets left, so pick one up before they sell out! Check out our website for more information on which ticket type to select. We have also announced our tutorials. They are $195 each, and may be purchased at the same place as the conference tickets.

DjangoCon US will be held October 14-19 at the lovely San Diego Marriott Mission Valley. Our hotel block rate expires September 13, but rooms are going fast, so reserve your room today!

Django 2.1 released

The Django team is happy to announce the release of Django 2.1.

The release notes cover the smorgasbord of new features in detail; the model “view” permission is a highlight that many will appreciate.

You can get Django 2.1 from our downloads page or from the Python Package Index. The PGP key ID used for this release is Tim Graham: 1E8ABDC773EDE252.

With the release of Django 2.1, Django 2.0 has reached the end of mainstream support. The final minor bug fix release (which is also a security release), 2.0.8, was issued today. Django 2.0 will receive security and data loss fixes until April 2019. All users are encouraged to upgrade before then to continue receiving fixes for security issues.

See the downloads page for a table of supported versions and the future release schedule.

Django security releases issued: 2.0.8 and 1.11.15

In accordance with our security release policy, the Django team is issuing Django 1.11.15 and Django 2.0.8. These releases address the security issue detailed below. We encourage all users of Django to upgrade as soon as possible.

CVE-2018-14574: Open redirect possibility in CommonMiddleware

If the django.middleware.common.CommonMiddleware and the APPEND_SLASH setting are both enabled, and if the project has a URL pattern that accepts any path ending in a slash (many content management systems have such a pattern), then a request to a maliciously crafted URL of that site could lead to a redirect to another site, enabling phishing and other attacks.
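The mechanism is that a request path beginning with two slashes, once a slash is appended and placed in a Location header, reads to the browser as a scheme-relative URL pointing at a different host. The example below is added here (written for the post, not Django's middleware code) and shows the defensive transformation for the redirect target together with a check that a Location value cannot leave the site. The function names are the example's own.

```python
from urllib.parse import urlsplit


def escape_leading_slashes(url):
    """Keep a redirect target local.

    '//other.example/' is scheme-relative and would send the browser to
    other.example; rewriting it as '/%2Fother.example/' makes it an ordinary
    path on this site.
    """
    if url.startswith('//'):
        url = '/%2F{}'.format(url[2:])
    return url


def append_slash_redirect_target(path):
    """Target an APPEND_SLASH-style redirect should use for a path lacking a trailing slash."""
    return escape_leading_slashes(path + '/')


def stays_on_site(location):
    """Defensive check before emitting a redirect: no scheme and no host means it's relative."""
    parts = urlsplit(location)
    return not parts.scheme and not parts.netloc


if __name__ == '__main__':
    # Constructed request paths, including the shape that triggered the redirect.
    for path in ('/articles', '//other.example'):
        target = append_slash_redirect_target(path)
        print(path, '->', target, 'local' if stays_on_site(target) else 'OFF-SITE')
```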

Thanks Andreas Hug for reporting this issue.

Affected supported versions

  • Django master branch
  • Django 2.1 (which will be released in a separate blog post later today)
  • Django 2.0
  • Django 1.11

Per our supported versions policy, Django 1.10 and older are no longer supported.

Resolution

Patches to resolve the issue have been applied to Django's master branch and the 2.1, 2.0, and 1.11 release branches. The patches may be obtained from the following changesets:

The following releases have been issued:

The PGP key ID used for these releases is Tim Graham: 1E8ABDC773EDE252.

General notes regarding security reporting

As always, we ask that potential security issues be reported via private email to security@djangoproject.com, and not via Django's Trac instance or the django-developers list. Please see our security policies for further information.

July 18 2018

Django 2.1 release candidate 1 released

Django 2.1 release candidate 1 is the final opportunity for you to try out the smorgasbord of new features before Django 2.1 is released.

The release candidate stage marks the string freeze and the call for translators to submit translations. Provided no major bugs are discovered that can't be solved in the next two weeks, Django 2.1 will be released on or around August 1. Any delays will be communicated on the django-developers mailing list thread.

Please use this opportunity to help find and fix bugs (which should be reported to the issue tracker). You can grab a copy of the package from our downloads page or on PyPI.

The PGP key ID used for this release is Tim Graham: 1E8ABDC773EDE252.

July 15 2018

DjangoCon AU 2018: Tickets on sale

DjangoCon Australia, the cute little sibling conference to DjangoCons EU and US, is on again next month in sunny Sydney.

A one-day event packed full of content, DjangoCon AU is run as a Specialist Track – a dedicated one-day, one track “mini conference” – inside PyCon AU.

Tickets for DjangoCon AU and PyCon AU are now on sale. If you can only join us for one day, you can get a ticket for just DjangoCon AU for only AU$150. But, if you’d like to make a long weekend of it, tickets for the full event – DjangoCon AU on the Friday, and PyCon AU on the Saturday and Sunday – are available starting from AUD$440. As part of our ongoing commitment to ensuring as many people can get to PyCon AU as possible, there are generous discounts for students, and Contributor ✨ Tickets that directly help fill the financial assistance pool of funds.

The talks lists for DjangoCon AU and all of PyCon AU are already live, so take a look at what we have in store.

Buy your tickets by August 7 2018 to ensure you get a coveted PyCon AU t-shirt. Shirts for DjangoCon AU will be revealed and details announced on the day.

We hope to see you in Sydney next month!

Katie McLaughlin, PyCon AU Conference Director, DSF Board

July 02 2018

Django bugfix releases: 2.0.7 and 1.11.14

Today we've issued the 2.0.7 and 1.11.14 bugfix releases.

The release package and checksums are available from our downloads page, as well as from the Python Package Index. The PGP key ID used for this release is Carlton Gibson: E17DF5C82B4F9D00.

June 18 2018

Django 2.1 beta 1 released

Django 2.1 beta 1 is now available. It represents the second stage in the 2.1 release cycle and is an opportunity for you to try out the changes coming in Django 2.1.

Django 2.1 has a smorgasbord of new features which you can read about in the in-development 2.1 release notes.

Only bugs in new features and regressions from earlier versions of Django will be fixed between now and 2.1 final (also, translations will be updated following the "string freeze" when the release candidate is issued). The current release schedule calls for a release candidate in a month from now with the final release to follow about two weeks after that, around August 1. Early and often testing from the community will help minimize the number of bugs in the release. Updates on the release schedule are available on the django-developers mailing list.

As with all alpha and beta packages, this is not for production use. But if you'd like to take some of the new features for a spin, or to help find and fix bugs (which should be reported to the issue tracker), you can grab a copy of the beta package from our downloads page or on PyPI.

The PGP key ID used for this release is Tim Graham: 1E8ABDC773EDE252.

June 07 2018

DjangoCon Europe 2018 - thank you

On behalf of everyone who benefits from the Django Project, the DSF would like to thank the organisers of DjangoCon Europe 2018 for the outstanding efforts they made to ensure that the event was a success for the whole community.

The organising team, and above all Raphael Michel and Tobias Kunze, who led the event every step of the way from the moment it was first proposed a year ago, gave us a DjangoCon that could not have been bettered.

It's important to remember that all the organisers were unpaid volunteers, who gave their time and energy freely and with generosity. During the event they were assisted by other volunteers, who performed a valuable role taking care of conference necessities such as networking and video recording.

As we have now come to expect from a DjangoCon Europe, the venue was an ideal setting (the beautiful Stadthalle on the Neckar), the catering and hospitality were of a very high standard and the conference programme met every requirement for a keystone event.

We're especially grateful for the unstinting and thoughtful care that was put into all the small details of the conference, and which helped guarantee it was going to be a DjangoCon that everyone could remember for the right reasons.

We are proud to have our community represented by events of this kind.

The next DjangoCons in Europe

The DSF Board is considering bids for DjangoCon Europe 2019-2020. If you're interested in hosting the event in one of these years, we'd like to hear from you as soon as possible.

June 01 2018

Django bugfix release: 2.0.6

Today we've issued the 2.0.6 bugfix release.

The release package and checksums are available from our downloads page, as well as from the Python Package Index. The PGP key ID used for this release is Carlton Gibson: E17DF5C82B4F9D00.

May 18 2018

Django 2.1 alpha 1 released

Django 2.1 alpha 1 is now available. It represents the first stage in the 2.1 release cycle and is an opportunity for you to try out the changes coming in Django 2.1.

Django 2.1 has a smorgasbord of new features which you can read about in the in-development 2.1 release notes.

This alpha milestone marks the feature freeze. The current release schedule calls for a beta release in about a month and a release candidate about a month from then. We'll only be able to keep this schedule if we get early and often testing from the community. Updates on the release schedule are available on the django-developers mailing list.

As with all alpha and beta packages, this is not for production use. But if you'd like to take some of the new features for a spin, or to help find and fix bugs (which should be reported to the issue tracker), you can grab a copy of the alpha package from our downloads page or on PyPI.

The PGP key ID used for this release is Tim Graham: 1E8ABDC773EDE252.
