
June 01 2017

Django bugfix release: 1.11.2

Today we've issued the 1.11.2 bugfix release.

The release package and checksums are available from our downloads page, as well as from the Python Package Index. The PGP key ID used for this release is Tim Graham: 1E8ABDC773EDE252.

May 06 2017

Django bugfix release: 1.11.1

Today we've issued the 1.11.1 bugfix release.

The release package and checksums are available from our downloads page, as well as from the Python Package Index. The PGP key ID used for this release is Tim Graham: 1E8ABDC773EDE252.

April 25 2017

DjangoCon Europe 2017 in retrospect

DjangoCon Europe 2017 upheld all the traditions established by previous editions: a volunteer-run event, speakers from all sections of the community and a commitment to stage a memorable, enjoyable conference for all attendees.

Held in a stunning Art Deco cinema in the centre of the city, this year's edition was host to over 350 Djangonauts.

The team of always-smiling and willing volunteers, led by Emanuela Dal Mas and Iacopo Spalletti under the auspices of the Fuzzy Brains association, created a stellar success on behalf of all the community.

Of note in this year's conference was an emphasis on inclusion, as expressed in the conference's manifesto. The organisers' efforts to expand the notion of inclusion were visible in the number of attendees from Africa and south Asia, nearly all of whom were also given a platform at the event. This was made possible not only by the financial assistance programme but also through the considerable logistical help the organisers were able to offer.

The conference's opening keynote talk by Anna Makarudze and Humphrey Butau on the growing Python community in Zimbabwe, and an all-woman panel discussing their journeys in technology, were just two examples of a commitment to making more space for voices and stories that are less often heard.

DjangoCon Europe continues to thrive and sparkle in the hands of the people who care about it most, and who step forward each year as volunteers who commit hundreds of hours of their time to make the best possible success of it. Once again, this care has shone through.

On behalf of the whole Django community, the Django Software Foundation would like to thank the entire organising team and all the other volunteers of this year's DjangoCon Europe, for putting on a superb and memorable production.

The next DjangoCons in Europe

The DSF Board is considering bids for DjangoCon Europe 2018-2020. If you're interested in hosting the event in one of these years, we'd like to hear from you as soon as possible.

April 04 2017

Django 1.11 released

The Django team is happy to announce the release of Django 1.11.

This version has been designated as a long-term support (LTS) release, which means that security and data loss fixes will be applied for at least the next three years. It will also receive fixes for crashing bugs, major functionality bugs in newly-introduced features, and regressions from older versions of Django for the next eight months until December 2017.

As always, the release notes cover the medley of new features in detail, but a few highlights are:

You can get Django 1.11 from our downloads page or from the Python Package Index. The PGP key ID used for this release is Tim Graham: 1E8ABDC773EDE252.

With the release of Django 1.11, Django 1.10 has reached the end of mainstream support. The final minor bugfix release (1.10.7) was issued today. Django 1.10 will receive security and data loss fixes for another eight months until December 2017.

Django 1.9 has reached the end of extended support. The final security release (1.9.13) was issued today. All Django 1.9 users are encouraged to upgrade to Django 1.10 or later.

See the downloads page for a table of supported versions and the future release schedule.

Django security releases issued: 1.10.7, 1.9.13, and 1.8.18

In accordance with our security release policy, the Django team is issuing Django 1.10.7, Django 1.9.13 and 1.8.18. These releases address two security issues detailed below. We encourage all users of Django to upgrade as soon as possible. The Django master and stable/1.11.x branches are also updated. The Django 1.11 release is forthcoming shortly in a separate blog post.

CVE-2017-7233: Open redirect and possible XSS attack via user-supplied numeric redirect URLs

Django relies on user input in some cases (e.g. django.contrib.auth.views.login() and i18n) to redirect the user to an "on success" URL. The security check for these redirects (namely django.utils.http.is_safe_url()) considered some numeric URLs (e.g. http:999999999) "safe" when they shouldn't be.

Also, if a developer relies on is_safe_url() to provide safe redirect targets and puts such a URL into a link, they could suffer from an XSS attack.
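A redirect-target check written to catch the numeric-URL case above, added here as an illustration and not Django's is_safe_url(); it assumes a set of lowercase allowed hostnames standing in for the request host, and it detects the scheme itself so the verdict does not depend on how a particular urlsplit() version parses "scheme:<digits>":

```python
import re
import unicodedata
from urllib.parse import urlsplit

# RFC 3986 scheme syntax, detected by hand rather than trusting urlsplit().
_SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*:")


def is_safe_redirect(url, allowed_hosts, require_https=False):
    """Return True only if ``url`` will land on one of ``allowed_hosts``.

    Illustrative check, not Django's code. ``allowed_hosts`` is an assumed
    set of lowercase hostnames equivalent to the request's own host.
    """
    if not url:
        return False
    # Browsers skip leading whitespace and control characters, so such a URL
    # may be parsed differently by the browser than by this check: reject it.
    if url[0].isspace() or unicodedata.category(url[0])[0] == "C":
        return False
    # Browsers treat "\" as "/" in the authority; judge the normalised form.
    url = url.replace("\\", "/")
    if url.startswith("///"):
        return False  # treated as absolute by Chrome, as a path by urlsplit()
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. a malformed IPv6 literal
        return False

    if _SCHEME_RE.match(url):
        # "http:999999999": urlsplit() yields an empty netloc and a numeric
        # path, but a WHATWG-conformant browser resolves 999999999 as the
        # IPv4 address 59.154.201.255. A scheme with no host is never safe.
        if not parts.netloc:
            return False
        scheme = url.split(":", 1)[0].lower()
        allowed_schemes = {"https"} if require_https else {"http", "https"}
        if scheme not in allowed_schemes:
            return False
    elif url.startswith("//"):
        # Scheme-relative URLs inherit the current scheme; treat as http.
        if require_https:
            return False
    else:
        # A plain path such as "/accounts/profile/" stays on the current host.
        return True
    # Absolute or scheme-relative: the hostname must match exactly.
    return (parts.hostname or "").lower() in allowed_hosts
```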

CVE-2017-7234: Open redirect vulnerability in django.views.static.serve()

A maliciously crafted URL to a Django site using the django.views.static.serve() view could redirect to any other domain. The view no longer does any redirects as they don't provide any known, useful functionality.

Note, however, that this view has always carried a warning that it is not hardened for production use and should be used only as a development aid.

Thanks Phithon Gong for reporting this issue.

Affected supported versions

  • Django master development branch
  • Django 1.11 (at release candidate status, final release forthcoming)
  • Django 1.10
  • Django 1.9
  • Django 1.8

Per our supported versions policy, Django 1.7 and older are no longer receiving security updates. Also, Django 1.9.x has reached end-of-life -- this is the final release of that series.

Resolution

Patches to resolve the issues have been applied to Django's master development branch and the 1.11, 1.10, 1.9, and 1.8 release branches. The patches may be obtained from the following changesets:

On the development master branch:

On the 1.11 release branch:

On the 1.10 release branch:

On the 1.9 release branch:

On the 1.8 release branch:

The following releases have been issued:

The PGP key ID used for these releases is Tim Graham: 1E8ABDC773EDE252.

General notes regarding security reporting

As always, we ask that potential security issues be reported via private email to security@djangoproject.com, and not via Django's Trac instance or the django-developers list. Please see our security policies for further information.

March 30 2017

DjangoCon US 2017 Update

Tickets are on sale for DjangoCon US 2017 in Spokane, WA! We’re also looking for reviewers for our talk and tutorial proposals, and our CFP and financial aid application are closing soon.

Tickets Are on Sale

Tickets are now on sale! DjangoCon US has tiered pricing, and we put together a blog post with more details. We hope to see you in Spokane August 13-18.

Call for Reviewers

We’re looking for volunteers to help review talk and tutorial proposals. This will require a few hours of time from now until April 24. Reviewing talks only takes a couple of minutes per talk. Reviewers don’t need to review all talks and tutorials and don’t need to review them all in one day. Most people find that reviewing talks for 30 minutes at a time, once or twice a week, gets them through the talks pretty quickly. If you’re interested, please email hello@djangocon.us. Thank you to all of the awesome volunteers who have already signed up!

Call for Proposals Deadline

Our Call for Proposals (CFP) deadline is quickly approaching! April 10 at midnight Anywhere on Earth is the deadline to submit a talk or tutorial proposal. We would love to see a few more tutorial proposals (tutorials are compensated!). Please get in touch with us or our wonderful speaker mentors if you need help refining or expanding on an idea.

Financial Aid Deadline

The DjangoCon US financial aid application also closes on April 10. We have more information and FAQs about financial aid on our website. The application is short and sweet, so please apply today!

March 21 2017

Django 1.11 release candidate 1 released

Django 1.11 release candidate 1 is the final opportunity for you to try out the medley of new features before Django 1.11 is released.

The release candidate stage marks the string freeze and the call for translators to submit translations. Provided no major bugs are discovered that can't be solved in the next two weeks, 1.11 final will be issued on or around April 4. Any delays will be communicated on the django-developers mailing list thread.

Please use this opportunity to help find and fix bugs (which should be reported to the issue tracker). You can grab a copy of the package from our downloads page or on PyPI.

The PGP key ID used for this release is Tim Graham: 1E8ABDC773EDE252.

March 01 2017

Django bugfix release: 1.10.6

Today we've issued the 1.10.6 bugfix release.

The release package and checksums are available from our downloads page, as well as from the Python Package Index. The PGP key ID used for this release is Tim Graham: 1E8ABDC773EDE252.

February 20 2017

Django 1.11 beta 1 released

Django 1.11 beta 1 is an opportunity for you to try out the medley of new features in Django 1.11.

Only bugs in new features and regressions from earlier versions of Django will be fixed between now and 1.11 final (also, translations will be updated following the "string freeze" when the release candidate is issued). The current release schedule calls for a release candidate about a month from now with the final release to follow about two weeks after that around April 1. We'll only be able to keep this schedule if we get early and frequent testing from the community. Updates on the release schedule are available on the django-developers mailing list.

As with all alpha and beta packages, this is not for production use. But if you'd like to take some of the new features for a spin, or to help find and fix bugs (which should be reported to the issue tracker), you can grab a copy of the beta package from our downloads page or on PyPI.

The PGP key ID used for this release is Tim Graham: 1E8ABDC773EDE252.

February 13 2017

DjangoCon US 2017 Update: Call for Proposals, Mentorship, and Financial Aid Are Open!

In case you missed the news, DjangoCon US 2017 will take place in beautiful Spokane, Washington, from August 13-18, 2017! We’ll have more information on the venue and ticket sales soon, but we’re pleased to announce the following items.

Call for Proposals (CFP)

Our CFP for talks and tutorials is now open! The deadline for submissions is April 10, 2017. We’re looking for speakers of all experience levels and backgrounds. Talk and tutorial presenters also receive free admission to DjangoCon US.

Financial Aid Application

Grants to assist with your travel and lodging expenses are available as well. Our Financial Aid application is also now open. The deadline is April 10, 2017.

Seeking Speaker Mentors

Preparing and giving a talk at a conference is no small task, and it can be even more intimidating to first-time presenters. We're looking for encouraging people with talk or tutorial experience to volunteer to be mentors for this year's DjangoCon US 2017 speakers. Mentors provide encouragement and advice to participating presenters on an informal basis.

A good mentor should:

  • have previous speaking experience
  • ...or have previous experience giving tutorials
  • be familiar with how to propose a talk or tutorial
  • be able to help construct an effective, engaging talk
  • encourage first-time speakers, non-native English speakers, or anyone needing a little boost
  • be able to provide critique, advice, or refinements on a presentation

This is a strictly volunteer position with a small time commitment. It's so rewarding to help someone else kick off their speaking career!

If you'd like to help out as a mentor, please contact us and include a quick description of yourself, your speaking experience, and why you'd like to help.

January 25 2017

Call for Volunteers - Code of Conduct Committee

Happy New Year to the Django Community! As we begin 2017, many of us are reflecting on how to maintain safe, inclusive spaces within our communities. One meaningful way to do that is to serve on the Django Code of Conduct committee. In 2013, with input from the community, Django Core members and the DSF board developed a code of conduct, the purpose of which was explained by Alex Gaynor and Jacob Kaplan Moss:

“Why do we need a code of conduct? To best keep with some of our core values: documentation and 'explicit is better than implicit.' We want to maintain a vibrant, diverse, and technically excellent community, and we believe that a part of that is writing down the standards of behavior we hold ourselves to.”

As of May 2016, Committee members serve a six month fixed term. You will serve in a rotation of being “on-call” (via email) for a week at a time in order to respond to reports from the community. This is a great service to the Django community, particularly to those who are most at risk, and it is made more manageable when shared.

If you are interested in volunteering to serve a six-month term, please review the online documentation and procedures regarding the CofC Committee, then email conduct@djangoproject.com. Thank you for reading, and all the best in 2017!

January 18 2017

Django 1.11 alpha 1 released

Django 1.11 alpha 1 is now available. It represents the first stage in the 1.11 release cycle and is an opportunity for you to try out the changes coming in Django 1.11.

Django 1.11 has a medley of new features which you can read about in the in-development 1.11 release notes.

This alpha milestone marks a complete feature freeze. The current release schedule calls for a beta release in about a month and a release candidate about a month from then. We'll only be able to keep this schedule if we get early and frequent testing from the community. Updates on the release schedule are available on the django-developers mailing list.

As with all alpha and beta packages, this is not for production use. But if you'd like to take some of the new features for a spin, or to help find and fix bugs (which should be reported to the issue tracker), you can grab a copy of the alpha package from our downloads page or on PyPI.

The PGP key ID used for this release is Tim Graham: 1E8ABDC773EDE252.

January 07 2017

2017 DSF Board Election Results

We're happy to announce the winners of the DSF Board elections for 2017.

Frank Wiles, Daniele Procida, and James Bennett were re-elected for another term. Our new Board members are Kenneth Love, Ken W. Alger, and Rebecca Conley.

Rebecca, as you may be aware, served as Board Secretary during 2016 to fill a vacancy and will be returning again this year.

We wish to thank Christophe Pettus and Karen Tracey who did not run again this year for their service and the wisdom they brought to us.

The Board will be having our first meeting in the coming days to ratify the slate of officers at which time we'll update the website accordingly.

We look forward to another great year of helping further Django and the Django Community.

January 04 2017

Django bugfix release: 1.10.5

Today we've issued the 1.10.5 bugfix release. Happy New Year!

The release package and checksums are available from our downloads page, as well as from the Python Package Index. The PGP key ID used for this release is Tim Graham: 1E8ABDC773EDE252.

December 28 2016

Django Fellowship Program: 2016 retrospective

2016 concludes my second year working full-time to support the development of Django. Here are some highlights from my weekly summaries published on the django-developers mailing list.

On the infrastructure front, I keep Django's continuous integration servers running smoothly, including the pull request checks that help keep code quality high and allow reviewers to focus on less trivial concerns. I also upgraded the djangoproject.com website to Django 1.10 and contributed several patches to third-party dependencies. I moved two under-maintained community sites, Django People and Django Snippets, to the djangoproject GitHub organization and upgraded them to supported versions of Django.

In Django's ticket tracker, I triage around 10-15 new tickets each week. A working knowledge of the 1000+ accepted tickets allows me to quickly identify duplicate and related issues and steer contributors in the right direction.

I coordinate security releases by preparing patches and backporting them to all supported versions of Django. In 2016, seven security issues were promptly fixed over five releases.

Django 1.10 marked the third consecutive on-time major release. As the release manager, I send regular email updates on the status of release blockers to django-developers, and I fix blockers when no one else has time or interest.

The Django 1.11 alpha is scheduled for mid-January with the final release scheduled for April 1. Following the 1.11 alpha release, the master development branch will target Django 2.0 and drop support for Python 2.7. I'm excited to see the simplifications and improvements we'll be able to make as a result.

Over the Python 3.6 prerelease period, I ensured compatibility with the Django master branch, including contributing several fixes and improvements for Python.

I co-mentored a Google Summer of Code project by Akshesh Doshi to add support for class-based indexes. This work is included in Django 1.11. I also made the final push to finish the template-based widget rendering patch that Preston Timmons started several years ago, and this is also included in 1.11.

While working toward the 1.11 feature release, we've had monthly bug fix releases for the 1.10 branch that have fixed over 40 regressions or bugs in new features.

On the code review front, I review an average of fifteen non-trivial patches a week from community members. Providing timely code reviews helps prevent would-be contributors from abandoning us.

I hope that gives you a good taste of what I've been doing. As always, please encourage your employer to become a corporate member of the Django Software Foundation and consider a gift to the Django Software Foundation to allow the fellowship to continue. I'm grateful for this opportunity and for the community's support. Thank you!

December 22 2016

DSF announces winner of the 2016 Malcolm Tredinnick Memorial Prize

The Django Software Foundation (DSF) is proud to announce the winner of the 2016 Malcolm Tredinnick Memorial Prize: Aisha Bello!

Aisha (@AishaXBello) joined the Django community when she attended a Django Girls workshop during EuroPython in 2015. From that point on, Aisha's trajectory in the Django world was unstoppable.

She is not only a talented developer but her desire to keep learning and sharing her knowledge with others is simply inspiring.

She organized or helped organize a huge number of Django Girls workshops in her home country of Nigeria. Thanks to her, Nigeria is on its way to becoming the world-record holder for most Django Girls events organized.

She's coached at other Django Girls events, introducing even more people to our community.

She's spoken at several conferences (including PyCon Namibia and DjangoCon US) sharing her unique knowledge and insight with the rest of us.

You can read more about her and her history at Your Django Story: Meet Aisha Bello.

She embodies the values of the Malcolm Tredinnick prize and we can't wait to see what she will achieve in the future.

Congratulations Aisha!

December 04 2016

Presenting DjangoCon Europe 2017

2017’s DjangoCon Europe takes place against the gorgeous backdrop of Florence in the springtime. Once again the event will be organised by a local committee of volunteers on behalf of the global Django community.

The event will be held in the historic Odeon Cinema in the centre of the city. It’s an architectural gem, an Art Deco interior in a Renaissance palace.

Key points

Ticket sales are now open. Early-bird rates are available until the 17th January.

The call for proposals is open too, until the 31st December.

Generous financial assistance packages are offered, to help ensure that everyone who will benefit has the opportunity to attend.

The conference can even offer discounted public transport passes (see the tickets page) valid for the duration of the event, to help you get around the city.

The call for proposals

The programme of talks will represent the vibrant diversity of interests and endeavours across the Django community, including some that you had not only never heard of, but would not have imagined. The speaker roster will also feature some of the best-known names in the world of Django. There’ll be talks from those who are leading its development into the future, and about its deepest internals - discussions on the highest technical level.

The organisers invite proposals from all. Whatever your level of technical or speaking experience, you are invited to share what you know or have done with Django with your friends and colleagues in the community.

Both the speaker line-up and the selection of talks will be curated to offer a wide and representative balance, so the platform created by DjangoCon Europe 2017 will have room for everyone.

And just in case five days in Florence are not enough, PyCon Italia immediately follows DjangoCon Europe. You’re invited to submit your talk proposal to PyCon Italia too, in the same process, by ticking a single box on the form.

The ambitions of DjangoCon Europe 2017

The conference

Each successive DjangoCon Europe has advanced new ideas about how a conference should be run and has set new standards for itself. Just measuring up to past editions is challenge enough, but the organisers of 2017’s event have ambitions for it of their own, that also extend beyond this gathering of nearly 400 Djangonauts.

The Italian context

The organisers consider DjangoCon Europe 2017 an opportunity for the whole Italian Django community to use it as a launching pad for future organisation, development and activity, so that it makes a tangible and material difference to the open-source software community and industry in Italy.

The social context

The organisers want the event to harness the energy, know-how and organisation skills in the community, and put them to work in local organisations that work to advance social inclusion, in particular, amongst women from immigrant communities, who are disproportionately marginalised and excluded socially, technologically, economically and educationally.

Responsibility and sustainability

The Django community has always generally been conscious that its technology exists in a social context and not a vacuum.

The overall themes of this DjangoCon Europe are responsibility and sustainability: responsibility to others in our industry and of our industry’s responsibility to the wider world, and the sustainability - economic, personal and social - of the industry itself.

The conference invites its attendees to participate in these discussions, and to consider how our technology’s long-term viability depends on them as much as it does on the technical brilliance of its technologists.

A Django festival of ideas and collaboration

These are ambitions and aspirations. Their vehicle will be the international festival of community that each DjangoCon Europe represents, and reinvests with new energy each year. The organisers give you Florence in the springtime, a magnificent capital of history, culture, beauty and food, and the perfect foundation for building the future with Django.

Don’t miss it.

December 01 2016

Django bugfix release issued: 1.10.4, 1.9.12, 1.8.17

Today we've issued the 1.10.4, 1.9.12, and 1.8.17 bugfix releases.

The release package and checksums are available from our downloads page, as well as from the Python Package Index. The PGP key ID used for this release is Tim Graham: 1E8ABDC773EDE252.

July 08 2015

Security releases issued: 1.8.3, 1.7.9, 1.4.21

In accordance with our security release policy, the Django team is issuing multiple releases -- Django 1.4.21, 1.7.9, and 1.8.3. These releases are now available on PyPI and our download page. These releases address several security issues detailed below. We encourage all users of Django to upgrade as soon as possible. The Django master branch has also been updated.

Denial-of-service possibility by filling session store

In previous versions of Django, the session backends created a new empty record in the session storage anytime request.session was accessed and there was a session key provided in the request cookies that didn't already have a session record. This could allow an attacker to easily create many new session records simply by sending repeated requests with unknown session keys, potentially filling up the session store or causing other users' session records to be evicted.

The built-in session backends now create a session record only if the session is actually modified; empty session records are not created. Thus this potential DoS is now only possible if the site chooses to expose a session-modifying view to anonymous users.

As each built-in session backend was fixed separately (rather than a fix in the core sessions framework), maintainers of third-party session backends should check whether the same vulnerability is present in their backend and correct it if so.

Thanks Eric Peterson and Lin Hua Cheng for reporting the issue.

This issue has been assigned the identifier CVE-2015-5143.
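The behaviour change described above, modelled in an added example that is not Django's SessionBase: an in-memory session object whose `create_on_access` flag reproduces the pre-fix backends (a record is written as soon as a request with an unknown cookie touches the session) or the fixed ones (a record is written only when the session is modified). The `backend` dict and the request replay are constructed for the illustration.

```python
import secrets


class SessionStore:
    """Minimal session object. ``backend`` is a dict standing in for the
    session table or cache; ``create_on_access=True`` reproduces the
    pre-fix behaviour, ``False`` the fixed behaviour. Illustrative only."""

    def __init__(self, backend, session_key, create_on_access):
        self.backend = backend
        self.session_key = session_key  # value of the session cookie, if any
        self.create_on_access = create_on_access
        self.modified = False
        self._data = None

    def _load(self):
        if self._data is not None:
            return self._data
        record = self.backend.get(self.session_key) if self.session_key else None
        if record is not None:
            self._data = dict(record)
        else:
            self._data = {}
            if self.create_on_access and self.session_key is not None:
                # Pre-fix behaviour: a cookie naming an unknown key caused a
                # fresh empty record to be written on every such request.
                self.session_key = secrets.token_hex(16)
                self.backend[self.session_key] = {}
        return self._data

    def get(self, key, default=None):
        return self._load().get(key, default)

    def __setitem__(self, key, value):
        self._load()[key] = value
        self.modified = True

    def save(self):
        """What the session middleware does at the end of a request."""
        if not self.modified:
            return
        if self.session_key is None or self.session_key not in self.backend:
            # Never persist under a client-chosen key: issue a fresh one.
            self.session_key = secrets.token_hex(16)
        self.backend[self.session_key] = dict(self._data)


def anonymous_reads(n_requests, create_on_access):
    """Replay n requests, each carrying a never-issued session cookie and
    hitting a view that only reads the session. Returns records created."""
    backend = {}
    for _ in range(n_requests):
        bogus_cookie = secrets.token_hex(16)  # constructed, never issued
        session = SessionStore(backend, bogus_cookie, create_on_access)
        session.get("user_id")
        session.save()
    return len(backend)


def login_then_read(create_on_access):
    """A session-modifying view must still create exactly one record that
    a follow-up request can read back."""
    backend = {}
    session = SessionStore(backend, None, create_on_access)
    session["user_id"] = 42
    session.save()
    follow_up = SessionStore(backend, session.session_key, create_on_access)
    return len(backend), follow_up.get("user_id")
```

With the fixed behaviour the read-only replay leaves the store empty, which is why the advisory says the remaining exposure is limited to session-modifying views reachable by anonymous users.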

Header injection possibility since validators accept newlines in input

Some of Django's built-in validators (django.core.validators.EmailValidator, most seriously) didn't prohibit newline characters (due to the usage of $ instead of \Z in the regular expressions). If you use values with newlines in HTTP response or email headers, you can suffer from header injection attacks. Django itself isn't vulnerable because django.http.HttpResponse and the mail sending utilities in django.core.mail prohibit newlines in HTTP and SMTP headers, respectively. While the validators have been fixed in Django, if you're creating HTTP responses or email messages in other ways, it's a good idea to ensure that those methods prohibit newlines as well. You might also want to validate that any existing data in your application doesn't contain unexpected newlines.

django.core.validators.validate_ipv4_address(), django.core.validators.validate_slug(), and django.core.validators.URLValidator are also affected. However, as of Django 1.6 the GenericIPAddressField, IPAddressField, SlugField, and URLField form fields which use these validators all strip the input, so the possibility of newlines entering your data only exists if you are using these validators outside of the form fields.

The undocumented, internally unused validate_integer() function is now stricter as it validates using a regular expression instead of simply casting the value using int() and checking if an exception was raised.

Thanks Sjoerd Job Postmus for reporting the issue.

This issue has been assigned the identifier CVE-2015-5144.
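The `$` versus `\Z` difference and the int()-versus-regex point from the two paragraphs above, in an added example that is not Django's code: the e-mail pattern is a deliberately reduced stand-in for EmailValidator, and `header_line()` is a constructed illustration of the kind of CR/LF refusal the advisory attributes to HttpResponse and django.core.mail.

```python
import re

# Reduced e-mail pattern for illustration only; not Django's EmailValidator.
_EMAIL_BODY = r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"
_EMAIL_DOLLAR = re.compile(r"^" + _EMAIL_BODY + r"$")   # the pre-fix anchoring
_EMAIL_Z = re.compile(r"^" + _EMAIL_BODY + r"\Z")       # the fixed anchoring
_INTEGER_RE = re.compile(r"^-?\d+\Z")


def email_ok_dollar(value):
    """Without re.MULTILINE, '$' also matches just before a trailing '\\n',
    so 'user@example.com\\n' passes this check."""
    return _EMAIL_DOLLAR.match(value) is not None


def email_ok_z(value):
    """'\\Z' matches only at the very end of the string."""
    return _EMAIL_Z.match(value) is not None


def integer_ok_cast(value):
    """The old validate_integer() approach: int() tolerates surrounding
    whitespace (newlines included), a leading '+' and '_' digit separators."""
    try:
        int(value)
    except (TypeError, ValueError):
        return False
    return True


def integer_ok_regex(value):
    """Regex form: an optional '-' followed by digits and nothing else."""
    return _INTEGER_RE.match(value) is not None


def header_line(name, value):
    """Build one header line, refusing CR/LF so that a value which slipped
    through a weak validator can never terminate the header and start a new
    one. Constructed illustration of the check described for HttpResponse."""
    if "\r" in value or "\n" in value:
        raise ValueError("header value must not contain CR or LF")
    return f"{name}: {value}"
```

Note that a lone `$` only admits a newline at the very end of the value; the defensive point is that any newline reaching a header builder is one too many, so the builder must reject it regardless of which validator ran first.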

Denial-of-service possibility in URL validation

django.core.validators.URLValidator included a regular expression that was extremely slow to evaluate against certain inputs. This regular expression has been simplified and optimized.

Thanks João Silva and Ross Brunton for reporting the issue.

This issue has been assigned the identifier CVE-2015-5145.

Affected supported versions

  • Django master development branch
  • Django 1.8
  • Django 1.7 (except the URL DoS issue)
  • Django 1.4 (except the URL DoS issue)

Per our supported versions policy, Django 1.5 and 1.6 are no longer receiving security updates.

Resolution

Patches have been applied to Django's master development branch and to the 1.4, 1.7, and 1.8 release branches, which resolve the issues described above. The patches may be obtained directly from the following changesets:

On the development master branch:

On the 1.8 release branch:

On the 1.7 release branch:

On the 1.4 release branch:

The following new releases have been issued:

Note: The first 1.7.9 wheel file that we uploaded was corrupt (it contained some files from 1.8). A corrected file was uploaded about 2 hours after the initial release.

The PGP key ID used for these releases is Tim Graham: 1E8ABDC773EDE252.

General notes regarding security reporting

As always, we ask that potential security issues be reported via private email to security@djangoproject.com, and not via Django's Trac instance or the django-developers list. Please see our security policies for further information.

June 29 2015

Security advisory: simple_tag does not do auto-escaping

As per our documentation, the simple_tag decorator used for creating custom template tags does not run auto-escaping on its contents (up to and including Django 1.8). The team has noticed, however, that this makes it very easy to introduce XSS vulnerabilities when using simple_tag, and we have found examples of vulnerable code in the wild.

For this reason, Django 1.9 will change this behavior to improve security. In the meantime, all users are encouraged to check every usage of simple_tag in their own template tags and ensure they are not vulnerable, as per the instructions in the 1.9 release notes.
