November 04 2019

Django bugfix releases issued: 2.2.7, 2.1.14, and 1.11.26

Today we've issued 2.2.7, 2.1.14, and 1.11.26 bugfix releases.

The release package and checksums are available from our downloads page, as well as from the Python Package Index. The PGP key ID used for this release is Mariusz Felisiak: 2EF56372BA48CD1B.

October 24 2019

2020 DSF Board Nominations

It is that time of year again to think about next year’s Django Software Foundation’s Board of Directors!

As you know, the Board guides the direction of the marketing, governance and outreach activities of the Django community. We provide funding, resources, and guidance to Django events on a global level. Further we provide support to the Django community with an established Code of Conduct and make decisions and enforcement recommendations for violations. We work closely with our corporate and individual members to raise funds to help support our great community.

In order for our community to continue to grow and advance the Django Web framework, we need your help. The Board of Directors consists of volunteers who are elected to one year terms. This is an excellent opportunity to help advance Django. We can’t do it without volunteers, such as yourself. For the most part, the time commitment is a few hours per month. There has been some confusion on this in the past, but anyone including current Board members, DSF Members, or the public at large can apply to the Board. It is open to all.

If you are interested in helping to support the development of Django we’d enjoy receiving your application for the Board of Directors. Please fill out the application form by Friday, November 22nd, 2019 to be considered. If it is still the 22nd of November somewhere in the world, applications will remain open.

If you have any questions about applying, the work, or the process in general please don’t hesitate to reach out via email to foundation@djangoproject.com and one of us will get back with you shortly.

Thank you for your time and we look forward to working with you in 2020.

The 2019 DSF Board of Directors

Application Form.

October 22 2019

Nominations for 2019 Malcolm Tredinnick Memorial Prize

It is that time of year again when we recognize someone from our community in memory of our friend Malcolm.

Malcolm was an early core contributor to Django and had both a huge influence and large impact on Django as we know it today. Besides being knowledgeable he was also especially friendly to new users and contributors. He exemplified what it means to be an amazing Open Source contributor. We still miss him.

The DSF Prize page summarizes the prize nicely:

The Malcolm Tredinnick Memorial Prize is a monetary prize, awarded annually, to the person who best exemplifies the spirit of Malcolm’s work - someone who welcomes, supports and nurtures newcomers; freely gives feedback and assistance to others, and helps to grow the community. The hope is that the recipient of the award will use the award stipend as a contribution to travel to a community event -- a DjangoCon, a PyCon, a sprint -- and continue in Malcolm’s footsteps.

We will take nominations until Friday, November 8th AoE and will announce the winner soon after. Please make your nominations using this Google form.

If you have any questions please reach out to the DSF Board at foundation@djangoproject.com.

October 14 2019

Django 3.0 beta 1 released

Django 3.0 beta 1 is now available. It represents the second stage in the 3.0 release cycle and is an opportunity for you to try out the changes coming in Django 3.0.

Django 3.0 has a raft of new features which you can read about in the in-development 3.0 release notes.

Only bugs in new features and regressions from earlier versions of Django will be fixed between now and 3.0 final (also, translations will be updated following the "string freeze" when the release candidate is issued). The current release schedule calls for a release candidate in a month from now with the final release to follow about two weeks after that, around December 2. Early and often testing from the community will help minimize the number of bugs in the release. Updates on the release schedule are available on the django-developers mailing list.

As with all alpha and beta packages, this is not for production use. But if you'd like to take some of the new features for a spin, or to help find and fix bugs (which should be reported to the issue tracker), you can grab a copy of the beta package from our downloads page or on PyPI.

The PGP key ID used for this release is Mariusz Felisiak: 2EF56372BA48CD1B.

October 01 2019

Django bugfix releases: 2.2.6, 2.1.13 and 1.11.25

Today we've issued the 2.2.6, 2.1.13, and 1.11.25 bugfix releases.

The release package and checksums are available from our downloads page, as well as from the Python Package Index. The PGP key ID used for this release is Carlton Gibson: E17DF5C82B4F9D00.

September 10 2019

Django 3.0 alpha 1 released

Django 3.0 alpha 1 is now available. It represents the first stage in the 3.0 release cycle and is an opportunity for you to try out the changes coming in Django 3.0.

Django 3.0 has a raft of new features which you can read about in the in-development 3.0 release notes.

This alpha milestone marks the feature freeze. The current release schedule calls for a beta release in about a month and a release candidate about a month from then. We'll only be able to keep this schedule if we get early and often testing from the community. Updates on the release schedule are available on the django-developers mailing list.

As with all alpha and beta packages, this is not for production use. But if you'd like to take some of the new features for a spin, or to help find and fix bugs (which should be reported to the issue tracker), you can grab a copy of the alpha package from our downloads page or on PyPI.

The PGP key ID used for this release is Carlton Gibson: E17DF5C82B4F9D00.

September 02 2019

Django bugfix releases issued: 2.2.5, 2.1.12, and 1.11.24

Today we've issued 2.2.5, 2.1.12, and 1.11.24 bugfix releases.

The release package and checksums are available from our downloads page, as well as from the Python Package Index. The PGP key ID used for this release is Mariusz Felisiak: 2EF56372BA48CD1B.

August 01 2019

Django security releases issued: 2.2.4, 2.1.11 and 1.11.23

In accordance with our security release policy, the Django team is issuing Django 1.11.23, Django 2.1.11, and Django 2.2.4. These releases address the security issues detailed below. We encourage all users of Django to upgrade as soon as possible.

Thanks Guido Vranken and Sage M. Abdullah for reporting these issues.

CVE-2019-14232: Denial-of-service possibility in django.utils.text.Truncator

If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable.

The regular expressions used by Truncator have been simplified in order to avoid potential backtracking issues. As a consequence, trailing punctuation may now at times be included in the truncated output.

CVE-2019-14233: Denial-of-service possibility in strip_tags()

Due to the behavior of the underlying HTMLParser, django.utils.html.strip_tags() would be extremely slow to evaluate certain inputs containing large sequences of nested incomplete HTML entities. The strip_tags() method is used to implement the corresponding striptags template filter, which was thus also vulnerable.

strip_tags() now avoids recursive calls to HTMLParser once it stops making progress removing tags (and, necessarily, incomplete HTML entities), instead of looping until the input is exhausted.

Remember that absolutely NO guarantee is provided about the results of strip_tags() being HTML safe. So NEVER mark safe the result of a strip_tags() call without escaping it first, for example with django.utils.html.escape().

CVE-2019-14234: SQL injection possibility in key and index lookups for JSONField/HStoreField

Key and index lookups for django.contrib.postgres.fields.JSONField and key lookups for django.contrib.postgres.fields.HStoreField were subject to SQL injection, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to QuerySet.filter().
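To make the defect class concrete, here is an added example (not Django's own code) that models how a JSONField key lookup such as filter(**{"data__status": value}) is compiled to SQL, contrasting a key interpolated into the statement text with the bound-parameter form, and adds the application-side guard of never expanding an untrusted dict into filter(**kwargs). The table and column names ("app_event", "data") and the helper names are constructed for the example.

```python
"""Added example (not Django's code): a stripped-down model of how a JSONField
key lookup (filter(**{"data__<key>": value})) is compiled to PostgreSQL, showing
the interpolation defect behind CVE-2019-14234 and the parameterised form.

Assumptions: table/column names are constructed; compile_* return (sql, params)
in the style of Django's SQL compiler; no database is contacted."""

import re

TABLE, COLUMN = "app_event", "data"   # constructed names for the example


def split_lookup(lookup_name):
    """'data__status' -> 'status'.  The text after '__' is the JSON key, and it
    is attacker-controlled whenever the kwargs dict is built from user input."""
    field, sep, key = lookup_name.partition("__")
    if field != COLUMN or not sep or not key:
        raise ValueError(f"unsupported lookup: {lookup_name!r}")
    return key


def compile_key_lookup_vulnerable(lookup_name, value):
    """Pre-fix shape: the key is formatted into the SQL text as a quoted
    literal, so a key containing a quote changes the statement itself."""
    key = split_lookup(lookup_name)
    sql = f"(\"{TABLE}\".\"{COLUMN}\" -> '{key}') = %s"
    return sql, [value]


def compile_key_lookup_fixed(lookup_name, value):
    """Post-fix shape: the key is a bound parameter; the SQL text is identical
    for every key and the driver is responsible for quoting it."""
    key = split_lookup(lookup_name)
    sql = f"(\"{TABLE}\".\"{COLUMN}\" -> %s) = %s"
    return sql, [key, value]


def build_where(compile_fn, **kwargs):
    """Compile filter(**kwargs)-style lookups into one WHERE clause."""
    clauses, params = [], []
    for lookup_name, value in kwargs.items():
        sql, lookup_params = compile_fn(lookup_name, value)
        clauses.append(sql)
        params.extend(lookup_params)
    return " AND ".join(clauses), params


def key_leaks_into_sql(lookup_name, value, compile_fn):
    """True if the raw key text ends up inside the SQL string rather than in
    the parameter list; that is exactly the condition that enables injection."""
    sql, _ = compile_fn(lookup_name, value)
    return split_lookup(lookup_name) in sql


# Application-side guard: a lookup name must be a plain identifier we chose.
LOOKUP_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def filter_kwargs_from_untrusted(untrusted, allowed_keys):
    """Mitigation independent of the framework fix: never expand an untrusted
    dict straight into filter(**kwargs).  Keep the lookup *names* under your
    control (allow-list) and let only the *values* come from input."""
    kwargs = {}
    for key, value in untrusted.items():
        if key not in allowed_keys or not LOOKUP_RE.match(key):
            raise ValueError(f"rejected filter key {key!r}")
        kwargs[f"{COLUMN}__{key}"] = value
    return kwargs


def is_rejected(untrusted, allowed_keys):
    """Convenience predicate: does the guard refuse this input dict?"""
    try:
        filter_kwargs_from_untrusted(untrusted, allowed_keys)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed input: a key containing a single quote, as might arrive when
    # request parameters are turned into lookup names.
    untrusted = {"data__o'clock": "shipped"}
    print(build_where(compile_key_lookup_vulnerable, **untrusted))
    print(build_where(compile_key_lookup_fixed, **untrusted))
    print(is_rejected({"o'clock": "shipped"}, {"status"}))
```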

CVE-2019-14235: Potential memory exhaustion in django.utils.encoding.uri_to_iri()

If passed certain inputs, django.utils.encoding.uri_to_iri could lead to significant memory usage due to excessive recursion when re-percent-encoding invalid UTF-8 octet sequences.

uri_to_iri() now avoids recursion when re-percent-encoding invalid UTF-8 octet sequences.

Affected supported versions

  • Django master development branch
  • Django 2.2 before version 2.2.4
  • Django 2.1 before version 2.1.11
  • Django 1.11 before version 1.11.23

Resolution

Patches to resolve the issue have been applied to Django's master branch and the 2.2, 2.1, and 1.11 release branches. The patches may be obtained from the following changesets:

On the development master branch:

On the Django 2.2 release branch:

On the Django 2.1 release branch:

On the Django 1.11 release branch:

The following releases have been issued:

The PGP key ID used for this release is Carlton Gibson: E17DF5C82B4F9D00.

General notes regarding security reporting

As always, we ask that potential security issues be reported via private email to security@djangoproject.com, and not via Django's Trac instance, Django's GitHub repositories, or the django-developers list. Please see our security policies for further information.

July 20 2019

The first PyCon Africa

In just a few weeks, from the 6th to 10th of August, the first ever pan-African PyCon will take place in Accra, Ghana.

PyCon Africa 2019 is an amazing step for the rapidly growing Python community in Africa.

Django at PyCon Africa

Django will be well represented with a Django Girls workshop, several talks, and many members of the Django Software Foundation in attendance.

Numerous DSF members have attended Python events in Africa in the past, and we're excited to see the conference come to fruition. May it be the first of many!

The DSF is one of PyCon Africa's sponsors, passing on some of the donations it has received to help with its goals of supporting community development across the world.

Sponsorship

It's thanks to its sponsors that the event can go ahead. All the basic costs of the event are now covered and attendees from many African countries will be represented. However, the organisers are looking for further sponsorship for the financial assistance programme.

Travel, even within Africa and to a well-connected city like Accra, is expensive and difficult for many Africans. Entry visas to Ghana can cost $100-200 per person, which when combined with other expenses puts the event out of the range of a lot of potential attendees.

There's an opportunity here.

Sponsoring PyCon Africa means more people from across Africa will be able to attend, strengthening the network of the African Python community and building its expertise. We’ve already seen the results of this engagement within Python, as African Pythonistas have advanced in their careers and contributed back to the software and the community (just for example, Anna Makarudze from Zimbabwe serves on the Django Software Foundation board, as Vice President of the DSF itself).

Companies interested in sponsorship should get in touch with the organising team via the website. Individuals can also contribute to the financial assistance fund via the GoFundMe page.

You can read more about the conference on the official website. Also Noah Alorwu and Abigail Mesrenyame Dogbe, two of the organizers, gave a great talk at DjangoCon Europe this year about developing their community - including an announcement for the first DjangoCon Africa next year!

July 03 2019

DjangoCon Australia 2019: Tickets on sale 🎟️

For the 7th year running, DjangoCon Australia is coming up on August 2nd. Just like last year, the sibling conference to DjangoCons EU and US is on in Sydney at the International Convention Centre.

DjangoCon Australia is a one-day event, organized as a specialist track as part of PyCon AU. Packed with talks about best practices, communities, contributions, and the present and future of Django, DjangoCon Australia 2019 will be bigger than ever.

There are still tickets available for DjangoCon Australia and PyCon AU. You can join for one day with tickets starting at AU$150 for just the DjangoCon AU day, or AU$490 for all three days. We also have significant discounts for student attendees, and we also have Contributor ✨ tickets for those who want to help financially support the conference.

The schedule for DjangoCon Australia and all of PyCon AU is already live, so take a look at what we have in store.

Buy your ticket before July 9 to ensure you get one of the famous PyCon AU t-shirts in a size that fits you. Shirts for DjangoCon Australia will be revealed and details announced on the day.

We hope to see you in Sydney next month!

Leigh Brenecki, Markus Holtermann, DjangoCon Australia organizers

July 02 2019

DjangoCon US 2019 Schedule Is Live 🎉

We are a little over two months away from DjangoCon US in San Diego, CA, and we are pleased to announce that our schedule is live! We received many excellent proposals, and the reviewers and program team had a difficult job choosing the final talks and tutorials. Thank you to everyone who submitted a proposal or helped to review.

Tickets for the conference are still on sale. There are a small handful of early-bird tickets left, so pick one up before they sell out! Check out our website for more information on which ticket type to select.

We have also announced our tutorials. They are $195 each, and may be purchased at the same place as the conference tickets. In other program news, this year, the third day of talks will be a single-track slate of deep-dive topics in Django. We’ll be covering async, authentication, generic views, model inheritance, using Django as a micro-framework, and WASM.

DjangoCon US will be held September 22-27 at the beautiful San Diego Marriott Mission Valley. Our hotel block rate expires August 21, but rooms are selling quickly, so reserve your room today. If you’re interested in sharing a room, we have information on that as well. We hope to see you in San Diego!

July 01 2019

Django security releases issued: 2.2.3, 2.1.10 and 1.11.22

In accordance with our security release policy, the Django team is issuing Django 1.11.22, Django 2.1.10, and Django 2.2.3. These releases address the security issues detailed below. We encourage all users of Django to upgrade as soon as possible.

Thanks Gavin Wahl for reporting this issue.

CVE-2019-12781: Incorrect HTTP detection with reverse-proxy connecting via HTTPS

When deployed behind a reverse proxy connecting to Django via HTTPS, django.http.HttpRequest.scheme would incorrectly detect client requests made via HTTP as using HTTPS. This entailed incorrect results for is_secure() and build_absolute_uri(), and meant that HTTP requests would not be redirected to HTTPS in accordance with SECURE_SSL_REDIRECT.

HttpRequest.scheme now respects SECURE_PROXY_SSL_HEADER, if it is configured and the appropriate header is set on the request, for both HTTP and HTTPS requests.

If you deploy Django behind a reverse-proxy that forwards HTTP requests, and that connects to Django via HTTPS, be sure to verify that your application correctly handles code paths relying on scheme, is_secure(), build_absolute_uri(), and SECURE_SSL_REDIRECT.
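The following is an added, simplified re-implementation of the scheme decision (not Django's own code) to show why the proxy's own TLS hop masked plain-HTTP clients, and what the corrected rule looks like. It assumes request.META is a plain dict, SECURE_PROXY_SSL_HEADER is passed in explicitly rather than read from settings, and the proxy sets X-Forwarded-Proto to the scheme the client actually used.

```python
"""Added example (not Django's code): HttpRequest.scheme logic before and after
the CVE-2019-12781 fix, modelled on a plain dict standing in for request.META.

Assumptions: the reverse proxy always connects to Django over HTTPS, so the
WSGI server reports wsgi.url_scheme == 'https' for every request regardless of
what the client used, and the proxy forwards the client's scheme in
X-Forwarded-Proto (constructed setting value below)."""

# Scheme of the hop between the reverse proxy and Django, as the WSGI server sees it.
PROXY_TO_DJANGO_SCHEME = "https"

# Constructed SECURE_PROXY_SSL_HEADER value: (META key, value meaning "client used TLS").
SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")


def scheme_vulnerable(meta, proxy_ssl_header):
    """Pre-fix behaviour: the proxy header can only *upgrade* to 'https'.

    If the header is present but does not equal the configured value (the
    client spoke plain HTTP), control falls through to wsgi.url_scheme, which
    is 'https' because the proxy itself connected over TLS."""
    if proxy_ssl_header:
        header, secure_value = proxy_ssl_header
        if meta.get(header) == secure_value:
            return "https"
    return meta.get("wsgi.url_scheme", "http")


def scheme_fixed(meta, proxy_ssl_header):
    """Post-fix behaviour: once the header is configured and present it is
    authoritative in both directions; wsgi.url_scheme is only the fallback for
    requests that carry no header at all."""
    if proxy_ssl_header:
        header, secure_value = proxy_ssl_header
        header_value = meta.get(header)
        if header_value is not None:
            return "https" if header_value == secure_value else "http"
    return meta.get("wsgi.url_scheme", "http")


def should_redirect_to_https(meta, proxy_ssl_header, secure_ssl_redirect=True):
    """Mirrors the SECURE_SSL_REDIRECT decision: redirect only non-HTTPS requests."""
    return secure_ssl_redirect and scheme_fixed(meta, proxy_ssl_header) != "https"


def make_meta(client_scheme):
    """Constructed request.META for a client that used `client_scheme` behind a
    proxy that talks HTTPS to Django."""
    return {
        "wsgi.url_scheme": PROXY_TO_DJANGO_SCHEME,
        "HTTP_X_FORWARDED_PROTO": client_scheme,
    }


if __name__ == "__main__":
    for client_scheme in ("http", "https"):
        meta = make_meta(client_scheme)
        print(
            f"client used {client_scheme}: vulnerable -> "
            f"{scheme_vulnerable(meta, SECURE_PROXY_SSL_HEADER)}, "
            f"fixed -> {scheme_fixed(meta, SECURE_PROXY_SSL_HEADER)}"
        )
```

SECURE_PROXY_SSL_HEADER is only safe to enable when the proxy overwrites that header on every request, so a client cannot supply its own value.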

Affected supported versions

  • Django master development branch
  • Django 2.2 before version 2.2.3
  • Django 2.1 before version 2.1.10
  • Django 1.11 before version 1.11.22

Resolution

Patches to resolve the issue have been applied to Django's master branch and the 2.2, 2.1, and 1.11 release branches. The patches may be obtained from the following changesets:

The following releases have been issued:

The PGP key ID used for this release is Mariusz Felisiak: 2EF56372BA48CD1B.

General notes regarding security reporting

As always, we ask that potential security issues be reported via private email to security@djangoproject.com, and not via Django's Trac instance, Django's GitHub repositories, or the django-developers list. Please see our security policies for further information.

June 03 2019

Django security releases issued: 2.2.2, 2.1.9 and 1.11.21

In accordance with our security release policy, the Django team is issuing Django 1.11.21, Django 2.1.9, and Django 2.2.2. These releases address the security issues detailed below. We encourage all users of Django to upgrade as soon as possible.

CVE-2019-12308: AdminURLFieldWidget XSS

The clickable "Current URL" link generated by AdminURLFieldWidget displayed the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provided as a URL query parameter payload, could result in a clickable JavaScript link.

AdminURLFieldWidget now validates the provided value using URLValidator before displaying the clickable link. You may customise the validator by passing a validator_class kwarg to AdminURLFieldWidget.__init__(), e.g. when using ModelAdmin.formfield_overrides.
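As an added illustration (not the widget's actual template or Django's URLValidator), the example below shows why HTML escaping alone does not address this issue and what the validate-then-render pattern looks like; the scheme allow-list is assumed to mirror URLValidator's default schemes, and the render functions are stand-ins for the widget's markup.

```python
"""Added example (not Django's code): escaping alone does not stop a javascript:
link from being clickable; validating the value before rendering does.

Assumptions: ALLOWED_SCHEMES mirrors URLValidator's default schemes, and the
two render functions stand in for the widget's "Current URL" markup."""

from html import escape
from urllib.parse import urlsplit

ALLOWED_SCHEMES = ("http", "https", "ftp", "ftps")   # URLValidator's default schemes


def render_link_unvalidated(value):
    """Pre-fix shape: the value is HTML-escaped, which prevents tag injection,
    but a javascript: URL contains nothing that escaping touches and is still
    rendered as a clickable href."""
    text = escape(value)
    return f'<a href="{text}">{text}</a>'


def is_allowed_url(value):
    """Minimal stand-in for URLValidator: an allow-listed scheme and a host.
    Anything else (javascript:, data:, relative paths, bare words) fails."""
    try:
        parts = urlsplit(value)
    except ValueError:        # e.g. malformed IPv6 brackets
        return False
    return parts.scheme.lower() in ALLOWED_SCHEMES and bool(parts.netloc)


def render_link_validated(value):
    """Post-fix shape: validate first and only emit the link for values that
    pass; otherwise show the escaped text with no href at all."""
    text = escape(value)
    if is_allowed_url(value):
        return f'<a href="{text}">{text}</a>'
    return text


def has_clickable_href(rendered):
    """Check helper: did the markup end up containing a link?"""
    return rendered.startswith("<a href=")


if __name__ == "__main__":
    # Constructed inputs: a benign URL and a javascript: URL that escaping leaves intact.
    for value in ("https://example.com/?a=1&b=<x>", "javascript:void(0)"):
        print(render_link_unvalidated(value))
        print(render_link_validated(value))
```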

Affected versions

  • Django master development branch
  • Django 2.2 before version 2.2.2
  • Django 2.1 before version 2.1.9
  • Django 1.11 before version 1.11.21

Patched bundled jQuery for CVE-2019-11358: Prototype pollution

jQuery before 3.4.0 mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.

The bundled version of jQuery used by the Django admin has been patched to allow for the select2 library's use of jQuery.extend().

Affected versions

  • Django master development branch
  • Django 2.2 before version 2.2.2
  • Django 2.1 before version 2.1.9

Resolution

Patches to resolve these issues have been applied to Django's master branch and the 2.2, 2.1, and 1.11 release branches. The patches may be obtained from the following changesets:

On the master branch:

On the 2.2 release branch:

On the 2.1 release branch:

On the 1.11 release branch:

The following releases have been issued:

The PGP key ID used for these releases is Carlton Gibson: E17DF5C82B4F9D00.

General notes regarding security reporting

As always, we ask that potential security issues be reported via private email to security@djangoproject.com, and not via Django's Trac instance or the django-developers list. Please see our security policies for further information.

May 15 2019

Unauthenticated Remote Code Execution on djangoci.com

Yesterday the Django Security and Operations teams were made aware of a remote code execution vulnerability in the Django Software Foundation's Jenkins infrastructure, used to run tests on the Django code base for GitHub pull requests and release branches. In this blog post, the teams want to outline the course of events.

Impact

The Django Security and Operations teams want to assure users that at no point was there any risk of malicious releases of Django being issued or uploaded to PyPI or the Django Project website. Official Django releases have always been issued manually by releasers. Neither was there any risk to any user data related to the Django Project website or the Django bug tracker.

Timeline

On May 14th, 2019 at 07:48 UTC the Django Security team was made aware by Ai Ho through its HackerOne project that Django's Continuous Integration service was susceptible to a remote code execution vulnerability, allowing unauthenticated users to execute arbitrary code.

At 08:01 UTC, the Django Security team acknowledged the report and took immediate steps to mitigate the issue by shutting down the primary Jenkins server. The Jenkins master server was shut down by 08:10 UTC.

At 08:45 UTC, the Operations team started provisioning a new server. In cases of a compromised server, it is almost always impractical to clean it up. Starting with a fresh, clean installation is a considerably better and safer approach.

At 14:59 UTC, the new Jenkins master server was up and running again, with some configuration left to do to get Jenkins jobs working again. About 10 minutes later, at 15:09 UTC, that was the case.

At 15:44 UTC, Jenkins started running tests against GitHub pull requests again.

At 16:00 UTC, the Operations team discussed whether various Let's Encrypt certificates or keys needed to be revoked. Since there was no indication that either the account or the certificate's private key was exposed, it was deemed sufficient to rely on the auto-expiration of the Let's Encrypt certificate. A new private key for the djangoci.com certificate was nevertheless generated during the bootstrapping of the new Jenkins master server.

At 16:50 UTC, the Jenkins Windows nodes were working again and started to process jobs.

General notes regarding security reporting

As always, we ask that potential security issues be reported via private email to security@djangoproject.com or HackerOne, and not via Django's Trac instance or the django-developers list. Please see our security policies for further information.
