Posted almost 4 years ago by Miguel Magalhaes, DjangoCon Europe 2020 organizers, Markus Holtermann
We are happy to announce that DjangoCon Europe 2020 will take place in Porto, Portugal 🇵🇹! The website is already online at 2020.djangocon.eu and it will be kept up to date with the latest updates. Don't forget to follow @djangoconeurope on Twitter.
The dates are already confirmed (don't rush into buying everything so soon because we'll have discounts for DjangoCon attendees!):
Conference: May 27-29 (Wednesday-Friday)
Sprints/Workshops: May 30 and 31 (Saturday and Sunday)
There is a lot to do, but it's very much worth it – DjangoCon Europe is an extremely friendly, open, inclusive, and informative (for beginners and advanced users alike) conference. Here are some themes and examples of activities and responsibilities that we seek help with:
Communications: Press, community relations, announcements, social media, attendee tools, volunteer coordination
Support and hospitality: Helpdesk, attendee support contact, visa help, travel management, chat support for attendees, on-site volunteer organization, speaker support
Financial Aid: Setup, grant selection, aid organization
Sponsors: Outreach to companies, organizing their logistics at the event and other types of visibility
Program: Committee work, talk selection, scheduling, session chairs, sprint/open space/keynote/lightning talks session organization
Code of Conduct: Drafting documents, handling of requests and issues
Diversity advocate: Accessibility considerations, outreach on-site
Join us regardless of your prior experience: this is also an opportunity to learn! In other words, you don't have to be an expert to join. Neither are we experts in hosting such a big event … yet!
Your location prior to the event is not significant. We can do all things that need to be done in Porto ourselves. The only important thing is that you have the energy and free time to help organize a wonderful DjangoCon Europe. The official language of all this preparatory work, as well as of the conference itself, will be English.
Don't be shy 😊. For any inquiries you can email us at 2020@djangocon.eu or chat with us on Slack at DjangoConEurope2020.
Posted almost 4 years ago by Mariusz Felisiak
Today we've issued the 3.0.2 bugfix release.
The release package and checksums are available from our downloads page, as well as from the Python Package Index. The PGP key ID used for this release is Mariusz Felisiak: 2EF56372BA48CD1B.
Posted almost 4 years ago by Carlton Gibson, Mariusz Felisiak, James Bennett
In accordance with our security release policy, the Django team is issuing Django 3.0.1, Django 2.2.9 and Django 1.11.27. These releases address the security issue detailed below. We encourage all users of Django to upgrade as soon as possible.
These releases are also issued outside of our normal bugfix/release schedule, and did not have the usual one-week prenotification period. By the time the Django security team was made aware of this security issue, its mechanics were already public knowledge, and it was judged best to issue new releases of Django immediately.
CVE-2019-19844: Potential account hijack via password reset form
Django's password-reset form uses a case-insensitive query to retrieve accounts matching the email address requesting the password reset. Because this typically involves explicit or implicit case transformations, an attacker who knows the email address associated with a user account can craft an email address which is distinct from the address associated with that account, but which -- due to the behavior of Unicode case transformations -- ceases to be distinct after case transformation, or which will otherwise compare equal given database case-transformation or collation behavior. In such a situation, the attacker can receive a valid password-reset token for the user account.
To resolve this, two changes were made in Django:
After retrieving a list of potentially-matching accounts from the database, Django's password reset functionality now also checks the email address for equivalence in Python, using the recommended identifier-comparison process from Unicode Technical Report 36, section 2.11.2(B)(2).
When generating password-reset emails, Django now sends to the email address retrieved from the database, rather than the email address submitted in the password-reset request form.
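As an added example (not Django's own code), the following models the two changes above on a constructed in-memory user table: a stand-in for a case-insensitive database lookup that uppercases both sides, the Unicode TR36 re-check in Python, and sending only to the stored address. USERS, db_iexact_lookup and reset_recipients are assumptions of this example, not Django APIs.

```python
import unicodedata

# Constructed sample accounts (not real users); the stored address is the
# only one a reset token may ever be sent to.
USERS = [
    {"username": "mike", "email": "mike@example.com", "is_active": True},
    {"username": "anna", "email": "anna@example.com", "is_active": False},
]


def db_iexact_lookup(submitted):
    """Stand-in for a case-insensitive database lookup that compares UPPER()
    of both sides (the implicit case transformation the advisory describes).
    Unicode uppercasing is not injective, so this can match stored addresses
    that are byte-for-byte different from the submitted one."""
    target = submitted.upper()
    return [u for u in USERS if u["is_active"] and u["email"].upper() == target]


def unicode_ci_compare(s1, s2):
    """Identifier comparison from Unicode TR36, section 2.11.2(B)(2):
    NFKC-normalise both strings, casefold them, then compare."""
    def fold(s):
        return unicodedata.normalize("NFKC", s).casefold()
    return fold(s1) == fold(s2)


def reset_recipients(submitted):
    """Addresses a password-reset token may be sent to for one submission.
    1. Take the candidates the database lookup returns.
    2. Re-check each candidate against the submitted address in Python.
    3. Return the stored address, never the submitted string."""
    candidates = db_iexact_lookup(submitted)
    return [u["email"] for u in candidates
            if unicode_ci_compare(u["email"], submitted)]


if __name__ == "__main__":
    # Plain ASCII case difference: both checks pass; the token goes to the
    # stored address, not to the string the form received.
    print(reset_recipients("MIKE@example.com"))        # ['mike@example.com']
    # U+0131 (dotless i) uppercases to 'I', so the simulated lookup matches,
    # but the TR36 comparison does not, and no token is issued.
    print(reset_recipients("m\u0131ke@example.com"))   # []
```

The second call is the case the Python re-check exists for: the database considered the two addresses equal, the stricter NFKC+casefold comparison does not, and even a candidate that passes both checks is only ever mailed at its stored address.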
This issue was brought to the attention of the Django security team by Simon Charette, who became aware of it after reading a public disclosure of a similar issue which affected GitHub.
Affected supported versions
Django master branch
Django 3.0
Django 2.2
Django 1.11
Resolution
Patches to resolve the issue have been applied to Django's master branch and
the 3.0, 2.2, and 1.11 release branches. The patches may be obtained from the following changesets:
On the master branch
On the 3.0 release branch
On the 2.2 release branch
On the 1.11 release branch
The following releases have been issued:
Django 3.0.1 (download Django 3.0.1 | 3.0.1 checksums)
Django 2.2.9 (download Django 2.2.9 | 2.2.9 checksums)
Django 1.11.27 (download Django 1.11.27 | 1.11.27 checksums)
The PGP key ID used for these releases is Mariusz Felisiak: 2EF56372BA48CD1B.
General notes regarding security reporting
As always, we ask that potential security issues be reported via private email to security@djangoproject.com, and not via Django's Trac instance or the django-developers list. Please see our security policies for further information.
As noted above, because the underlying cause of this issue was already publicly known, these releases were issued without the usual prenotification process.
Posted almost 4 years ago by Frank Wiles
The Board of the Django Software Foundation is pleased to announce that the 2019 Malcolm Tredinnick Memorial Prize has been awarded to Jeff Triplett (@webology).
Jeff has been heavily involved in the Django Community basically since there was a Django Community. He's served on the Code of Conduct committee for many years, but most notably Jeff helped found DEFNA, which has run DjangoCon US since 2015. Jeff is also a Board Member of the Python Software Foundation.
Sara Gore, who nominated Jeff, gave this as her main reason for nominating Jeff:
Jeff has served the Django community through the DSF, DEFNA, and the PSF. He turned DjangoCon US into the amazing volunteer run conference that it is today, and mentored many conference organizers and junior developers. He is a true ally who stands up for people in our community.
The other nominees this year were:
Trey Hunner
Timothy Allen
Mariusz Felisiak
William Vincent
Every year we receive many nominations and it's always hard to pick the winner. In fact, some people like Jeff have been nominated in multiple years. Malcolm would be very proud of the legacy he has fostered in our community!
Congratulations Jeff!
Posted almost 4 years ago by Frank Wiles
Our 2020 Django Software Foundation Election results are in. The Top 7 candidates are listed below in order of their ranking:
Frank Wiles
Anna Makarudze
James Bennett
William Vincent
Kátia Nakamura
Aaron Bassett
Sayantika Banik
Our new board will take over at the next board meeting, where officer positions will be set. Congratulations to the winners and a special thank you to all that stood for this year's election.
I would also like to extend a sincere thanks to retiring Board Members Jessica Deaton, Katie McLaughlin, and Catherine Holmes. Your hard work and dedication are appreciated!
Posted about 4 years ago by Carlton Gibson
The Django team is happy to announce the release of Django 3.0.
The release notes cover the raft of new features in detail, but a few highlights are:
Django 3.0 begins our journey to making Django fully async-capable by providing support for running as an ASGI application.
Django now officially supports MariaDB 10.1 and higher.
Custom enumeration types TextChoices, IntegerChoices, and Choices are now available as a way to define model field choices.
You can get Django 3.0 from our downloads page or from the Python Package Index. The PGP key ID used for this release is Carlton Gibson: E17DF5C82B4F9D00.
With the release of Django 3.0, Django 2.2 has reached the end of mainstream support. The final minor bug fix release (which is also a security release), 2.2.8, was issued today. Django 2.2 is an LTS release and will receive security and data loss fixes until April 2022. All users are encouraged to upgrade before then to continue receiving fixes for security issues.
Django 2.1 has reached the end of extended support. All Django 2.1 users are encouraged to upgrade to Django 2.2 or later to continue receiving fixes for security issues.
See the downloads page for a table of supported versions and the future release schedule.
Posted about 4 years ago by Carlton Gibson
In accordance with our security release policy, the Django team is issuing Django 2.2.8 and Django 2.1.15. These releases address the security issue detailed below. We encourage all users of Django to upgrade as soon as possible.
CVE-2019-19118: Privilege escalation in the Django admin.
Since Django 2.1, a Django model admin displaying a parent model with related model inlines, where the user has view-only permissions to a parent model but edit permissions to the inline model, would display a read-only view of the parent model but editable forms for the inline.
Submitting these forms would not allow direct edits to the parent model, but would trigger the parent model's save() method, and cause pre- and post-save signal handlers to be invoked. This is a privilege escalation, as a user who lacks permission to edit a model should not be able to trigger its save-related signals.
To resolve this issue, the permission handling code of the Django admin interface has been changed. Now, if a user has only the "view" permission for a parent model, the entire displayed form will not be editable, even if the user has permission to edit models included in inlines.
This is a backwards-incompatible change, and the Django security team is aware that some users of Django were depending on the ability to allow editing of inlines in the admin form of an otherwise view-only parent model.
Given the complexity of the Django admin, and in particular the permissions-related checks, it is the view of the Django security team that this change was necessary: that it is not currently feasible to maintain the existing behavior whilst escaping the potential privilege escalation in a way that would avoid a recurrence of similar issues in the future, and that would be compatible with Django's safe-by-default philosophy.
For the time being, developers whose applications are affected by this change should replace the use of inlines in read-only parents with custom forms and views that explicitly implement the desired functionality. In the longer term, adding a documented, supported, and properly-tested mechanism for partially-editable multi-model forms to the admin interface may occur in Django itself.
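A simplified model of the permission decision described above, added here as an example and not Django's own admin code: inline_options_before_fix reproduces the pre-fix behaviour (inline permissions evaluated on their own), inline_options_after_fix the post-fix rule that a view-only parent disables every inline edit action, and parent_save_signals_fire records the consequence the advisory names. All function names and the Perms and InlineFormsetOptions types are assumptions of this example.

```python
from dataclasses import dataclass


@dataclass
class Perms:
    """Django-style model permissions held by the requesting user."""
    view: bool = False
    add: bool = False
    change: bool = False
    delete: bool = False


@dataclass
class InlineFormsetOptions:
    """What the change form renders for one inline: which row actions are
    enabled and how many blank extra rows the formset offers."""
    can_add: bool
    can_change: bool
    can_delete: bool
    extra_rows: int


def inline_options_before_fix(parent: Perms, inline: Perms,
                              extra: int = 3) -> InlineFormsetOptions:
    """Pre-fix behaviour: the inline's own permissions decide, so a user with
    only 'view' on the parent still gets editable inline rows."""
    return InlineFormsetOptions(inline.add, inline.change, inline.delete, extra)


def inline_options_after_fix(parent: Perms, inline: Perms, extra: int = 3,
                             changing: bool = True) -> InlineFormsetOptions:
    """Post-fix behaviour: inline edit rights apply only when the user may
    edit the parent (or add it, on the add view); otherwise every edit action
    is disabled and no blank rows are offered, so nothing can be submitted."""
    can_edit_parent = parent.change if changing else parent.add
    if not can_edit_parent:
        return InlineFormsetOptions(False, False, False, 0)
    return InlineFormsetOptions(inline.add, inline.change, inline.delete, extra)


def parent_save_signals_fire(opts: InlineFormsetOptions) -> bool:
    """Submitting an editable inline formset saves the parent object, which
    fires its pre/post-save signals; with all actions disabled there is no
    submittable form and the parent is never saved."""
    return opts.can_add or opts.can_change or opts.can_delete
```

Running both policies on a view-only parent with a fully editable inline shows the escalation (signals fire before the fix) and its removal (no editable rows, no save, after the fix), while a user who may change the parent keeps the inline rights they hold.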
Thank you to Shen Ying for reporting this issue.
Affected supported versions
Django master branch
Django 3.0 (which will be released in a separate blog post later today)
Django 2.2
Django 2.1
Resolution
Patches to resolve the issue have been applied to Django's master branch and
the 3.0, 2.2, and 2.1 release branches. The patches may be obtained from the following changesets:
On the master branch
On the 3.0 release branch
On the 2.2 release branch
On the 2.1 release branch
The following releases have been issued:
Django 2.2.8 (download Django 2.2.8 | 2.2.8 checksums)
Django 2.1.15 (download Django 2.1.15 | 2.1.15 checksums)
The PGP key ID used for these releases is Carlton Gibson: E17DF5C82B4F9D00.
General notes regarding security reporting
As always, we ask that potential security issues be reported via private email to security@djangoproject.com, and not via Django's Trac instance or the django-developers list. Please see our security policies for further information.
Posted about 4 years ago by Anna Makarudze, Daniele Procida, Helen Bire and Noah Alorwu
Following the huge success of PyCon Africa, the Django community in Africa is ready to bring a new major software event to the continent - the very first DjangoCon Africa! The Django Software Foundation is excited to endorse and support this initiative.
Plans are already in motion for a DjangoCon Africa to be held in Addis Ababa, Ethiopia in November 2020. Actual dates to be announced as soon as key details are in place.
DjangoCon Africa will include 3 days of single-track talks, 1 day of workshops and sprints, and another day for touring for international visitors.
The event will also include a Django Girls workshop to be held the weekend before DjangoCon Africa. To make the conference as inclusive as possible, the event will offer financial aid to members of under-represented communities in software to ensure they can also attend.
The CFP, which is open to all, will also be announced as soon as key details are in place.
About Ethiopia
Ethiopia is a country in the north-east of Africa, a region commonly known as the Horn of Africa. It is a country with a rich history and many historical places to visit. The country is highly accessible to all, with African Union members having the option of applying for a visa on arrival at Bole International Airport, or applying for an e-visa, like the rest of the world, before traveling to Ethiopia.
The country also boasts the largest airline in the whole of Africa, with the country's airline, Ethiopian Airlines, having 53 routes in Africa, 17 in Europe, 7 in the Americas, 14 in Asia and 10 in the Middle East. This makes the country very accessible to all of Africa and the rest of the world, and hence an ideal location for the first DjangoCon Africa.
See you in Addis Ababa in November 2020 for the first ever DjangoCon Africa!
Posted about 4 years ago by Mariusz Felisiak
Django 3.0 release candidate 1 is the final opportunity for you to try out the raft of new features before Django 3.0 is released.
The release candidate stage marks the string freeze and the call for translators to submit translations. Provided no major bugs are discovered that can't be solved in the next two weeks, Django 3.0 will be released on or around December 2. Any delays will be communicated on the django-developers mailing list thread.
Please use this opportunity to help find and fix bugs (which should be reported to the issue tracker). You can grab a copy of the package from our downloads page or on PyPI.
The PGP key ID used for this release is Mariusz Felisiak: 2EF56372BA48CD1B.
Posted about 4 years ago by Mariusz Felisiak
Today we've issued 2.2.7, 2.1.14, and 1.11.26 bugfix releases.
The release package and checksums are available from our downloads page, as well as from the Python Package Index. The PGP key ID used for this release is Mariusz Felisiak: 2EF56372BA48CD1B.