News

Posted almost 7 years ago by Tim Graham
Today we've issued the 1.11.3 bugfix release. The release package and checksums are available from our downloads page, as well as from the Python Package Index. The PGP key ID used for this release is Tim Graham: 1E8ABDC773EDE252.
Posted almost 7 years ago by Rebecca Kindschi, Jeff Triplett, and the DjangoCon US team
We are less than two months away from DjangoCon US in Spokane, WA, and we are pleased to announce that our schedule is live! We received an amazing number of excellent proposals, and the reviewers and program team had a difficult job choosing the final talks. We think you will love them. Thank you to everyone who submitted a proposal or helped to review them. Tickets for the conference are still on sale! Check out our website for more information on which ticket type to select. We have also announced our tutorials. They are $150 each, and may be purchased at the same place as the conference tickets. DjangoCon US will be held August 13-18 at the gorgeous Hotel RL in downtown Spokane. Our hotel block rate expires July 11, so reserve your room today!
Posted almost 7 years ago by Tim Graham
Today we've issued the 1.11.2 bugfix release. The release package and checksums are available from our downloads page, as well as from the Python Package Index. The PGP key ID used for this release is Tim Graham: 1E8ABDC773EDE252.
Posted almost 7 years ago by Tim Graham
Today we've issued the 1.11.1 bugfix release. The release package and checksums are available from our downloads page, as well as from the Python Package Index. The PGP key ID used for this release is Tim Graham: 1E8ABDC773EDE252.
Posted almost 7 years ago by Daniele Procida
DjangoCon Europe 2017 upheld all the traditions established by previous editions: a volunteer-run event, speakers from all sections of the community and a commitment to stage a memorable, enjoyable conference for all attendees. Held in a stunning Art Deco cinema in the centre of the city, this year's edition was host to over 350 Djangonauts. The team of always-smiling and willing volunteers, led by Emanuela Dal Mas and Iacopo Spalletti under the auspices of the Fuzzy Brains association, created a stellar success on behalf of all the community.
Of note in this year's conference was an emphasis on inclusion, as expressed in the conference's manifesto. The organisers' efforts to expand the notion of inclusion were visible in the number of attendees from Africa and south Asia, nearly all of whom were also given a platform at the event. This was made possible not only by the financial assistance programme but also through the considerable logistical help the organisers were able to offer. The conference's opening keynote talk by Anna Makarudze and Humphrey Butau on the growing Python community in Zimbabwe, and an all-woman panel discussing their journeys in technology, were just two examples of a commitment to making more space for voices and stories that are less often heard.
DjangoCon Europe continues to thrive and sparkle in the hands of the people who care about it most, and who step forward each year as volunteers who commit hundreds of hours of their time to make the best possible success of it. Once again, this care has shone through. On behalf of the whole Django community, the Django Software Foundation would like to thank the entire organising team and all the other volunteers of this year's DjangoCon Europe, for putting on a superb and memorable production.
The next DjangoCons in Europe
The DSF Board is considering bids for DjangoCon Europe 2018-2020. If you're interested in hosting the event in one of these years, we'd like to hear from you as soon as possible.
Posted about 7 years ago by Tim Graham
The Django team is happy to announce the release of Django 1.11. This version has been designated as a long-term support (LTS) release, which means that security and data loss fixes will be applied for at least the next three years. It will also receive fixes for crashing bugs, major functionality bugs in newly-introduced features, and regressions from older versions of Django for the next eight months until December 2017.
As always, the release notes cover the medley of new features in detail, but a few highlights are:
Class-based model indexes for creating database indexes.
Template-based widget rendering to ease customizing form widgets.
Subquery expressions to create explicit subqueries using the ORM.
You can get Django 1.11 from our downloads page or from the Python Package Index. The PGP key ID used for this release is Tim Graham: 1E8ABDC773EDE252.
With the release of Django 1.11, Django 1.10 has reached the end of mainstream support. The final minor bugfix release (1.10.7) was issued today. Django 1.10 will receive security and data loss fixes for another eight months until December 2017.
Django 1.9 has reached the end of extended support. The final security release (1.9.13) was issued today. All Django 1.9 users are encouraged to upgrade to Django 1.10 or later.
See the downloads page for a table of supported versions and the future release schedule.
Posted about 7 years ago by Tim Graham
In accordance with our security release policy, the Django team is issuing Django 1.10.7, Django 1.9.13 and 1.8.18. These releases address two security issues detailed below. We encourage all users of Django to upgrade as soon as possible. The Django master and stable/1.11.x branches are also updated. The Django 1.11 release is forthcoming shortly in a separate blog post.
CVE-2017-7233: Open redirect and possible XSS attack via user-supplied numeric redirect URLs
Django relies on user input in some cases (e.g. django.contrib.auth.views.login() and i18n) to redirect the user to an "on success" URL. The security check for these redirects (namely django.utils.http.is_safe_url()) considered some numeric URLs (e.g. http:999999999) "safe" when they shouldn't be. Also, if a developer relies on is_safe_url() to provide safe redirect targets and puts such a URL into a link, they could suffer from an XSS attack.
CVE-2017-7234: Open redirect vulnerability in django.views.static.serve()
A maliciously crafted URL to a Django site using the django.views.static.serve() view could redirect to any other domain. The view no longer does any redirects as they don't provide any known, useful functionality. Note, however, that this view has always carried a warning that it is not hardened for production use and should be used only as a development aid. Thanks Phithon Gong for reporting this issue.
Affected supported versions
Django master development branch
Django 1.11 (at release candidate status, final release forthcoming)
Django 1.10
Django 1.9
Django 1.8
Per our supported versions policy, Django 1.7 and older are no longer receiving security updates. Also, Django 1.9.x has reached end-of-life -- this is the final release of that series.
Resolution
Patches to resolve the issues have been applied to Django's master development branch and the 1.11, 1.10, 1.9, and 1.8 release branches. The patches may be obtained from the following changesets:
On the development master branch: is_safe_url() serve()
On the 1.11 release branch: is_safe_url() serve()
On the 1.10 release branch: is_safe_url() serve()
On the 1.9 release branch: is_safe_url() serve()
On the 1.8 release branch: is_safe_url() serve()
The following releases have been issued:
Django 1.10.7 (download Django 1.10.7 | 1.10.7 checksums)
Django 1.9.13 (download Django 1.9.13 | 1.9.13 checksums)
Django 1.8.18 (download Django 1.8.18 | 1.8.18 checksums)
The PGP key ID used for these releases is Tim Graham: 1E8ABDC773EDE252.
General notes regarding security reporting
As always, we ask that potential security issues be reported via private email to [email protected], and not via Django's Trac instance or the django-developers list. Please see our security policies for further information.
Posted about 7 years ago by Tim Graham
In accordance with our security release policy, the Django team is issuing Django 1.10.7, Django 1.9.13 and 1.8.18. These releases address two security issues detailed below. We encourage all users of Django to upgrade as soon as possible. The Django master and stable/1.11.x branches are also updated. The Django 1.11 release is forthcoming shortly in a separate blog post.
CVE-2017-7233: Open redirect and possible XSS attack via user-supplied numeric redirect URLs
Django relies on user input in some cases (e.g. django.contrib.auth.views.login() and i18n) to redirect the user to an "on success" URL. The security check for these redirects (namely django.utils.http.is_safe_url()) considered some numeric URLs (e.g. http:999999999) "safe" when they shouldn't be. Also, if a developer relies on is_safe_url() to provide safe redirect targets and puts such a URL into a link, they could suffer from an XSS attack.
CVE-2017-7234: Open redirect vulnerability in django.views.static.serve()
A maliciously crafted URL to a Django site using the django.views.static.serve() view could redirect to any other domain. The view no longer does any redirects as they don't provide any known, useful functionality. Note, however, that this view has always carried a warning that it is not hardened for production use and should be used only as a development aid. Thanks Phithon from Chaitin Tech (@ChaitinTech) for reporting this issue.
Affected supported versions
Django master development branch
Django 1.11 (at release candidate status, final release forthcoming)
Django 1.10
Django 1.9
Django 1.8
Per our supported versions policy, Django 1.7 and older are no longer receiving security updates. Also, Django 1.9.x has reached end-of-life -- this is the final release of that series.
Resolution
Patches to resolve the issues have been applied to Django's master development branch and the 1.11, 1.10, 1.9, and 1.8 release branches. The patches may be obtained from the following changesets:
On the development master branch: is_safe_url() serve()
On the 1.11 release branch: is_safe_url() serve()
On the 1.10 release branch: is_safe_url() serve()
On the 1.9 release branch: is_safe_url() serve()
On the 1.8 release branch: is_safe_url() serve()
The following releases have been issued:
Django 1.10.7 (download Django 1.10.7 | 1.10.7 checksums)
Django 1.9.13 (download Django 1.9.13 | 1.9.13 checksums)
Django 1.8.18 (download Django 1.8.18 | 1.8.18 checksums)
The PGP key ID used for these releases is Tim Graham: 1E8ABDC773EDE252.
General notes regarding security reporting
As always, we ask that potential security issues be reported via private email to [email protected], and not via Django's Trac instance or the django-developers list. Please see our security policies for further information.
Posted about 7 years ago by Rebecca Kindschi and Jeff Triplett
Tickets are on sale for DjangoCon US 2017 in Spokane, WA! We’re also looking for reviewers for our talk and tutorial proposals, and our CFP and financial aid application are closing soon.
Tickets Are on Sale
Tickets are now on sale! DjangoCon US has tiered pricing, and we put together a blog post with more details. We hope to see you in Spokane August 13-18.
Call for Reviewers
We’re looking for volunteers to help review talk and tutorial proposals. This will require a few hours of time from now until April 24. Reviewing talks only takes a couple of minutes per talk. Reviewers don’t need to review all talks and tutorials and don’t need to review them all in one day. Most people find that reviewing talks for 30 minutes at a time, once or twice a week, gets them through the talks pretty quickly. If you’re interested, please email [email protected]. Thank you to all of the awesome volunteers who have already signed up!
Call for Proposals Deadline
Our Call for Proposals (CFP) deadline is quickly approaching! April 10 at midnight Anywhere on Earth is the deadline to submit a talk or tutorial proposal. We would love to see a few more tutorial proposals (tutorials are compensated!). Please get in touch with us or our wonderful speaker mentors if you need help refining or expanding on an idea.
Financial Aid Deadline
The DjangoCon US financial aid application also closes on April 10. We have more information and FAQs about financial aid on our website. The application is short and sweet, so please apply today!
Posted about 7 years ago by Tim Graham
Django 1.11 release candidate 1 is the final opportunity for you to try out the medley of new features before Django 1.11 is released. The release candidate stage marks the string freeze and the call for translators to submit translations. Provided no major bugs are discovered that can't be solved in the next two weeks, 1.11 final will be issued on or around April 4. Any delays will be communicated on the django-developers mailing list thread. Please use this opportunity to help find and fix bugs (which should be reported to the issue tracker). You can grab a copy of the package from our downloads page or on PyPI. The PGP key ID used for this release is Tim Graham: 1E8ABDC773EDE252.