Posted over 14 years ago
Today the Django project is issuing a set of releases to remedy a security issue. This issue was disclosed publicly by a third party on a high-traffic mailing list, and attempts have been made to exploit it against live Django installations; as such, we are bypassing our normal policy for security disclosure and immediately issuing patches and updated releases.

Description of vulnerability

Django's forms library included field types which perform regular-expression-based validation of email addresses and URLs. Certain addresses/URLs could trigger a pathological performance case in this regular expression, resulting in the server process/thread becoming unresponsive, and consuming excessive CPU over an extended period of time. If deliberately triggered, this could result in an effective denial-of-service attack.

Affected versions

Any Django application making use of EmailField or URLField in the following versions is vulnerable:

Django development trunk
Django 1.1
Django 1.0

Resolution

The regular expressions used for email address and URL validation have been modified to eliminate the pathological performance case. Patches were applied in the following changesets:

Django development trunk: 11603.
Django 1.1 release series: 11604.
Django 1.0 release series: 11605.

The following releases are being issued immediately:

Django 1.1.1 (download | checksums)
Django 1.0.4 (download | checksums)

These releases are available on our download page and on PyPI. As this issue is being actively exploited in the wild, all users of affected versions of Django are strongly encouraged to upgrade or apply the appropriate patch immediately.

Note regarding security reporting

As mentioned above, this issue was initially disclosed publicly on a high-traffic mailing list. We'd like to remind our users that the correct channel for security reports is to send them to [email protected]. This allows the development team time to develop a solution and coordinate disclosure, both to the Django community as a whole and to the numerous third parties who maintain and distribute packaged versions of Django. When debating whether a particular issue impacts security, we ask that you err on the side of caution and always contact [email protected]; we will be more than happy to work with you in analyzing and assessing potential security issues.
Posted over 14 years ago
The recent security-oriented releases of Django included what was intended to be the final supported release in the Django 0.96 series. However, an issue was discovered with the patch applied to the 0.96 release branch; a portion of the updated code was not correctly applied, and as a result the runserver command no longer functioned at all. To remedy this, tonight we have issued Django 0.96.5, which includes the full corrected code.

The relevant changesets in the 0.96 release branch are:

11430
11435

The following download is also available:

Django 0.96.5: package | checksums

All users of Django 0.96 are encouraged to upgrade, but are warned that this is the final release which will be issued in the Django 0.96 series, and official support for Django 0.96 is now ended.
Posted over 14 years ago
After nearly a year of development, lots of new features and thousands of other improvements, Django 1.1 is here and ready for prime time! For a full rundown of what's new and what's changed, consult the release notes; to grab a copy, swing by the Django download page. And for the security-conscious, signed checksums for the release tarball are available. This release also contains the security update rolled out earlier tonight for older release series.

Django 1.1 is the result of hard work by hundreds of people who've contributed code to Django and many more who've donated their time to reporting, triaging, tracking down and helping to fix bugs and develop new features. Django literally would not be able to happen without all of you, so stop and give yourselves (and any other contributors you know) a pat on the back. Thanks once again to everyone who's helped out, and we hope to see you all at DjangoCon 2009 in Portland, Oregon, and all along the path to Django 1.2.
Posted over 14 years ago
In accordance with our security policy, today the Django project is issuing a set of releases to remedy a vulnerability reported to us. This announcement contains a description of the vulnerability, a description of the changes made to fix it, and pointers to the patches for each supported version of Django. Also covered here is an unrelated issue which, though security-related and resulting in changes to future Django releases, is not being treated as a vulnerability in Django itself.

Description of vulnerability

Django includes a lightweight, WSGI-based web server for use in learning Django and in testing new applications during early stages of development. For the sake of convenience, this web server automatically maps certain URLs corresponding to the static media files used by the Django administrative application. The handler which maps these URLs did not properly check the requested URL to verify that it corresponds to a static media file used by Django. As such, a carefully-crafted URL can cause the development server to serve any file to which it has read access.

By default, the development server does not listen on interfaces other than the local IPv4 loopback, and Django's documentation has and will continue to have stern warnings against the use of the development server in other situations (e.g., listening on a publicly- or network-accessible interface), and stating that the development server is not considered secure or performant enough for such use.

Affected versions

Django development trunk
Django 1.0
Django 0.96

Resolution

The development server's admin media handler has been patched to verify that the requested URL corresponds to a static media file which should be served, and to properly emit an HTTP 404 ("File Not Found") response when the URL does not correspond to such a file. Patches were applied in the following changesets:

Django development trunk: changeset 11351.
Django 1.0.X release series: changeset 11353.
Django 0.96.X release series: changeset 11354.

The following releases are being issued immediately:

Django 0.96.4 (download | checksums)
Django 1.0.3 (download | checksums)

These releases are strongly encouraged upgrades for all users of affected versions of Django. The final release of Django 1.1, due within hours of these releases, will include the above patch from the development trunk.

Secondary issue

A common deployment strategy for Django in some types of hosting environments involves placing the server which handles Django behind some other web server, which then acts as an HTTP proxy. In such situations, the REMOTE_ADDR environment variable is typically the IP address of the proxy. For convenience, Django includes an optional middleware class -- django.middleware.http.SetRemoteAddrFromForwardedFor -- which updates the value of REMOTE_ADDR based on the HTTP X-Forwarded-For header commonly set by some proxy configurations.

It has been demonstrated that this mechanism cannot be made reliable enough for general-purpose use, and that (despite documentation to the contrary) its inclusion in Django may lead application developers to assume that the value of REMOTE_ADDR is "safe" or in some way reliable as a source of authentication. While not directly a security issue (since relying on REMOTE_ADDR or similar values is widely known to be a worst practice), the Django team has decided to deprecate and begin the process of removing this middleware with the Django 1.1 release. This middleware class will be left as-is in the 1.0 and 0.96 release series, but in the 1.1 release series it will be replaced with a class which takes no action other than raising a deprecation error. It is expected that this placeholder warning class will be removed in the Django 1.2 release series.

Miscellaneous

Please note that the release of Django 1.1 will trigger end-of-life for the Django 0.96 release series; as such, Django 0.96.4 will be the last official release in that series and it will no longer receive bugfix or security support directly from the Django development team.
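The resolution above describes a handler that serves a file only when the requested URL really maps to a static media file, and answers 404 otherwise. The following is an added illustration of that containment check, not Django's own handler code; it assumes the handler receives an already URL-decoded path and a configured media root directory, and the directory layout in demo() is constructed for the example.

```python
import tempfile
from pathlib import Path


def resolve_static_path(media_root, url_path):
    """Map an already URL-decoded path to a file under media_root, or None.

    The file is returned only if, after normalising '..' segments and
    following symlinks, it is a regular file strictly inside media_root.
    Any other outcome is a 404 for the caller, which is the behaviour the
    patched handler adopts.
    """
    root = Path(media_root).resolve()
    # Drop the leading slash: joining an absolute path would discard root.
    candidate = (root / url_path.lstrip("/")).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        return None  # resolved to somewhere outside the media root
    if not candidate.is_file():
        return None  # directory, missing file, or the root itself
    return str(candidate)


def demo():
    """Constructed scenario: a media directory holding one stylesheet, with
    a sensitive file one level above it. Returns what each request yields."""
    with tempfile.TemporaryDirectory() as tmp:
        media = Path(tmp) / "admin_media"
        (media / "css").mkdir(parents=True)
        (media / "css" / "base.css").write_text("body { margin: 0 }")
        (Path(tmp) / "settings.py").write_text("SECRET_KEY = 'constructed'")
        return {
            "stylesheet": resolve_static_path(media, "/css/base.css"),
            "parent_dir": resolve_static_path(media, "/../settings.py"),
            "absolute": resolve_static_path(media, str(Path(tmp) / "settings.py")),
            "directory": resolve_static_path(media, "/css/"),
            "missing": resolve_static_path(media, "/css/nope.css"),
        }


if __name__ == "__main__":
    for request, result in demo().items():
        print(f"{request:>10}: {'served ' + result if result else '404'}")
```

Only the stylesheet request yields a path; the parent-directory, absolute-path, directory and missing-file requests all fall through to 404.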
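The secondary issue above is that copying X-Forwarded-For into REMOTE_ADDR makes a client-controlled header look like a trustworthy address. The following added example (not Django's middleware) contrasts that naive rewrite with a version that honours the header only when the connection arrives from a proxy the deployment has explicitly configured; the WSGI environ dicts and the addresses in them are constructed for the example.

```python
import ipaddress


def naive_remote_addr(environ):
    """The unreliable pattern the announcement warns about (an illustration,
    not Django's code): if X-Forwarded-For is present, believe its first
    entry, whoever sent it."""
    xff = environ.get("HTTP_X_FORWARDED_FOR")
    if xff:
        return xff.split(",")[0].strip()
    return environ.get("REMOTE_ADDR", "")


def client_ip(environ, trusted_proxies):
    """Client address derived from X-Forwarded-For only when the request
    really came through a proxy we configured.

    The header is honoured only if REMOTE_ADDR is a trusted proxy, and the
    hops are walked right to left, stopping at the first address that is
    not one of our proxies: everything to the left of it was supplied by
    whoever connected to that proxy and is unverified input.
    """
    remote = environ.get("REMOTE_ADDR", "")
    trusted = {ipaddress.ip_address(p) for p in trusted_proxies}
    try:
        if ipaddress.ip_address(remote) not in trusted:
            return remote  # direct connection: any forwarded header is ignored
        hops = [h.strip() for h in environ.get("HTTP_X_FORWARDED_FOR", "").split(",")]
        for hop in reversed([h for h in hops if h]):
            addr = ipaddress.ip_address(hop)
            if addr not in trusted:
                return str(addr)
    except ValueError:
        pass  # malformed address in REMOTE_ADDR or the header: fall back
    return remote  # header empty or every hop was one of our own proxies


# Constructed requests: one straight from a client that forged the header,
# one that passed through our proxy at 10.0.0.1 (documentation-range addresses).
DIRECT = {"REMOTE_ADDR": "203.0.113.5", "HTTP_X_FORWARDED_FOR": "198.51.100.7"}
PROXIED = {"REMOTE_ADDR": "10.0.0.1",
           "HTTP_X_FORWARDED_FOR": "198.51.100.7, 203.0.113.9"}

if __name__ == "__main__":
    for name, env in (("direct", DIRECT), ("proxied", PROXIED)):
        print(name, "naive:", naive_remote_addr(env),
              "trusted-proxy:", client_ip(env, ["10.0.0.1"]))
```

In both requests the naive rewrite reports the forged 198.51.100.7; the proxy-aware version reports the address the server (or its proxy) actually saw.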
Posted over 14 years ago
As part of the Django 1.1 release process, tonight we've released Django 1.1 release candidate 1, a preview/testing package which, hopefully, is quite close to what will constitute the final Django 1.1 release. As with all pre-release packages, this is not for production use, but if you'd like to try out some of the new goodies coming in 1.1, or if you'd like to pitch in and help us fix bugs before the final 1.1 release (due in approximately one week), feel free to grab a copy and give it a spin. You can get a copy of the 1.1 RC from our downloads page, and we recommend you read the release notes. Also, for the security conscious, signed MD5 and SHA1 checksums of the 1.1 release candidate package are available.

If no show-stopping bugs are found, the Django 1.1 final release will take place in one week. In the meantime, only critical release-blocking bugs will be considered for the final release. Django 1.1 is also now in string freeze; strings marked for translation will not change between now and the final release, so if you have translations to contribute now's the time. With luck, we'll see you back here in a week for the release of Django 1.1.
Posted over 14 years ago
Has it really been a year since DjangoCon 2008? Apparently so: registration for DjangoCon 2009 is now open! I'll let the conference chair, Robert Lofthouse, take over from here:

DjangoCon '09 will be in Portland, Oregon at the DoubleTree Green Hotel between 8th and 12th September. The first 3 days are conference days and the last 2 days are sprint days. The keynote speakers will be:

Avi Bryant
Ian Bicking
Ted Leung

Registration is now open, and early bird rates are available through this Sunday, July 19th. The call for talk submissions is open through the 1st of August. You can keep up to date with the latest news at djangocon.org. DjangoCon '08 was a success at Google HQ in Mountain View (see videos from DjangoCon '08) and I'm sure we're going to have a lot of fun this time around as well. Hope to see you there!

— Robert Lofthouse, DjangoCon Chairman
Posted almost 15 years ago
It's well past time for a quick update on the status of Django 1.1: Anyone who's been following our development process and can read a calendar will probably have noticed that we've missed our originally-targeted ship date of April 13th. So we're now about a month behind.

The reason for the schedule slip is pretty typical for most software projects: we reached the target date with a number of bugs still open. Putting out buggy code on time simply isn't an option, so we've been working to get these final issues closed before we ship any code. As I write this we have about fifty bugs still open (see the complete list here). I'm pretty hopeful about getting these fixed in short order: today is the first day of the EuroDjangoCon sprints, and we've got quite a turnout. A number of tricky bugs have been fixed already today.

Unfortunately, many of these remaining issues are quite tricky. Ironically, this is caused by Django's general stability: we've already fixed all the easy bugs! We're not setting a timeline for the 1.1 release because the remaining issues are "blockers": they have to be fixed before we can put a release out. So while we're hoping to have the first release candidate out in a matter of days, this isn't a promise. We'll ship Django 1.1 when it's stable, and not a moment before. Thanks for your understanding, and watch this space for updates.
Posted about 15 years ago
As part of the Django 1.1 release process, tonight we've released Django 1.1 beta 1, a preview package that shows off the new features coming in Django 1.1. As with all alpha and beta packages, this is not for production use, but if you'd like to try out some of the new goodies coming in 1.1, or if you'd like to pitch in and help us fix bugs before the final 1.1 release (due in April), feel free to grab a copy and give it a spin. You can get a copy of the 1.1 beta package from our downloads page, and we recommend you read the release notes. Also, for the security conscious, signed MD5 and SHA1 checksums of the 1.1 beta package are available.

Our next stop will be the 2009 US PyCon in Chicago where, among other things, we'll be running development sprints targeted at producing the final Django 1.1 release. For a full 1.1 roadmap, see the 1.1 alpha release notes.
Posted about 15 years ago
As part of the Django 1.1 release process, tonight we've released Django 1.1 alpha 1, a preview/testing package that gives a little taste of some of the new features coming in Django 1.1. As with all alpha and beta packages, this is not for production use, but if you'd like to try out some of the new goodies coming in 1.1, or if you'd like to pitch in and help us fix bugs before the final 1.1 release (due in April), feel free to grab a copy and give it a spin. You can get a copy of the 1.1 alpha package from our downloads page, and we recommend you read the release notes. Also, for the security conscious, signed MD5 and SHA1 checksums of the 1.1 alpha package are available.

Our next stop will be the 2009 US PyCon in Chicago where, among other things, we'll be running development sprints targeted at producing a feature-frozen 1.1 beta package (for a full 1.1 roadmap, see the 1.1 alpha release notes).
Posted about 15 years ago
It's almost spring, and you know what that means: PyCon is here! Early-bird registration ends soon, so take advantage of the low prices and register now! PyCon's consistently among the best technical conferences in the world. The conference is chock-full of interesting talks about everything Python, and the unofficial parts of the conference (the "hallway track," open spaces, sprints, etc.) are even better.

As with previous years, Django will be very well represented at PyCon. James Bennett and I will be teaching a tutorial, Django in the Real World, covering all the stuff you need to do after you've written your app. The tutorial's filling up, so if you're interested I recommend registering soon. New to PyCon 2009 are invited speakers: a select group of fantastic Python speakers invited to drop some knowledge. Adrian is one of the invited speakers, and he'll be giving us all a look behind the scenes of EveryBlock.com. I'm really looking forward to this! Then there's a whopping nine talks covering Django, including talks on Pinax, Google App Engine, Django on Jython, a panel discussing ORM design, and a talk with what has to be the most awesome title ever: Searching for Neutrinos Using Python at the Bottom of the World. Adrian and I will also deliver a "State of Django" talk discussing where the project is, and where it's going.

Finally, after the talks end, the annual development sprint begins: four solid days of hacking! Anyone interested in working on Django is encouraged to attend, and note that the sprints at PyCon are open to anyone, not just PyCon attendees. So, if you're in Chicago feel free to stop on by! Early-bird registration ends in just a couple of days, so make sure to register soon to take advantage of the discounts! Hope to see lots of Djangonauts there!