Posted over 14 years ago
Today the Django project is issuing a set of releases to remedy a
security issue. This issue was disclosed publicly by a third party on
a high-traffic mailing list, and attempts have been made to exploit it
against live Django installations; as such, we are bypassing our
normal policy for security disclosure
and immediately issuing patches and updated releases.
Description of vulnerability
Django's forms library included
field types which perform regular-expression-based validation of email
addresses and URLs. Certain addresses/URLs could trigger a pathological
performance case in this regular expression, resulting in the server
process/thread becoming unresponsive, and consuming excessive CPU over
an extended period of time. If deliberately triggered, this could result in
an effective denial-of-service attack.
Affected versions
Any Django application making use of EmailField or URLField
in the following versions is vulnerable:
Django development trunk
Django 1.1
Django 1.0
Resolution
The regular expressions used for email address and URL validation have
been modified to eliminate the pathological performance case.
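The two mitigations the resolution above amounts to, a pattern with no ambiguous repetition and a length bound enforced before the regex ever runs, as an added example that is not Django's own validator. The page does not publish the original pattern, so AMBIGUOUS_EMAIL_RE below is a constructed stand-in for the backtracking-prone shape, and the function names, the lint helper and the 254-character cap are assumptions made for illustration:

```python
import re
import time

# Added example, not Django's code: a regex-based email check in two
# versions. AMBIGUOUS_EMAIL_RE is a deliberately backtracking-prone shape
# (a constructed stand-in, not Django's original pattern); SAFE_EMAIL_RE
# and validate_email() show the two standard mitigations: an input length
# cap applied before the regex runs, and a pattern in which every character
# can be consumed in only one way.

# Anti-pattern: a quantified group whose body is itself quantified over the
# same characters ("(x+)+"). On a non-matching input the engine tries every
# way of splitting the run of x's between the inner and outer '+', which
# grows exponentially with input length.
AMBIGUOUS_EMAIL_RE = re.compile(
    r"^([a-zA-Z0-9._%+-]+)+@([a-zA-Z0-9-]+\.)+[a-zA-Z]{2,}$"
)

# Hardened: each character class belongs to exactly one quantifier, and each
# repetition of the domain group must end in a literal '.', so there is a
# single tokenisation of any input and matching is linear in its length.
SAFE_EMAIL_RE = re.compile(
    r"^[a-zA-Z0-9._%+-]+@([a-zA-Z0-9-]+\.)+[a-zA-Z]{2,}$"
)

# RFC 5321 caps a forward-path at 254 octets; rejecting longer input up
# front also bounds the work any regex can do on it.
MAX_EMAIL_LENGTH = 254


def validate_email(value, pattern=SAFE_EMAIL_RE):
    """Return True if value looks like an email address.

    The length check runs before the regex so that even a pathological
    pattern only ever sees bounded input.
    """
    if not isinstance(value, str) or len(value) > MAX_EMAIL_LENGTH:
        return False
    return pattern.fullmatch(value) is not None


def has_nested_quantifier(pattern):
    """Crude review-time lint: flag a quantified group whose body ends in a
    quantifier, e.g. '(a+)+' or '([a-z]*)*'. A hit is worth a closer look;
    a miss is not a proof of safety."""
    return re.search(r"\([^()]*[+*]\)[+*]", pattern) is not None


def time_match(pattern, value):
    """Seconds taken by one fullmatch; only for eyeballing the difference."""
    start = time.perf_counter()
    pattern.fullmatch(value)
    return time.perf_counter() - start


if __name__ == "__main__":
    # Constructed input: a run of valid local-part characters with no '@',
    # so neither pattern can match and both must fail. Kept short (n=18)
    # because the ambiguous pattern's cost doubles with every extra char.
    probe = "a" * 18 + "!"
    print("ambiguous:", round(time_match(AMBIGUOUS_EMAIL_RE, probe), 4), "s")
    print("safe:     ", round(time_match(SAFE_EMAIL_RE, probe), 4), "s")
    print("lint flags ambiguous:", has_nested_quantifier(AMBIGUOUS_EMAIL_RE.pattern))
```

The length cap is the cheaper of the two defences and the one to apply first: it turns any remaining regex weakness from "unbounded CPU per request" into a fixed, small cost. The lint is only a smoke test; reviewing every quantified group for overlap with its neighbours is still needed when a pattern changes.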
Patches were applied in the following changesets:
Django development trunk: 11603.
Django 1.1 release series: 11604.
Django 1.0 release series: 11605.
The following releases are being issued immediately:
Django 1.1.1 (download | checksums)
Django 1.0.4 (download | checksums)
These releases are available on our download page and on PyPI.
As this issue is being actively exploited in the wild, all users of
affected versions of Django are strongly encouraged to upgrade or
apply the appropriate patch immediately.
Note regarding security reporting
As mentioned above, this issue was initially disclosed publicly on a
high-traffic mailing list. We'd like to remind our users that the correct
channel for security reports is to send them to security@djangoproject.com.
This allows the development team time to develop a solution and coordinate
disclosure, both to the Django community as a whole and to the numerous third
parties who maintain and distribute packaged versions of Django.
When debating whether a particular issue impacts security, we ask that you err
on the side of caution and always contact security@djangoproject.com; we
will be more than happy to work with you in analyzing and assessing potential
security issues.

Posted over 14 years ago
The recent security-oriented releases of Django included what was intended to be the final supported release in the Django 0.96 series. However, an issue was discovered with the patch applied to the 0.96 release branch; a portion of the updated code was not correctly applied, and as a result the runserver command no longer functioned at all.
To remedy this, tonight we have issued Django 0.96.5, which includes the full corrected code. The relevant changesets in the 0.96 release branch are:
11430
11435
The following download is also available:
Django 0.96.5: package | checksums
All users of Django 0.96 are encouraged to upgrade, but are warned that this is the final release which will be issued in the Django 0.96 series, and official support for Django 0.96 is now ended.

Posted over 14 years ago
After nearly a year of development, lots of new features and thousands of other improvements, Django 1.1 is here and ready for prime time!
For a full rundown of what's new and what's changed, consult the release notes; to grab a copy, swing by the Django download page. And for the security-conscious, signed checksums for the release tarball are available.
This release also contains the security update rolled out earlier tonight for older release series.
Django 1.1 is the result of hard work by hundreds of people who've contributed code to Django and many more who've donated their time to reporting, triaging, tracking down and helping to fix bugs and develop new features. Django literally would not be able to happen without all of you, so stop and give yourselves (and any other contributors you know) a pat on the back.
Thanks once again to everyone who's helped out, and we hope to see you all at DjangoCon 2009 in Portland, Oregon, and all along the path to Django 1.2.

Posted over 14 years ago
In accordance with our security policy,
today the Django project is issuing a set of releases to remedy a
vulnerability reported to us. This announcement contains a description
of the vulnerability, a description of the changes made to fix it, and
pointers to the patches for each supported version of Django.
Also covered here is an unrelated issue which, though security-related
and resulting in changes to future Django releases, is not being
treated as a vulnerability in Django itself.
Description of vulnerability
Django includes a lightweight, WSGI-based web server for use in
learning Django and in testing new applications during early stages of
development. For sake of convenience, this web server automatically
maps certain URLs corresponding to the static media files used by the
Django administrative application.
The handler which maps these URLs did not properly check the requested
URL to verify that it corresponds to a static media file used by
Django. As such, a carefully-crafted URL can cause the development
server to serve any file to which it has read access.
By default, the development server does not listen on interfaces other
than the local IPv4 loopback, and Django's documentation has and will
continue to have stern warnings against the use of the development
server in other situations (e.g., listening on a publicly- or
network-accessible interface), and stating that the development server
is not considered secure or performant enough for such use.
Affected versions
Django development trunk
Django 1.0
Django 0.96
Resolution
The development server's admin media handler has been patched to
verify that the requested URL corresponds to a static media file which
should be served, and to properly emit an HTTP 404 ("File Not Found")
response when the URL does not correspond to such a file.
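The check the resolution describes, as an added example that is not Django's own admin media handler: map the requested URL onto a file under a fixed document root, and answer 404 for anything that does not resolve to a regular file inside that root. The function names, the on-disk layout built by build_demo_tree() and the response tuple shape are assumptions for illustration:

```python
import mimetypes
import os
import tempfile
from http import HTTPStatus
from urllib.parse import unquote

# Added example, not Django's code: a minimal static-media handler of the
# kind described above, written to refuse any path that escapes its
# document root. The function names and the media tree are assumptions
# made for illustration.


def resolve_media_path(media_root, url_path):
    """Map a URL path to a file under media_root, or return None.

    Order matters: percent-decode first (so '%2e%2e' becomes '..'), reject
    NUL bytes, join under the root, then compare the symlink-resolved
    candidate against the symlink-resolved root with commonpath(), which,
    unlike a startswith() test, is not fooled by '/media-evil' vs '/media'.
    """
    decoded = unquote(url_path)
    if "\x00" in decoded:
        return None
    relative = decoded.lstrip("/")  # never let join() see an absolute path
    root = os.path.realpath(media_root)
    candidate = os.path.realpath(os.path.join(root, relative))
    if os.path.commonpath([root, candidate]) != root:
        return None  # escaped the document root
    if not os.path.isfile(candidate):
        return None  # directories and missing files are 404, not listings
    return candidate


def serve_media(media_root, url_path):
    """Return (status, headers, body); 404 for anything not under the root."""
    path = resolve_media_path(media_root, url_path)
    if path is None:
        return HTTPStatus.NOT_FOUND, {"Content-Type": "text/plain"}, b"Not Found"
    ctype = mimetypes.guess_type(path)[0] or "application/octet-stream"
    with open(path, "rb") as fh:
        body = fh.read()
    headers = {"Content-Type": ctype, "Content-Length": str(len(body))}
    return HTTPStatus.OK, headers, body


def build_demo_tree():
    """Constructed fixture: <tmp>/media/css/base.css is the one file that
    may be served; <tmp>/outside.txt sits one level above the root and must
    never be served. Returns (media_root, outside_file)."""
    base = tempfile.mkdtemp(prefix="admin_media_demo_")
    root = os.path.join(base, "media")
    os.makedirs(os.path.join(root, "css"))
    with open(os.path.join(root, "css", "base.css"), "w") as fh:
        fh.write("body { margin: 0; }\n")
    outside = os.path.join(base, "outside.txt")
    with open(outside, "w") as fh:
        fh.write("not media\n")
    return root, outside


if __name__ == "__main__":
    root, outside = build_demo_tree()
    for url in ("/css/base.css", "/css/../outside.txt",
                "/css/%2e%2e/outside.txt", "/css/"):
        status, _, _ = serve_media(root, url)
        print(f"{status.value} {url}")
```

Two details carry the weight: decoding happens before any path comparison, so an encoded traversal is judged by what it decodes to, and realpath() on both sides means a symlink inside the root that points outside it is also refused.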
Patches were applied in the following changesets:
Django development trunk: changeset 11351.
Django 1.0.X release series: changeset 11353.
Django 0.96.X release series: changeset 11354.
The following releases are being issued immediately:
Django 0.96.4 (download | checksums)
Django 1.0.3 (download | checksums)
These releases are strongly encouraged upgrades for all users of affected versions of Django.
The final release of Django 1.1, due within hours of these releases,
will include the above patch from the development trunk.
Secondary issue
A common deployment strategy for Django in some types of hosting
environments involves placing the server which handles Django behind
some other web server, which then acts as an HTTP proxy. In such
situations, the REMOTE_ADDR environment variable is typically the
IP address of the proxy. For convenience, Django includes an optional
middleware class --
django.middleware.http.SetRemoteAddrFromForwardedFor -- which
updates the value of REMOTE_ADDR based on the HTTP
X-Forwarded-For header commonly set by some proxy configurations.
It has been demonstrated that this mechanism cannot be made reliable
enough for general-purpose use, and that (despite documentation to the
contrary) its inclusion in Django may lead application developers to
assume that the value of REMOTE_ADDR is "safe" or in some way
reliable as a source of authentication.
While not directly a security issue (since relying on REMOTE_ADDR
or similar values is widely known to be a worst practice), the Django
team has decided to deprecate and begin the process of removing this
middleware with the Django 1.1 release.
This middleware class will be left as-is in the 1.0 and 0.96 release
series, but in the 1.1 release series it will be replaced with a class
which takes no action other than raising a deprecation error. It is
expected that this placeholder warning class will be removed in the
Django 1.2 release series.
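Why the middleware cannot be made reliable in general, and the one narrow variant that is defensible, as an added example that is not Django's code. naive_client_ip() mirrors the deprecated idea of copying the header into the client address unconditionally; client_ip() honours X-Forwarded-For only when the TCP peer in REMOTE_ADDR is one of a configured set of proxies and then walks the chain from the right. TRUSTED_PROXIES, the function names and the sample addresses (RFC 5737 documentation ranges) are constructed for this example:

```python
import ipaddress

# Added example, not Django's code: why rewriting REMOTE_ADDR from
# X-Forwarded-For is unsafe in the general case, and the one narrow
# variant that is defensible. TRUSTED_PROXIES and the sample addresses
# are constructed for illustration.

TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def naive_client_ip(environ):
    """Deprecated pattern: take the first X-Forwarded-For entry at face value.
    The header is written by whoever sends the request, so a client that
    talks to the application directly can put any address here."""
    xff = environ.get("HTTP_X_FORWARDED_FOR")
    if xff:
        return xff.split(",")[0].strip()
    return environ["REMOTE_ADDR"]


def _is_trusted_proxy(addr, trusted):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in trusted)


def client_ip(environ, trusted=TRUSTED_PROXIES):
    """Best-effort client address; still only a hint, never an authenticator.

    REMOTE_ADDR is the TCP peer and is the only value this server observed
    itself. If that peer is not one of our proxies, the header came straight
    from the client and is ignored. Otherwise each proxy in the chain appended
    the address it saw, so walking from the right and skipping our own
    proxies lands on the first hop we did not write ourselves.
    """
    peer = environ["REMOTE_ADDR"]
    if not _is_trusted_proxy(peer, trusted):
        return peer
    raw = environ.get("HTTP_X_FORWARDED_FOR", "")
    hops = [h.strip() for h in raw.split(",") if h.strip()]
    for hop in reversed(hops):
        if _is_trusted_proxy(hop, trusted):
            continue
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return peer  # malformed entry: refuse to trust the header at all
        return hop
    return peer  # header empty or contained only our own proxies


if __name__ == "__main__":
    # Constructed requests: one that reached us directly with a forged
    # header, one that really came through a proxy at 10.0.0.1.
    direct = {"REMOTE_ADDR": "203.0.113.7", "HTTP_X_FORWARDED_FOR": "127.0.0.1"}
    proxied = {"REMOTE_ADDR": "10.0.0.2",
               "HTTP_X_FORWARDED_FOR": "127.0.0.1, 198.51.100.9, 10.0.0.1"}
    for name, env in (("direct", direct), ("proxied", proxied)):
        print(f"{name}: naive={naive_client_ip(env)} checked={client_ip(env)}")
```

Even the checked variant only tells you which address the nearest untrusted hop presented to your proxy; it says nothing about who is behind it, which is the reason the text above calls relying on REMOTE_ADDR for authentication a worst practice regardless of how the value is derived.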
Miscellaneous
Please note that the release of Django 1.1 will trigger end-of-life
for the Django 0.96 release series; as such, Django 0.96.4 will be the
last official release in that series and it will no longer receive
bugfix or security support directly from the Django development
team.

Posted over 14 years ago
As part of the Django 1.1 release process, tonight we've released Django 1.1 release candidate 1, a preview/testing package which, hopefully, is quite close to what will constitute the final Django 1.1 release. As with all pre-release packages, this is not for production use, but if you'd like to try out some of the new goodies coming in 1.1, or if you'd like to pitch in and help us fix bugs before the final 1.1 release (due in approximately one week), feel free to grab a copy and give it a spin.
You can get a copy of the 1.1 RC from our downloads page, and we recommend you read the release notes. Also, for the security conscious, signed MD5 and SHA1 checksums of the 1.1 release candidate package are available.
If no show-stopping bugs are found, the Django 1.1 final release will take place in one week. In the meantime, only critical release-blocking bugs will be considered for the final release. Django 1.1 is also now in string freeze; strings marked for translation will not change between now and the final release, so if you have translations to contribute now's the time.
With luck, we'll see you back here in a week for the release of Django 1.1.

Posted over 14 years ago
Has it really been a year since DjangoCon 2008? Apparently so:
registration for DjangoCon 2009 is now open! I'll let the conference
chair, Robert Lofthouse, take over from here:
DjangoCon '09 will be in Portland, Oregon at the DoubleTree Green Hotel between 8th and 12th September. The first 3
days are conference days and the last 2 days are sprint days.
The keynote speakers will be:
Avi Bryant
Ian Bicking
Ted Leung
Registration is now
open, and early bird rates are available through this Sunday, July
19th. The call for talk submissions is open through the 1st of August. You
can keep up to date with the latest news at djangocon.org.
DjangoCon '08 was a success at Google HQ in Mountain View (see videos from DjangoCon '08) and I'm sure we're going to have a lot of fun this time around as well.
Hope to see you there!
— Robert Lofthouse, DjangoCon Chairman

Posted almost 15 years ago
It's well past time for a quick update on the status of Django 1.1:
Anyone who's been following our development process and can read a calendar will probably have noticed that we've missed our originally-targeted ship date of April 13th. So we're now about a month behind.
The reason for the schedule slip is pretty typical for most software projects: we reached the target date with a number of bugs still open. Putting out buggy code on time simply isn't an option, so we've been working to get these final issues closed before we ship any code.
As I write this we have about fifty bugs still open (see the complete list here). I'm pretty hopeful about getting these fixed in short order: today is the first day of the EuroDjangoCon sprints, and we've got quite a turnout. A number of tricky bugs have been fixed already today.
Unfortunately, many of these remaining issues are quite tricky. Ironically, this is caused by Django's general stability: we've already fixed all the easy bugs!
We're not setting a timeline for the 1.1 release because the remaining
issues are "blockers": they have to be fixed before we can
put a release out. So while we're hoping to have the first release candidate out in a matter of days, this isn't a promise. We'll ship Django 1.1 when it's stable, and not a moment before.
Thanks for your understanding, and watch this space for updates.

Posted about 15 years ago
As part of the Django 1.1 release process, tonight we've released Django 1.1 beta 1, a preview package that shows off the new features coming in Django 1.1. As with all alpha and beta packages, this is not for production use, but if you'd like to try out some of the new goodies coming in 1.1, or if you'd like to pitch in and help us fix bugs before the final 1.1 release (due in April), feel free to grab a copy and give it a spin.
You can get a copy of the 1.1 beta package from our downloads page, and we recommend you read the release notes. Also, for the security conscious, signed MD5 and SHA1 checksums of the 1.1 beta package are available.
Our next stop will be the 2009 US PyCon in Chicago where, among other things, we'll be running development sprints targeted at producing the final Django 1.1 release. For a full 1.1 roadmap, see the 1.1 alpha release notes.

Posted about 15 years ago
As part of the Django 1.1 release process, tonight we've released Django 1.1 alpha 1, a preview/testing package that gives a little taste of some of the new features coming in Django 1.1. As with all alpha and beta packages, this is not for production use, but if you'd like to try out some of the new goodies coming in 1.1, or if you'd like to pitch in and help us fix bugs before the final 1.1 release (due in April), feel free to grab a copy and give it a spin.
You can get a copy of the 1.1 alpha package from our downloads page, and we recommend you read the release notes. Also, for the security conscious, signed MD5 and SHA1 checksums of the 1.1 alpha package are available.
Our next stop will be the 2009 US PyCon in Chicago where, among other things, we'll be running development sprints targeted at producing a feature-frozen 1.1 beta package (for a full 1.1 roadmap, see the 1.1 alpha release notes).

Posted about 15 years ago
It's almost spring, and you know what that means: PyCon is here! Early-bird registration ends soon, so take advantage of the low prices and register now!
PyCon's consistently among the best technical conferences in the world. The conference is chock-full of interesting talks about everything Python, and the unofficial parts of the conference (the "hallway track," open spaces, sprints, etc.) are even better.
As with previous years, Django will be very well represented at PyCon.
James Bennett and I will be teaching a tutorial, Django in the Real World, covering all the stuff you need to do after you've written your app. The tutorial's filling up, so if you're interested I recommend registering soon.
New to PyCon 2009 are invited speakers: a select group of fantastic Python speakers invited to drop some knowledge. Adrian is one of the invited speakers, and he'll be giving us all a look behind the scenes of EveryBlock.com. I'm really looking forward to this!
Then there's a whopping nine talks covering Django, including talks on Pinax, Google App Engine, Django on Jython, a panel discussing ORM design, and a talk with what has to be the most awesome title ever: Searching for Neutrinos Using Python at the Bottom of the World.
Adrian and I will also deliver a "State of Django" talk discussing where the project is, and where it's going.
Finally, after the talks end, the annual development sprint begins: four solid days of hacking! Anyone interested in working on Django is encouraged to attend, and note that the sprints at PyCon are open to anyone, not just PyCon attendees. So, if you're in Chicago feel free to stop on by!
Early-bird registration ends in just a couple of days, so make sure to register soon to take advantage of the discounts!
Hope to see lots of Djangonauts there!