News

Posted over 4 years ago by Frank Wiles
It is that time of year again to think about next year’s Django Software Foundation’s Board of Directors! As you know, the Board guides the direction of the marketing, governance and outreach activities of the Django community. We provide funding, resources, and guidance to Django events on a global level. Further we provide support to the Django community with an established Code of Conduct and make decisions and enforcement recommendations for violations. We work closely with our corporate and individual members to raise funds to help support our great community. In order for our community to continue to grow and advance the Django Web framework, we need your help. The Board of Directors consists of volunteers who are elected to one year terms. This is an excellent opportunity to help advance Django. We can’t do it without volunteers, such as yourself. For the most part, the time commitment is a few hours per month. There has been some confusion on this in the past, but anyone including current Board members, DSF Members, or the public at large can apply to the Board. It is open to all. If you are interested in helping to support the development of Django we’d enjoy receiving your application for the Board of Directors. Please fill out the application form by Friday, November 22nd, 2019 to be considered. If it is still the 22nd of November somewhere in the world, applications will remain open. If you have any questions about applying, the work, or the process in general please don’t hesitate to reach out via email to [email protected] and one of us will get back with you shortly. Thank you for your time and we look forward to working with you in 2020. The 2019 DSF Board of Directors Application Form.
Posted over 4 years ago by Frank Wiles
It is that time of year again when we recognize someone from our community in memory of our friend Malcolm. Malcolm was an early core contributor to Django and had both a huge influence and large impact on Django as we know it today. Besides being knowledgeable he was also especially friendly to new users and contributors. He exemplified what it means to be an amazing Open Source contributor. We still miss him. The DSF Prize page summarizes the prize nicely: The Malcolm Tredinnick Memorial Prize is a monetary prize, awarded annually, to the person who best exemplifies the spirit of Malcolm’s work - someone who welcomes, supports and nurtures newcomers; freely gives feedback and assistance to others, and helps to grow the community. The hope is that the recipient of the award will use the award stipend as a contribution to travel to a community event -- a DjangoCon, a PyCon, a sprint -- and continue in Malcolm’s footsteps. We will take nominations until Friday, November 8th AoE and will announce the winner soon after. Please make your nominations using this google form. If you have any questions please reach out to the DSF Board at [email protected].
Posted over 4 years ago by Mariusz Felisiak
Django 3.0 beta 1 is now available. It represents the second stage in the 3.0 release cycle and is an opportunity for you to try out the changes coming in Django 3.0. Django 3.0 has a raft of new features which you can read about in the in-development 3.0 release notes. Only bugs in new features and regressions from earlier versions of Django will be fixed between now and 3.0 final (also, translations will be updated following the "string freeze" when the release candidate is issued). The current release schedule calls for a release candidate in a month from now with the final release to follow about two weeks after that around December 2. Early and often testing from the community will help minimize the number of bugs in the release. Updates on the release schedule are available on the django-developers mailing list. As with all beta and beta packages, this is not for production use. But if you'd like to take some of the new features for a spin, or to help find and fix bugs (which should be reported to the issue tracker), you can grab a copy of the beta package from our downloads page or on PyPI. The PGP key ID used for this release is Mariusz Felisiak: 2EF56372BA48CD1B.
Posted over 4 years ago by Carlton Gibson
Today we've issued the 2.2.6, 2.1.13, and 1.11.25 bugfix releases. The release package and checksums are available from our downloads page, as well as from the Python Package Index. The PGP key ID used for this release is Carlton Gibson: E17DF5C82B4F9D00.
Posted over 4 years ago by Carlton Gibson
Django 3.0 alpha 1 is now available. It represents the first stage in the 3.0 release cycle and is an opportunity for you to try out the changes coming in Django 3.0. Django 3.0 has a raft of new features which you can read about in the in-development 3.0 release notes. This alpha milestone marks the feature freeze. The current release schedule calls for a beta release in about a month and a release candidate about a month from then. We'll only be able to keep this schedule if we get early and often testing from the community. Updates on the release schedule are available on the django-developers mailing list. As with all alpha and beta packages, this is not for production use. But if you'd like to take some of the new features for a spin, or to help find and fix bugs (which should be reported to the issue tracker), you can grab a copy of the alpha package from our downloads page or on PyPI. The PGP key ID used for this release is Carlton Gibson: E17DF5C82B4F9D00.
Posted over 4 years ago by Mariusz Felisiak
Today we've issued 2.2.5, 2.1.12, and 1.11.24 bugfix releases. The release package and checksums are available from our downloads page, as well as from the Python Package Index. The PGP key ID used for this release is Mariusz Felisiak: 2EF56372BA48CD1B.
Posted over 4 years ago by Carlton Gibson
In accordance with our security release policy, the Django team is issuing Django 1.11.23, Django 2.1.11, and Django 2.2.4. These releases address the security issues detailed below. We encourage all users of Django to upgrade as soon as possible.

Thanks Guido Vranken and Sage M. Abdullah for reporting these issues.

CVE-2019-14232: Denial-of-service possibility in django.utils.text.Truncator

If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable.

The regular expressions used by Truncator have been simplified in order to avoid potential backtracking issues. As a consequence, trailing punctuation may now at times be included in the truncated output.

CVE-2019-14233: Denial-of-service possibility in strip_tags()

Due to the behavior of the underlying HTMLParser, django.utils.html.strip_tags() would be extremely slow to evaluate certain inputs containing large sequences of nested incomplete HTML entities. The strip_tags() method is used to implement the corresponding striptags template filter, which was thus also vulnerable.

strip_tags() now avoids recursive calls to HTMLParser when progress removing tags, but necessarily incomplete HTML entities, stops being made.

Remember that absolutely NO guarantee is provided about the results of strip_tags() being HTML safe. So NEVER mark safe the result of a strip_tags() call without escaping it first, for example with django.utils.html.escape().

CVE-2019-14234: SQL injection possibility in key and index lookups for JSONField/HStoreField

Key and index lookups for django.contrib.postgres.fields.JSONField and key lookups for django.contrib.postgres.fields.HStoreField were subject to SQL injection, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to QuerySet.filter().

CVE-2019-14235: Potential memory exhaustion in django.utils.encoding.uri_to_iri()

If passed certain inputs, django.utils.encoding.uri_to_iri could lead to significant memory usage due to excessive recursion when re-percent-encoding invalid UTF-8 octet sequences.

uri_to_iri() now avoids recursion when re-percent-encoding invalid UTF-8 octet sequences.

Affected supported versions

Django master development branch
Django 2.2 before version 2.2.4
Django 2.1 before version 2.1.11
Django 1.11 before version 1.11.23

Resolution

Patches to resolve the issue have been applied to Django's master branch and the 2.2, 2.1, and 1.11 release branches. The patches may be obtained from the following changesets:

On the development master branch: master Truncator; master strip_tags(); master JSONField/HStoreField; master uri_to_iri()
On the Django 2.2 release branch: 2.2 Truncator; 2.2 strip_tags(); 2.2 JSONField/HStoreField; 2.2 uri_to_iri()
On the Django 2.1 release branch: 2.1 Truncator; 2.1 strip_tags(); 2.1 JSONField/HStoreField; 2.1 uri_to_iri()
On the Django 1.11 release branch: 1.11 Truncator; 1.11 strip_tags(); 1.11 JSONField/HStoreField; 1.11 uri_to_iri()

The following releases have been issued:

Django 1.11.23 (download Django 1.11.23 | 1.11.23 checksums)
Django 2.1.11 (download Django 2.1.11 | 2.1.11 checksums)
Django 2.2.4 (download Django 2.2.4 | 2.2.4 checksums)

The PGP key ID used for this release is Carlton Gibson: E17DF5C82B4F9D00

General notes regarding security reporting

As always, we ask that potential security issues be reported via private email to [email protected], and not via Django's Trac instance, Django's GitHub repositories, or the django-developers list. Please see our security policies for further information.
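An added example, not part of the advisory above and not Django's own code: CVE-2019-14234 was reachable when a client-controlled dictionary was expanded into QuerySet.filter(**kwargs), so alongside upgrading, an application can validate lookup keys against an allowlist before they reach the ORM. The field names, lookup set, pattern and the function name safe_filter_kwargs are assumptions made for illustration.

```python
import re

# Assumptions for this sketch: which model fields clients may filter on,
# which of them are JSONField/HStoreField columns, and which lookups are offered.
ALLOWED_FIELDS = {"name", "data"}
JSON_FIELDS = {"data"}
ALLOWED_LOOKUPS = {"exact", "iexact", "icontains", "gt", "lt"}

# JSON keys and array indexes are limited to a conservative character set,
# so no quote, whitespace or punctuation reaches the ORM inside a key name.
SEGMENT_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


class RejectedLookup(ValueError):
    """Raised when a client-supplied lookup key is not on the allowlist."""


def safe_filter_kwargs(untrusted):
    """Validate untrusted lookup keys; return a dict safe for filter(**kwargs)."""
    if not isinstance(untrusted, dict):
        raise RejectedLookup("filter must be a JSON object")
    cleaned = {}
    for key, value in untrusted.items():
        if not isinstance(key, str):
            raise RejectedLookup("lookup key must be a string")
        field, *path = key.split("__")
        if field not in ALLOWED_FIELDS:
            raise RejectedLookup(f"field not filterable: {field!r}")
        # A trailing component may be a lookup type such as icontains.
        if path and path[-1] in ALLOWED_LOOKUPS:
            path = path[:-1]
        # Anything left is a key/index path, valid only on JSON-like fields.
        if path and field not in JSON_FIELDS:
            raise RejectedLookup(f"unsupported lookup: {key!r}")
        for segment in path:
            if not SEGMENT_RE.fullmatch(segment):
                raise RejectedLookup(f"bad key path segment in {key!r}")
        cleaned[key] = value
    return cleaned


if __name__ == "__main__":
    # Constructed sample input, standing in for a parsed request body.
    samples = [{"name__icontains": "ann", "data__owner__name": "bob"},
               {"password__startswith": "a"}, {"data__o'k": 1}, {"data__": 1}]
    for sample in samples:
        try:
            print("ok      ", safe_filter_kwargs(sample))
        except RejectedLookup as exc:
            print("rejected", exc)
```
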
Posted over 4 years ago by Daniel Roy Greenfeld, Adam Johnson, Eyitemi Egbejule, Daniele Procida
In just a few weeks, from the 6th to 10th of August, the first ever pan-African PyCon will take place in Accra, Ghana. PyCon Africa 2019 is an amazing step for the rapidly growing Python community in Africa. Django at PyCon Africa Django will be well represented with a Django Girls workshop, several talks, and many members of the Django Software Foundation in attendance. Numerous DSF members have attended Python events in Africa in the past, and we're excited to see the conference come to fruition. May it be the first of many! The DSF is one of PyCon Africa's sponsors, passing on some of the donations it has received to help with its goals of supporting community development across the world. Sponsorship It's thanks to its sponsors that the event can go ahead. All the basic costs of the event are now covered and attendees from many African countries will be represented. However, the organisers are looking for further sponsorship for the financial assistance programme. Travel, even within Africa and to a well-connected city like Accra, is expensive and difficult for many Africans. Entry visas to Ghana can cost $100-200 per person, which when combined with other expenses puts the event out of the range of a lot of potential attendees. There's an opportunity here. Sponsoring PyCon Africa means more people from across Africa will be able to attend, strengthening the network of the African Python community and building its expertise. We’ve already seen the results of this engagement within Python, as African Pythonistas have advanced in their careers and contributed back to the software and the community (just for example, Anna Makarudze from Zimbabwe serves on the Django Software Foundation board, as Vice President of the DSF itself). Companies interested in sponsorship should get in touch with the organising team via the website. Individuals can also contribute to the financial assistance fund via the GoFundMe page.
You can read more about the conference on the official website. Also Noah Alorwu and Abigail Mesrenyame Dogbe, two of the organizers, gave a great talk at DjangoCon Europe this year about developing their community - including an announcement for the first DjangoCon Africa next year!
Posted almost 5 years ago by Leigh Brenecki and Markus Holtermann
For the 7th year running, DjangoCon Australia is coming up on August 2nd. Just like last year, the sibling conference to DjangoCons EU and US, is on in Sydney at the International Convention Centre. DjangoCon Australia is a one-day event, organized as a specialist track as part of PyCon AU. Packed with talks about best practices, communities, contributions, and the present and future of Django, DjangoCon Australia 2019 will be bigger than ever. There are still tickets available for DjangoCon Australia and PyCon AU. You can join for one day with tickets starting at AU$150 for just the DjangoCon AU day, or AU$490 for all three days. We also have significant discounts for student attendees, and we also have Contributor ✨ tickets for those who want to help financially support the conference. The schedule for DjangoCon Australia and all of PyCon AU is already live, so take a look at what we have in store. Buy your ticket before July 9 to ensure you get one of the famous PyCon AU t-shirts in a size that fits you. Shirts for DjangoCon Australia will be revealed and details announced on the day. We hope to see you in Sydney next month! Leigh Brenecki, Markus Holtermann, DjangoCon Australia organizers
Posted almost 5 years ago by Rebecca Kindschi and Jeff Triplett
We are a little over two months away from DjangoCon US in San Diego, CA, and we are pleased to announce that our schedule is live! We received many excellent proposals, and the reviewers and program team had a difficult job choosing the final talks and tutorials. Thank you to everyone who submitted a proposal or helped to review. Tickets for the conference are still on sale. There are a small handful of early-bird tickets left, so pick one up before they sell out! Check out our website for more information on which ticket type to select. We have also announced our tutorials. They are $195 each, and may be purchased at the same place as the conference tickets. In other program news, this year, the third day of talks will be a single-track slate of deep-dive topics in Django. We’ll be covering async, authentication, generic views, model inheritance, using Django as a micro-framework, and WASM. DjangoCon US will be held September 22-27 at the beautiful San Diego Marriott Mission Valley. Our hotel block rate expires August 21, but rooms are selling quickly, so reserve your room today. If you’re interested in sharing a room, we have information on that as well. We hope to see you in San Diego!