News
Posted over 8 years ago by Tim Graham
In accordance with our security release policy, the Django team is issuing Django 1.10.7, Django 1.9.13 and 1.8.18. These releases address two security issues detailed below. We encourage all users of Django to upgrade as soon as possible. The Django master and stable/1.11.x branches are also updated. The Django 1.11 release is forthcoming shortly in a separate blog post.

CVE-2017-7233: Open redirect and possible XSS attack via user-supplied numeric redirect URLs

Django relies on user input in some cases (e.g. django.contrib.auth.views.login() and i18n) to redirect the user to an "on success" URL. The security check for these redirects (namely django.utils.http.is_safe_url()) considered some numeric URLs (e.g. http:999999999) "safe" when they shouldn't be. Also, if a developer relies on is_safe_url() to provide safe redirect targets and puts such a URL into a link, they could suffer from an XSS attack.

CVE-2017-7234: Open redirect vulnerability in django.views.static.serve()

A maliciously crafted URL to a Django site using the django.views.static.serve() view could redirect to any other domain. The view no longer does any redirects as they don't provide any known, useful functionality. Note, however, that this view has always carried a warning that it is not hardened for production use and should be used only as a development aid.

Thanks Phithon from Chaitin Tech (@ChaitinTech) for reporting this issue.

Affected supported versions

- Django master development branch
- Django 1.11 (at release candidate status, final release forthcoming)
- Django 1.10
- Django 1.9
- Django 1.8

Per our supported versions policy, Django 1.7 and older are no longer receiving security updates. Also, Django 1.9.x has reached end-of-life -- this is the final release of that series.

Resolution

Patches to resolve the issues have been applied to Django's master development branch and the 1.11, 1.10, 1.9, and 1.8 release branches. The patches may be obtained from the following changesets:

- On the development master branch: is_safe_url(), serve()
- On the 1.11 release branch: is_safe_url(), serve()
- On the 1.10 release branch: is_safe_url(), serve()
- On the 1.9 release branch: is_safe_url(), serve()
- On the 1.8 release branch: is_safe_url(), serve()

The following releases have been issued:

- Django 1.10.7 (download Django 1.10.7 | 1.10.7 checksums)
- Django 1.9.13 (download Django 1.9.13 | 1.9.13 checksums)
- Django 1.8.18 (download Django 1.8.18 | 1.8.18 checksums)

The PGP key ID used for these releases is Tim Graham: 1E8ABDC773EDE252.

General notes regarding security reporting

As always, we ask that potential security issues be reported via private email to [email protected], and not via Django's Trac instance or the django-developers list. Please see our security policies for further information.
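To make the CVE-2017-7233 failure concrete, here is an added example; it is not Django's code and is simplified from what django.utils.http.is_safe_url() does. It puts side by side the two ingredients of the bug: a minimal URL splitter that applies the special case the standard-library parser used at the time (a string of the form letters:digits is taken to be a bare host:port path rather than a URL with a scheme, so "http:999999999" comes back with no scheme and looks like a relative path), and the same splitter with that rule removed, which is the shape of Django's fix (it carries a private copy of the splitter without the numeric special case). A browser, by contrast, reads an all-digit host as an IPv4 number, so the "relative" path is really a redirect off-site. The function names, the host "testserver" and all sample URLs are assumptions for illustration.

```python
# Added example, not Django's code: a simplified is_safe_url()-style check
# next to the parsing rule that caused CVE-2017-7233. Function names, the
# host "testserver" and every sample URL below are assumptions for illustration.
import string
import unicodedata

SCHEME_CHARS = string.ascii_letters + string.digits + "+-."


def split_url(url, numeric_path_special_case):
    """Minimal URL splitter returning (scheme, netloc, rest).

    With numeric_path_special_case=True it mirrors the rule the stdlib
    splitter applied at the time: "letters:digits" is NOT treated as a
    scheme, so that a bare "host:8080" parses as a path. That rule turns
    "http:999999999" into a scheme-less relative path. With the flag off
    the rule is gone, which is the shape of Django's fix.
    """
    scheme = ""
    i = url.find(":")
    if i > 0 and all(c in SCHEME_CHARS for c in url[:i]):
        rest = url[i + 1:]
        looks_like_port = bool(rest) and all(c in string.digits for c in rest)
        if not (numeric_path_special_case and looks_like_port):
            scheme, url = url[:i].lower(), rest
    netloc = ""
    if url.startswith("//"):
        end = len(url)
        for sep in "/?#":
            j = url.find(sep, 2)
            if 0 <= j < end:
                end = j
        netloc, url = url[2:end], url[end:]
    return scheme, netloc, url


def _is_safe(url, host, fixed):
    # Browsers treat three or more leading slashes as an absolute URL.
    if url.startswith("///"):
        return False
    scheme, netloc, _ = split_url(url, numeric_path_special_case=not fixed)
    # A scheme without a host ("http:///evil.example", "http:evil.example")
    # is still absolute to a browser, so it must not pass as relative.
    if scheme and not netloc:
        return False
    # Some browsers ignore leading control characters, which could make
    # "\x00//evil.example" look scheme-relative; reject those outright.
    if unicodedata.category(url[0])[0] == "C":
        return False
    return (not netloc or netloc == host) and (not scheme or scheme in ("http", "https"))


def is_safe_redirect(url, host, fixed=True):
    """True only if `url` stays on `host` using http(s) or no scheme at all.

    fixed=False re-enables the numeric special case to show the bypass.
    """
    url = (url or "").strip()
    if not url:
        return False
    # Chrome treats "\" like "/" in paths, so both spellings must be safe.
    return _is_safe(url, host, fixed) and _is_safe(url.replace("\\", "/"), host, fixed)


def numeric_host_to_ipv4(host_digits):
    """Where a browser sends "http:999999999": an all-digit host is parsed
    as a 32-bit IPv4 number under the WHATWG URL rules browsers follow."""
    n = int(host_digits)
    if not 0 <= n <= 0xFFFFFFFF:
        raise ValueError("not an IPv4 number: %s" % host_digits)
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


if __name__ == "__main__":
    host = "testserver"
    for candidate in ("/accounts/profile/", "http://testserver/next",
                      "http:999999999", "javascript:1", "//evil.example/"):
        print("%-24s vulnerable=%-5s fixed=%s" % (
            candidate,
            is_safe_redirect(candidate, host, fixed=False),
            is_safe_redirect(candidate, host)))
    print("http:999999999 is http://%s/ to a browser"
          % numeric_host_to_ipv4("999999999"))
```

With the special case on, "http:999999999" and "javascript:1" both pass, the first sending the user to 59.154.201.255 and the second running script if the value is placed in an href; with it off, both are rejected because a scheme with no host is never treated as relative. One consequence of dropping the rule is that a bare "localhost:8080" is now read as scheme "localhost" and rejected too, which is the safe side to err on for a redirect target.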
Posted over 8 years ago by Rebecca Kindschi and Jeff Triplett
Tickets are on sale for DjangoCon US 2017 in Spokane, WA! We’re also looking for reviewers for our talk and tutorial proposals, and our CFP and financial aid application are closing soon.

Tickets Are on Sale

Tickets are now on sale! DjangoCon US has tiered pricing, and we put together a blog post with more details. We hope to see you in Spokane August 13-18.

Call for Reviewers

We’re looking for volunteers to help review talk and tutorial proposals. This will require a few hours of time from now until April 24. Reviewing talks only takes a couple of minutes per talk. Reviewers don’t need to review all talks and tutorials and don’t need to review them all in one day. Most people find that reviewing talks for 30 minutes at a time, once or twice a week, gets them through the talks pretty quickly. If you’re interested, please email [email protected]. Thank you to all of the awesome volunteers who have already signed up!

Call for Proposals Deadline

Our Call for Proposals (CFP) deadline is quickly approaching! April 10 at midnight Anywhere on Earth is the deadline to submit a talk or tutorial proposal. We would love to see a few more tutorial proposals (tutorials are compensated!). Please get in touch with us or our wonderful speaker mentors if you need help refining or expanding on an idea.

Financial Aid Deadline

The DjangoCon US financial aid application also closes on April 10. We have more information and FAQs about financial aid on our website. The application is short and sweet, so please apply today!
Posted over 8 years ago by Tim Graham
Django 1.11 release candidate 1 is the final opportunity for you to try out the medley of new features before Django 1.11 is released. The release candidate stage marks the string freeze and the call for translators to submit translations. Provided no major bugs are discovered that can't be solved in the next two weeks, 1.11 final will be issued on or around April 4. Any delays will be communicated on the django-developers mailing list thread.

Please use this opportunity to help find and fix bugs (which should be reported to the issue tracker). You can grab a copy of the package from our downloads page or on PyPI.

The PGP key ID used for this release is Tim Graham: 1E8ABDC773EDE252.
Posted over 8 years ago by Tim Graham
Today we've issued the 1.10.6 bugfix release. The release package and checksums are available from our downloads page, as well as from the Python Package Index. The PGP key ID used for this release is Tim Graham: 1E8ABDC773EDE252.
Posted over 8 years ago by Tim Graham
Django 1.11 beta 1 is an opportunity for you to try out the medley of new features in Django 1.11. Only bugs in new features and regressions from earlier versions of Django will be fixed between now and 1.11 final (also, translations will be updated following the "string freeze" when the release candidate is issued).

The current release schedule calls for a release candidate about a month from now with the final release to follow about two weeks after that around April 1. We'll only be able to keep this schedule if we get early and often testing from the community. Updates on the release schedule are available on the django-developers mailing list.

As with all alpha and beta packages, this is not for production use. But if you'd like to take some of the new features for a spin, or to help find and fix bugs (which should be reported to the issue tracker), you can grab a copy of the beta package from our downloads page or on PyPI.

The PGP key ID used for this release is Tim Graham: 1E8ABDC773EDE252.
Posted over 8 years ago by Rebecca Kindschi, Jeff Triplett, and the DjangoCon US team
In case you missed the news, DjangoCon US 2017 will take place in beautiful Spokane, Washington, from August 13-18, 2017! We’ll have more information on the venue and ticket sales soon, but we’re pleased to announce the following items.

Call for Proposals (CFP)

Our CFP for talks and tutorials is now open! The deadline for submissions is April 10, 2017. We’re looking for speakers of all experience levels and backgrounds. Talk and tutorial presenters also receive free admission to DjangoCon US.

Financial Aid Application

Grants to assist with your travel and lodging expenses are available as well. Our Financial Aid application is also now open. The deadline is April 10, 2017.

Seeking Speaker Mentors

Preparing and giving a talk at a conference is no small task, and it can be even more intimidating to first-time presenters. We're looking for encouraging people with talk or tutorial experience to volunteer to be mentors for this year's DjangoCon US 2017 speakers. Mentors provide encouragement and advice to participating presenters on an informal basis. A good mentor should:

- have previous speaking experience
- ...or have previous experience giving tutorials
- be familiar with how to propose a talk or tutorial
- be able to help construct an effective, engaging talk
- encourage first-time speakers, non-native English speakers, or anyone needing a little boost
- be able to provide critique, advice, or refinements on a presentation

This is a strictly volunteer position with a small time commitment. It's so rewarding to help someone else kick off their speaking career! If you'd like to help out as a mentor, please contact us and include a quick description of yourself, your speaking experience, and why you'd like to help.
Posted over 8 years ago by Rebecca Conley & DSF Code of Conduct committee
Happy New Year to the Django Community! As we begin 2017, many of us are reflecting on how to maintain safe, inclusive spaces within our communities. One meaningful way to do that is to serve on the Django Code of Conduct committee.

In 2013, with input from the community, Django Core members and the DSF board developed a code of conduct, the purpose of which was explained by Alex Gaynor and Jacob Kaplan-Moss: “Why do we need a code of conduct? To best keep with some of our core values: documentation and 'explicit is better than implicit.' We want to maintain a vibrant, diverse, and technically excellent community, and we believe that a part of that is writing down the standards of behavior we hold ourselves to.”

As of May 2016, Committee members serve a six month fixed term. You will serve in a rotation of being “on-call” (via email) for a week at a time in order to respond to reports from the community. This is a great service to the Django community, particularly to those who are most at risk, and it is made more manageable when shared.

If you are interested in volunteering to serve a six-month term, please review the online documentation and procedures regarding the CofC Committee, then email [email protected]. Thank you for reading, and all the best in 2017!
Posted over 8 years ago by Tim Graham
Django 1.11 alpha 1 is now available. It represents the first stage in the 1.11 release cycle and is an opportunity for you to try out the changes coming in Django 1.11.

Django 1.11 has a medley of new features which you can read about in the in-development 1.11 release notes.

This alpha milestone marks a complete feature freeze. The current release schedule calls for a beta release in about a month and a release candidate about a month from then. We'll only be able to keep this schedule if we get early and often testing from the community. Updates on the release schedule are available on the django-developers mailing list.

As with all alpha and beta packages, this is not for production use. But if you'd like to take some of the new features for a spin, or to help find and fix bugs (which should be reported to the issue tracker), you can grab a copy of the alpha package from our downloads page or on PyPI.

The PGP key ID used for this release is Tim Graham: 1E8ABDC773EDE252.
Posted over 8 years ago by Frank Wiles
We're happy to announce the winners of the DSF Board elections for 2017. Frank Wiles, Daniele Procida, and James Bennett were re-elected for another term. Our new Board members are Kenneth Love, Ken W. Alger, and Rebecca Conley. Rebecca, as you may be aware, served as Board Secretary during 2016 to fill a vacancy but will be returning again this year.

We wish to thank Christophe Pettus and Karen Tracey who did not run again this year for their service and the wisdom they brought to us.

The Board will be having our first meeting in the coming days to ratify the slate of officers at which time we'll update the website accordingly. We look forward to another great year of helping further Django and the Django Community.