News

Posted almost 15 years ago
Today the Django team is issuing a new release -- Django 1.2.2 -- to remedy a security issue reported to us. This issue was disclosed independently by two different parties, and all users of Django 1.2 are urged to upgrade immediately.

Description of issue

As of the 1.2 release, the core Django framework includes a system, enabled by default, for detecting and preventing cross-site request forgery (CSRF) attacks against Django-powered applications. Previous Django releases provided a different, optionally-enabled system for the same purpose.

The Django 1.2 CSRF protection system involves the generation of a random token, inserted as a hidden field in outgoing forms. The same value is also set in a cookie, and the cookie value and form value are compared on submission. The provided template tag for inserting the CSRF token into forms -- {% csrf_token %} -- explicitly trusts the cookie value, and displays it as-is. Thus, an attacker who is able to tamper with the value of the CSRF cookie can cause arbitrary content to be inserted, unescaped, into the outgoing HTML of the form, enabling cross-site scripting (XSS) attacks.

This issue was first reported via a public ticket in Django's Trac instance; while being triaged it was then independently reported, with broader description, by Jeff Balogh of Mozilla.

Affected versions

Django development trunk
Django 1.2

Because the current CSRF-protection system is new as of Django 1.2, older releases are unaffected.

Resolution

Patches have been applied to Django trunk and to the 1.2 release branch to ensure the cookie value is never trusted and is always escaped. Future Django releases may migrate away from the use of a dedicated cookie to avoid the possibility of such issues.

Patches may be obtained directly from the appropriate changesets:

Django trunk: Changeset 13698
Django 1.2: Changeset 13699

The following release has been issued: Django 1.2.2 (download | checksums)

General notes regarding security

As always, we ask that potential security issues be reported via private email to [email protected], and not via Django's Trac instance or the django-developers list.

Due to the time-sensitive nature of this issue, our normal process of advance notification of distributors of Django was not followed; notification to distributors was sent just prior to issuance of this release. If you are or represent a third-party distributor of Django and did not receive a notification email from the Django release manager, please contact [email protected].
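The flaw the advisory describes, as an added illustration that is not Django's own code and not the patch from changesets 13698 or 13699: a minimal stand-in for the template tag renders the hidden field from the cookie value, once in the trusting form the advisory describes and once in a hardened form that HTML-escapes the value before it reaches the page, alongside the submission-time comparison of cookie and form values. The field name, the token format check in the submission-time comparison, and the sample cookie values are assumptions made for this example; the advisory's stated fix is escaping.

```python
import hmac
import html
import re

# Hidden-field name, following Django's usual convention (assumption for this example).
FIELD_NAME = "csrfmiddlewaretoken"

# What a well-formed token is expected to look like: alphanumeric, bounded length.
# This format check is an added tightening for the submission-time comparison,
# not part of the advisory's stated fix.
TOKEN_RE = re.compile(r"^[A-Za-z0-9]{32,64}$")

# Constructed sample values, not real tokens.
GOOD_COOKIE = "a3f9c1e2b7d84c5a9f0e1d2c3b4a5968f7e6d5c4"
TAMPERED_COOKIE = '"><script>alert(1)</script>'


def render_csrf_field_vulnerable(cookie_value):
    """Stand-in for the pre-fix behaviour: the cookie value is trusted and
    written into the form as-is, so a tampered cookie becomes live markup."""
    return '<input type="hidden" name="%s" value="%s">' % (FIELD_NAME, cookie_value)


def render_csrf_field_fixed(cookie_value):
    """Hardened stand-in: the cookie is never trusted; whatever is emitted is
    HTML-escaped, quotes included, so it cannot break out of the attribute."""
    return '<input type="hidden" name="%s" value="%s">' % (
        FIELD_NAME, html.escape(cookie_value or "", quote=True))


def looks_like_token(value):
    """Reject values that cannot have come from the framework's token generator."""
    return bool(value) and TOKEN_RE.match(value) is not None


def csrf_check(cookie_value, form_value):
    """Submission-time check: both values must be well-formed and equal.
    Constant-time comparison avoids leaking the token through timing."""
    if not looks_like_token(cookie_value) or not looks_like_token(form_value):
        return False
    return hmac.compare_digest(cookie_value, form_value)


def demo():
    """Report, per rendering path, whether a tampered cookie leaks raw markup."""
    return {
        "vulnerable_leaks_markup": "<script>" in render_csrf_field_vulnerable(TAMPERED_COOKIE),
        "fixed_leaks_markup": "<script>" in render_csrf_field_fixed(TAMPERED_COOKIE),
    }


if __name__ == "__main__":
    for name, leaked in demo().items():
        print("%s: %s" % (name, leaked))
    print(render_csrf_field_fixed(TAMPERED_COOKIE))
```

Escaping on output is the change that closes the XSS; the format check on the submission path is a separate, added precaution so that a cookie an attacker has overwritten with arbitrary bytes never satisfies the comparison, whatever it contains.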
Posted about 15 years ago
As previously announced, today marks the release of Django 1.2.1, the first bugfix release in the Django 1.2 series. For the package itself, swing by our downloads page; and as always, signed checksums of the release package are available. As a bugfix release, Django 1.2.1 contains no new features -- only the fixes for a few bugs noted in the previous announcements, along with two more tickets which had quick fixes available: #13592 and #13590.
Posted about 15 years ago
As mentioned previously, we decided to hold off the release of Django 1.2.1 a bit to investigate a bug reported shortly after 1.2; I'm happy to announce that the relevant ticket has now been closed out, along with a couple of other tickets reported against 1.2. To be on the safe side, though, we're going to give Django 1.2 the rest of the weekend to shake out a bit, and release Django 1.2.1 on Monday, May 24. Assuming no other critical issues come up over the weekend, Django 1.2.1 will differ from 1.2 in having an updated documentation builder, and the fixes for the following issues:

#13577 -- updated Polish localization
#13569 -- applying the correct username restrictions during superuser creation
#13560 -- fix localization with SplitDateTimeField and other multi-value fields/widgets
#13573 -- ensuring the cached template loader uses the correct full template path
#13566 and #13563 -- fixing a few typos in the documentation.
Posted about 15 years ago
It's official: DjangoCon US 2010 is a go! We're back in Portland, Oregon September 7th-9th. Last year was a blast, and the planning team is working their butts off to make sure that this year is even better. Come on out to see some great talks and meet a bunch of awesome people. Registration and talk submissions are open at djangocon.us, where you'll also find venue information, schedules, and all other conference details. You'll want to register soon: early bird rates end June 8th and we may sell out before then. We'll be holding development sprints the three days following the conference (September 10th - 12th). The sprints, as always, are free, and everyone's invited (including those who didn't come to the conference). This year there's a new crew bringing you the conference: DjangoCon US 2010 is being produced by Steve Holden's Mighty Python Empire, technically supported by Eldarion, and run by the community. I hope to see you there!
Posted about 15 years ago
Following yesterday's release of Django 1.2, we noted that an issue was discovered with the script which builds the Django documentation, and that Django 1.2.1 would be released today to remedy that. Today as we were preparing for that release, another issue was brought up, revealing a bug in form localization that we'd like to deal with immediately if possible; as such, we're going to delay 1.2.1 one more day -- releasing it May 19, 2010, US Central time -- while we work on it. This does mean another day with the incorrect docs builder, but if at all possible we'd like to quash the forms bug quickly rather than wait to deal with it in a regular bugfix release.
Posted about 15 years ago
It's here! After many months of work, we're proud to announce the release today of Django 1.2. There's so much cool stuff packed into it that even a summary can't do it justice; you'll just have to go read the release notes to see it all, then swing by the downloads page to grab a copy. And as always, signed checksums for the release package are available. One important point is worth mentioning here, however: Django 1.2 is, as covered in the release notes, the first official release of Django which does not support Python 2.3. Django still runs on 2.x Python, but the minimum version requirement is now 2.4. Django 1.1, which is still supported with security updates, continues to provide Python 2.3 support if you need it, and will do so until its support lifetime ends with the release of Django 1.3. Finally, we'd like to point out, as always, that we couldn't do this without the help of the huge numbers of people all around the world who contribute to and improve Django every single day. All of you should give yourselves a big pat on the back, and if you happen to be in Berlin next week, go celebrate with your fellow Djangonauts at DjangoCon EU.

Update: It's been pointed out that the config file which builds the Django documentation didn't get its version number incremented in the Django 1.2 package. To rectify this we're going to wait 24 hours to make sure no other oversights are discovered in 1.2, then issue Django 1.2.1 tomorrow afternoon -- May 18, US Central time -- with an updated documentation builder.
Posted about 15 years ago
Although most attention recently has been on the Django 1.2 development and release process, the Django team is pleased to announce the release of Django 1.1.2. This is the second bugfix release in the Django 1.1 series; it consists -- with one important exception, detailed in the release notes -- entirely of bugs which were either fixed specifically in the Django 1.1 tree, or fixed in trunk as part of the 1.2 process and then backported. Note that the resolutions for two bugs fixed in this release may cause compatibility issues in rare cases; consult the release notes for more information. As this is a purely bugfix release, its release notes are rather sparse; if you're interested in a full list of the fixes applied, please consult the log of the 1.1 branch for details. Signed checksums for Django 1.1.2 are also available. Also, please note that the release of Django 1.2, expected later today, will mark the end of general bugfix support for the Django 1.1 series; the only updates to 1.1 from this point on will be for security issues, if needed, and all support for the Django 1.1 series will end with the release of Django 1.3.
Posted about 15 years ago
It's been ten days now since the Django 1.2 release candidate, and no new blocking bugs have been reported, so we're giving Django 1.2 the green light. The final 1.2 release will take place on Monday, May 17, 2010. Between now and Monday, the only things we'll be accepting (barring any release-blocking bugs -- but we're not aware of any) are updated translation files; if you've got translations you haven't yet submitted, please get them into Trac as quickly as possible so we can deal with them before the final release.
Posted about 15 years ago
As part of the Django 1.2 release process, tonight we've released Django 1.2 release candidate 1, a preview/testing package that gives a little taste of some of the new features coming in Django 1.2. As with all pre-release packages, this is not for production use, but if you'd like to try out some of the new goodies coming in 1.2, or if you'd like to pitch in and help us fix bugs before the final 1.2 release (due in one week), feel free to grab a copy and give it a spin. You can get a copy of the 1.2 release candidate package from our downloads page, and we recommend you read the release notes. Also, for the security conscious, signed MD5 and SHA1 checksums of the 1.2 release candidate package are available.
Posted over 15 years ago
We're in the final stretch

As a result of some good bug killing activity over the week, there are just 2 bugs blocking a release candidate. Both of these bugs (#13166 and #13315) are reasonably well understood; they're just waiting on the time needed to polish and commit the patches. So -- that means we're on target for a release candidate around May 3, with a final release around May 10. The exact date might be off by a day or two, depending on the ability of our esteemed Release Manager James Bennett to find the time to turn the crank and make the official tarballs. Once we have a release candidate, work will shift to closing the 48 outstanding documentation and translation issues. Luckily, progress on these tickets is much easier than fixing code problems, and there's lots of opportunity to contribute. To that end, we'll be having a virtual sprint on May 8th to try and get as much documentation work sorted out as possible. If you want to help out, join us on #django-sprint on IRC on the 8th; or if you can spare time before then, pick a documentation ticket and work up a patch (or edit a patch on an existing documentation ticket). As always, any and all help is most welcome.