Posted almost 5 years ago by Mariusz Felisiak
In accordance with our security release policy, the Django team is issuing Django 1.11.22, Django 2.1.10, and Django 2.2.3. These releases address the security issue detailed below. We encourage all users of Django to upgrade as soon as possible.
Thanks Gavin Wahl for reporting this issue.
CVE-2019-12781: Incorrect HTTP detection with reverse-proxy connecting via HTTPS
When deployed behind a reverse-proxy connecting to Django via HTTPS, django.http.HttpRequest.scheme would incorrectly detect client requests made via HTTP as using HTTPS. This entails incorrect results for is_secure() and build_absolute_uri(), and means that HTTP requests would not be redirected to HTTPS in accordance with SECURE_SSL_REDIRECT.
HttpRequest.scheme now respects SECURE_PROXY_SSL_HEADER, if it is configured, and the appropriate header is set on the request, for both HTTP and HTTPS requests.
If you deploy Django behind a reverse-proxy that forwards HTTP requests, and that connects to Django via HTTPS, be sure to verify that your application correctly handles code paths relying on scheme, is_secure(), build_absolute_uri(), and SECURE_SSL_REDIRECT.
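The following is an added, stand-alone model of the two behaviours described above; it is not Django's source code. It assumes the documented shape of SECURE_PROXY_SSL_HEADER (a header-name/value tuple, here the WSGI form of X-Forwarded-Proto) and replaces WSGIRequest with a small FakeRequest whose url_scheme stands in for environ['wsgi.url_scheme'] on the proxy-to-Django hop. The pre-fix function only ever promotes a request to "https", so a plain-HTTP client behind a TLS-terminating proxy that itself speaks HTTPS to Django is reported as secure and SECURE_SSL_REDIRECT never fires; the post-fix function lets a present header decide in both directions.

```python
"""Added example modelling HttpRequest.scheme before and after the
CVE-2019-12781 fix. Not Django's code; FakeRequest is a constructed stand-in."""

# Constructed stand-in for settings.SECURE_PROXY_SSL_HEADER. As Django's docs
# say, only set this when the proxy always overwrites the header it names.
SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")


class FakeRequest:
    """Minimal stand-in for WSGIRequest: META carries the proxy's forwarded
    header, url_scheme is the scheme the WSGI server saw on its own socket."""

    def __init__(self, url_scheme, meta):
        self.url_scheme = url_scheme
        self.META = meta

    def _get_scheme(self):
        # WSGIRequest reads environ['wsgi.url_scheme'] here; when the proxy
        # connects to Django over TLS this is 'https' for every request.
        return self.url_scheme


def scheme_before_fix(request, proxy_header=SECURE_PROXY_SSL_HEADER):
    """Pre-2.2.3 logic: the header could only upgrade a request to https."""
    if proxy_header:
        header, secure_value = proxy_header
        if request.META.get(header) == secure_value:
            return "https"
    # Any other header value falls through to the transport scheme, which is
    # 'https' whenever the proxy itself talks TLS to Django.
    return request._get_scheme()


def scheme_after_fix(request, proxy_header=SECURE_PROXY_SSL_HEADER):
    """Fixed logic: if the configured header is present it decides both ways;
    only a missing header falls back to the transport scheme."""
    if proxy_header:
        header, secure_value = proxy_header
        header_value = request.META.get(header)
        if header_value is not None:
            return "https" if header_value == secure_value else "http"
    return request._get_scheme()


def is_secure(request, scheme_func):
    """HttpRequest.is_secure() is simply scheme == 'https'."""
    return scheme_func(request) == "https"


def needs_ssl_redirect(request, scheme_func, secure_ssl_redirect=True):
    """Mirrors SecurityMiddleware's decision: redirect only insecure requests."""
    return secure_ssl_redirect and not is_secure(request, scheme_func)


def compare(client_proto):
    """Proxy -> Django hop is HTTPS; the client used `client_proto`.
    Returns (scheme, redirect_needed) for the old and the fixed logic."""
    request = FakeRequest("https", {"HTTP_X_FORWARDED_PROTO": client_proto})
    return {
        "before": (scheme_before_fix(request),
                   needs_ssl_redirect(request, scheme_before_fix)),
        "after": (scheme_after_fix(request),
                  needs_ssl_redirect(request, scheme_after_fix)),
    }


if __name__ == "__main__":
    for proto in ("http", "https"):
        print(proto, compare(proto))
```

The case to check in your own deployment is compare("http"): the old logic yields ("https", False), so the insecure client is never redirected, while the fixed logic yields ("http", True).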
Affected supported versions
Django master development branch
Django 2.2 before version 2.2.3
Django 2.1 before version 2.1.10
Django 1.11 before version 1.11.22
Resolution
Patches to resolve the issue have been applied to Django's master branch and the 2.2, 2.1, and 1.11 release branches. The patches may be obtained from the following changesets:
On the master branch
On the 2.2 release branch
On the 2.1 release branch
On the 1.11 release branch
The following releases have been issued:
Django 1.11.22 (download Django 1.11.22 | 1.11.22 checksums)
Django 2.1.10 (download Django 2.1.10 | 2.1.10 checksums)
Django 2.2.3 (download Django 2.2.3 | 2.2.3 checksums)
The PGP key ID used for this release is Mariusz Felisiak: 2EF56372BA48CD1B.
General notes regarding security reporting
As always, we ask that potential security issues be reported via private email to [email protected], and not via Django's Trac instance, Django's GitHub repositories, or the django-developers list. Please see our security policies for further information.
Posted almost 5 years ago by Carlton Gibson
In accordance with our security release policy, the Django team is issuing Django 1.11.21, Django 2.1.9, and Django 2.2.2. These releases address the security issues detailed below. We encourage all users of Django to upgrade as soon as possible.
CVE-2019-12308: AdminURLFieldWidget XSS
The clickable "Current URL" link generated by AdminURLFieldWidget displayed the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provided as a URL query parameter payload, could result in a clickable JavaScript link.
AdminURLFieldWidget now validates the provided value using URLValidator before displaying the clickable link. You may customise the validator by passing a validator_class kwarg to AdminURLFieldWidget.__init__(), e.g. when using ModelAdmin.formfield_overrides.
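Added example of the validate-before-linking pattern the fix introduces, written with the standard library only so it runs without Django installed; neither class is Django's own. SimpleURLValidator is a deliberately simpler stand-in for django.core.validators.URLValidator (same default scheme list, but only a scheme and host check), and LinkWidget stands in for AdminURLFieldWidget, including a validator_class argument in the spirit of the new kwarg. A value that fails validation is still shown, but only as escaped text, never as an href.

```python
"""Added example, not Django's code: render a stored value as a clickable link
only after it passes a URL validator, with the validator swappable per widget."""
from html import escape
from urllib.parse import urlsplit


class ValidationError(ValueError):
    """Raised by a validator for values that must not become links."""


class SimpleURLValidator:
    """Stand-in for URLValidator: accept only the default schemes and require a
    host part. Django's real validator applies a much stricter grammar."""

    schemes = ("http", "https", "ftp", "ftps")

    def __init__(self, schemes=None):
        if schemes is not None:
            self.schemes = tuple(schemes)

    def __call__(self, value):
        try:
            parts = urlsplit(value)
        except ValueError:  # e.g. malformed IPv6 literal in the host
            raise ValidationError("unparseable URL: %r" % value)
        if parts.scheme.lower() not in self.schemes or not parts.netloc:
            raise ValidationError("invalid URL: %r" % value)


class HTTPSOnlyValidator(SimpleURLValidator):
    """Example of a project-specific validator passed via validator_class."""

    schemes = ("https",)


class LinkWidget:
    """Stand-in for AdminURLFieldWidget's 'Current URL' rendering."""

    def __init__(self, validator_class=SimpleURLValidator):
        self.validator = validator_class()

    def render(self, value):
        # Escaping alone does not help here: a javascript: scheme survives
        # HTML escaping unchanged, so the scheme check is what matters.
        safe = escape(value, quote=True)
        try:
            self.validator(value)
        except ValidationError:
            # Unvalidated value (stored in the DB or supplied as a query
            # parameter): show it as plain text, never as a clickable link.
            return safe
        return '<a href="%s">%s</a>' % (safe, safe)


if __name__ == "__main__":
    # Constructed sample values, including one with a non-HTTP scheme.
    widget = LinkWidget()
    for value in ("https://example.com/path?a=1&b=2", "javascript:void(0)", "not a url"):
        print(widget.render(value))
    print(LinkWidget(validator_class=HTTPSOnlyValidator).render("http://example.com/"))
```

The distinction between the default widget and LinkWidget(validator_class=HTTPSOnlyValidator) shows why the kwarg exists: a site that only ever stores HTTPS links can tighten the check without subclassing the widget.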
Affected versions
Django master development branch
Django 2.2 before version 2.2.2
Django 2.1 before version 2.1.9
Django 1.11 before version 1.11.21
Patched bundled jQuery for CVE-2019-11358: Prototype pollution
jQuery before 3.4.0 mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
The bundled version of jQuery used by the Django admin has been patched to allow for the select2 library's use of jQuery.extend().
Affected versions
Django master development branch
Django 2.2 before version 2.2.2
Django 2.1 before version 2.1.9
Resolution
Patches to resolve these issues have been applied to Django's master branch and the 2.2, 2.1, and 1.11 release branches. The patches may be obtained from the following changesets:
On the master branch:
Admin XSS
jQuery prototype pollution
On the 2.2 release branch:
Admin XSS
jQuery prototype pollution
On the 2.1 release branch:
Admin XSS
jQuery prototype pollution
On the 1.11 release branch:
Admin XSS
The following releases have been issued:
Django 1.11.21 (download Django 1.11.21 | 1.11.21 checksums)
Django 2.1.9 (download Django 2.1.9 | 2.1.9 checksums)
Django 2.2.2 (download Django 2.2.2 | 2.2.2 checksums)
The PGP key ID used for these releases is Carlton Gibson: E17DF5C82B4F9D00.
General notes regarding security reporting
As always, we ask that potential security issues be reported via private email to [email protected], and not via Django's Trac instance or the django-developers list. Please see our security policies for further information.
Posted almost 5 years ago by The Django Security and Operations teams
Yesterday the Django Security and Operations teams were made aware of a remote code execution vulnerability in the Django Software Foundation's Jenkins infrastructure, used to run tests on the Django code base for GitHub pull requests and release branches. In this blog post, the teams want to outline the course of events.
Impact
The Django Security and Operations teams want to assure users that at no point was there any risk of malicious releases of Django being issued or uploaded to PyPI or the Django Project website. Official Django releases have always been issued manually by releasers. Neither was there any risk to any user data related to the Django Project website or the Django bug tracker.
Timeline
On May 14th, 2019 at 07:48 UTC the Django Security team was made aware by Ai Ho, through its HackerOne project, that Django's Continuous Integration service was susceptible to a remote code execution vulnerability, allowing unauthenticated users to execute arbitrary code.
At 08:01 UTC, the Django Security team acknowledged the report and took immediate steps to mitigate the issue by shutting down the primary Jenkins server. The Jenkins master server was shut down by 08:10 UTC.
At 08:45 UTC, the Operations team started provisioning a new server. In cases of a compromised server, it is almost always impractical to clean it up. Starting with a fresh, clean installation is a considerably better and safer approach.
At 14:59 UTC, the new Jenkins master server was up and running again, with some configuration left to do to get Jenkins jobs working again. About 10 minutes later, at 15:09 UTC, that was the case.
At 15:44 UTC, Jenkins started running tests against GitHub pull requests again.
At 16:00 UTC, the Operations team discussed the necessity of revoking various Let's Encrypt certificates or keys. However, since there was no indication that either the account or the certificate's private key was exposed, it was deemed sufficient to rely on the auto-expiration of the Let's Encrypt certificate. However, a new private key for the djangoci.com certificate was generated during the bootstrapping of the new Jenkins master server.
At 16:50 UTC, the Jenkins Windows nodes were working again and started to process jobs.
General notes regarding security reporting
As always, we ask that potential security issues be reported via private email to [email protected] or HackerOne, and not via Django's Trac instance or the django-developers list. Please see our security policies for further information.
Posted almost 5 years ago by Mariusz Felisiak
Today we've issued the 2.2.1 bugfix release.
The release package and checksums are available from our downloads page, as well as from the Python Package Index. The PGP key ID used for this release is Mariusz Felisiak: 2EF56372BA48CD1B.
Posted almost 5 years ago by Jacob Kaplan-Moss
Do you want to get paid to contribute to Django, while learning more about the framework and language? Great: I’m looking for an intern to implement a new feature here on djangoproject.com. You’ll do the work, you’ll get paid, and I’ll be there to support you.
The feature in question is the DSF membership app -- a tool to gather nominations, comment and vote on applicants, and track membership. You can read more about the app in the call for proposals. With my guidance, you’ll implement the feature yourself, learning about Django and the djangoproject.com site as you go. When you’re done, you’ll have helped streamline the DSF’s operations and leveled up technically.
To apply: fill out this form. Applications close May 10th at 4pm ET.
For more details, read on.
In this role, you will:
Learn how the djangoproject.com app works and familiarize yourself with the code.
Implement this new feature yourself, using Python/Django. I’ll provide guidance, review your pull requests, and implement small pieces myself if you get stuck and want help.
Work with me and the DSF Board to test, gather feedback, and iterate on the feature.
Meet with me weekly (or more frequently, if you like) to discuss the project, talk through feedback, ask questions, etc.
This is a role intended for someone fairly new to Django development. It’s suitable for most beginners with a bit of Django experience.
Required qualifications:
You should already know Python at an “advanced beginner” level -- e.g. have worked through a tutorial or book on the language, and successfully written some code before.
You should have written at least one Django site before (a small one is fine), or participated as part of a larger team developing one. If you have equivalent experience in a similar Python web framework (e.g. Flask), that’s OK too.
Priority will be given to applicants who have not contributed code to Django or a major third-party app before, and want to get involved in a more meaningful way.
This position is remote and is open to anyone anywhere in the world. (Though, you must be able to legally accept money from the United States to be paid.)
Timeline: We’ve budgeted for 4 weeks of work, at roughly 20-30 hours per week, with an extra 2 weeks if needed to incorporate feedback from the DSF. A longer timeline is fine if you need to fit a different schedule.
Payment: $5,000, with an additional $1,500 if the extra work is needed. This may be flexible: if you need more money to make this viable for you, please note that fact in the application. All the money will go to you; I’m volunteering my time.
To apply: fill out this form. Applications close May 10th at 4pm ET.
Qualified applicants should expect to complete a short coding exercise in Python (less than an hour), and to have an hour-long interview with me (questions will be provided ahead of time).
All applicants should expect to hear back by May 31st.
Posted about 5 years ago by Carlton Gibson
The Django team is happy to announce the release of Django 2.2.
This version has been designated as a long-term support (LTS) release, which means that security and data loss fixes will be applied for at least the next three years. It will also receive fixes for crashing bugs, major functionality bugs in newly-introduced features, and regressions from older versions of Django for the next eight months until December 2019.
As always, the release notes cover the salmagundi of new features in detail, but a few highlights are:
HttpRequest.headers to allow simple access to a request’s headers.
Database-level constraints on models.
Watchman compatibility for runserver to improve the performance of watching a large number of files for changes.
You can get Django 2.2 from our downloads page or from the Python Package Index. The PGP key ID used for this release is Carlton Gibson: E17DF5C82B4F9D00.
With the release of Django 2.2, Django 2.1 has reached the end of mainstream support. The final minor bug fix release, 2.1.8, was issued today. Django 2.1 will receive security and data loss fixes until December 2019. All users are encouraged to upgrade before then to continue receiving fixes for security issues.
See the downloads page for a table of supported versions and the future release schedule.
Posted about 5 years ago by Carlton Gibson
Today we've issued the 2.1.8 bugfix release.
The release package and checksums are available from our downloads page, as well as from the Python Package Index. The PGP key ID used for this release is Carlton Gibson: E17DF5C82B4F9D00.
Posted about 5 years ago by Rebecca Kindschi and Jeff Triplett
We are pleased to announce that the DjangoCon US 2019 conference will return to San Diego, California, from September 22-27, 2019!
September 22: Tutorials (Paid)
September 23-25: Talks
September 26-27: Sprints
We have a lot of amazing things planned that we’ll be announcing over the next few months. Until then, here’s what you can do to help!
Mark your calendars and help us spread the word!
Buy your tickets today. We sold out last year, so be sure to take advantage of our early bird prices!
Book your hotel room and sign up for a room share/ride share if you’re interested.
Start thinking about topics to submit when our Call for Proposals opens on April 1.
Follow us on @DjangoCon and @defnado on Twitter.
Sponsor the event!
Want to help by becoming an organizer?
Start working on those proposals, and we hope we’ll see you at DjangoCon US 2019!
Posted about 5 years ago by Frank Wiles
The Board of the Django Software Foundation is pleased to announce that the 2018 Malcolm Tredinnick Memorial Prize has been awarded to Kojo Idrissa.
Kojo has been active in the Django community since at least 2015, if not earlier. He's been a DjangoCon US organizer since 2016, former DEFNA board member, and current DEFNA North American Ambassador.
Kojo has hosted an orientation for first-time DjangoCon US attendees for the last several years, which could not be a better example of Malcolm's friendly spirit to new users.
Ken Whitesell, who nominated Kojo, also noted many of Kojo's other contributions:
Kojo is a very active member of the weekly CodeNewbie chats. Hosts the DjangoCon new-user orientation session. Very visible presence at DjangoCon, always seems to be focused on ensuring first time attendees have the best possible experience.
The other nominees this year were:
Anna Makarudze
Daniel Joey Darko
Humphrey Butau
Jani Tiainen
Jeff Triplett
Kenneth Love
Simon Charette
Every year we receive many nominations and it's always hard to pick the winner. In fact, some have been nominated in multiple years. Malcolm would be very proud of the legacy he has fostered in our community!
Congratulations Kojo on the well deserved honor!
Posted about 5 years ago by Carlton Gibson
Django 2.2 release candidate 1 is the final opportunity for you to try out the salmagundi of new features before Django 2.2 is released.
The release candidate stage marks the string freeze and the call for translators to submit translations. Provided no major bugs are discovered that can't be solved in the next two weeks, Django 2.2 will be released on or around April 1. Any delays will be communicated on the django-developers mailing list thread.
Please use this opportunity to help find and fix bugs (which should be reported to the issue tracker). You can grab a copy of the package from our downloads page or on PyPI.
The PGP key ID used for this release is Carlton Gibson: E17DF5C82B4F9D00.