
News

Posted almost 5 years ago by Mariusz Felisiak
In accordance with our security release policy, the Django team is issuing Django 1.11.22, Django 2.1.10, and Django 2.2.3. These releases address the security issues detailed below. We encourage all users of Django to upgrade as soon as possible.

CVE-2019-12781: Incorrect HTTP detection with reverse-proxy connecting via HTTPS

When deployed behind a reverse-proxy connecting to Django via HTTPS, django.http.HttpRequest.scheme would incorrectly detect client requests made via HTTP as using HTTPS. This entails incorrect results for is_secure(), and build_absolute_uri(), and that HTTP requests would not be redirected to HTTPS in accordance with SECURE_SSL_REDIRECT.

HttpRequest.scheme now respects SECURE_PROXY_SSL_HEADER, if it is configured, and the appropriate header is set on the request, for both HTTP and HTTPS requests.

If you deploy Django behind a reverse-proxy that forwards HTTP requests, and that connects to Django via HTTPS, be sure to verify that your application correctly handles code paths relying on scheme, is_secure(), build_absolute_uri(), and SECURE_SSL_REDIRECT.

Thanks Gavin Wahl for reporting this issue.

Affected supported versions

- Django master development branch
- Django 2.2 before version 2.2.3
- Django 2.1 before version 2.1.10
- Django 1.11 before version 1.11.22

Resolution

Patches to resolve the issue have been applied to Django's master branch and the 2.2, 2.1, and 1.11 release branches. The patches may be obtained from the following changesets:

- On the master branch
- On the 2.2 release branch
- On the 2.1 release branch
- On the 1.11 release branch

The following releases have been issued:

- Django 1.11.22 (download Django 1.11.22 | 1.11.22 checksums)
- Django 2.1.10 (download Django 2.1.10 | 2.1.10 checksums)
- Django 2.2.3 (download Django 2.2.3 | 2.2.3 checksums)

The PGP key ID used for this release is Mariusz Felisiak: 2EF56372BA48CD1B.

General notes regarding security reporting

As always, we ask that potential security issues be reported via private email to [email protected], and not via Django's Trac instance, Django's GitHub repositories, or the django-developers list. Please see our security policies for further information.
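The following is an added example, not Django's own code and not part of the advisory above. It models, in plain Python over a WSGI environ dict, the scheme resolution the patched releases are described as performing: when SECURE_PROXY_SSL_HEADER is configured and the header is present, the header decides, whatever transport the proxy used to reach Django; only when the header is absent or unconfigured does the transport scheme apply. The names PROXY_SSL_HEADER, resolve_scheme, legacy_scheme and ssl_redirect_needed are this example's own, and legacy_scheme is a reconstruction of the failure mode the advisory describes, not Django's actual pre-fix code.

```python
"""Model of proxy-aware scheme detection (added example; not Django's code)."""

# Shaped like Django's SECURE_PROXY_SSL_HEADER setting: the WSGI environ key of
# the header the trusted proxy sets, and the value that means "client used HTTPS".
# Assumed configuration for this example.
PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")


def resolve_scheme(environ, proxy_ssl_header=PROXY_SSL_HEADER):
    """Return "http" or "https" for a request described by a WSGI environ dict.

    Patched behaviour from the advisory: if a proxy header is configured *and*
    present on the request, the header decides for both HTTP and HTTPS requests.
    Only when no header is configured or sent does the transport scheme apply.
    """
    if proxy_ssl_header is not None:
        header_name, secure_value = proxy_ssl_header
        header_value = environ.get(header_name)
        if header_value is not None:
            return "https" if header_value == secure_value else "http"
    # Fall back to the scheme of the connection Django itself accepted.
    return environ.get("wsgi.url_scheme", "http")


def legacy_scheme(environ, proxy_ssl_header=PROXY_SSL_HEADER):
    """Reconstruction of the failure mode described in the advisory, for contrast.

    The header can only upgrade a request to HTTPS; a header saying the client
    used plain HTTP is ignored and the proxy-to-Django hop (HTTPS) wins.
    """
    if proxy_ssl_header is not None:
        header_name, secure_value = proxy_ssl_header
        if environ.get(header_name) == secure_value:
            return "https"
    return environ.get("wsgi.url_scheme", "http")


def ssl_redirect_needed(environ, secure_ssl_redirect=True):
    """Mirror the SECURE_SSL_REDIRECT decision: redirect anything not secure."""
    return secure_ssl_redirect and resolve_scheme(environ) != "https"


def deployment_check():
    """Walk the combinations the advisory asks deployers to verify.

    Returns {(transport, forwarded_proto): (patched_scheme, legacy_scheme)} so the
    mismatching case is easy to spot.  The inputs are constructed sample requests.
    """
    results = {}
    for transport in ("http", "https"):
        for forwarded in ("http", "https", None):
            environ = {"wsgi.url_scheme": transport}
            if forwarded is not None:
                environ["HTTP_X_FORWARDED_PROTO"] = forwarded
            results[(transport, forwarded)] = (
                resolve_scheme(environ),
                legacy_scheme(environ),
            )
    return results


if __name__ == "__main__":
    for (transport, forwarded), (patched, legacy) in deployment_check().items():
        flag = "  <-- differs" if patched != legacy else ""
        print(f"proxy->Django {transport:5}  X-Forwarded-Proto={forwarded!s:5}  "
              f"patched={patched:5} legacy={legacy:5}{flag}")
```

The case that matters is the HTTPS hop from the proxy combined with X-Forwarded-Proto: http. The legacy model reports it as secure, so SECURE_SSL_REDIRECT never fires and build_absolute_uri() produces https:// links for a client that is still on plain HTTP; the patched model reports http and triggers the redirect. Note that the header must only be trusted when the proxy strips any client-supplied copy of it, which is the standing caveat on SECURE_PROXY_SSL_HEADER regardless of this fix.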
Posted almost 5 years ago by Carlton Gibson
In accordance with our security release policy, the Django team is issuing Django 1.11.21, Django 2.1.9, and Django 2.2.2. These releases address the security issues detailed below. We encourage all users of Django to upgrade as soon as possible.

CVE-2019-12308: AdminURLFieldWidget XSS

The clickable "Current URL" link generated by AdminURLFieldWidget displayed the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provided as a URL query parameter payload, could result in a clickable JavaScript link.

AdminURLFieldWidget now validates the provided value using URLValidator before displaying the clickable link. You may customise the validator by passing a validator_class kwarg to AdminURLFieldWidget.__init__(), e.g. when using ModelAdmin.formfield_overrides.

Affected versions

- Django master development branch
- Django 2.2 before version 2.2.2
- Django 2.1 before version 2.1.9
- Django 1.11 before version 1.11.21

Patched bundled jQuery for CVE-2019-11358: Prototype pollution

jQuery before 3.4.0 mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype. The bundled version of jQuery used by the Django admin has been patched to allow for the select2 library's use of jQuery.extend().

Affected versions

- Django master development branch
- Django 2.2 before version 2.2.2
- Django 2.1 before version 2.1.9

Resolution

Patches to resolve these issues have been applied to Django's master branch and the 2.2, 2.1, and 1.11 release branches. The patches may be obtained from the following changesets:

- On the master branch: Admin XSS, jQuery prototype pollution
- On the 2.2 release branch: Admin XSS, jQuery prototype pollution
- On the 2.1 release branch: Admin XSS, jQuery prototype pollution
- On the 1.11 release branch: Admin XSS

The following releases have been issued:

- Django 1.11.21 (download Django 1.11.21 | 1.11.21 checksums)
- Django 2.1.9 (download Django 2.1.9 | 2.1.9 checksums)
- Django 2.2.2 (download Django 2.2.2 | 2.2.2 checksums)

The PGP key ID used for these releases is Carlton Gibson: E17DF5C82B4F9D00.

General notes regarding security reporting

As always, we ask that potential security issues be reported via private email to [email protected], and not via Django's Trac instance or the django-developers list. Please see our security policies for further information.
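As an added example (not Django's code and not part of the advisory above), the following shows the shape of the AdminURLFieldWidget fix: a "Current URL" hint that validates a stored value before it is ever emitted as an href, and otherwise shows it as escaped text only. The names SAFE_URL_SCHEMES, is_safe_url and render_current_url_link are this example's own, and is_safe_url is a deliberately small scheme-and-host allowlist built on urllib.parse, standing in for Django's URLValidator rather than reproducing it.

```python
"""Validate-before-link rendering for a stored URL (added example; not Django's code)."""
import html
from urllib.parse import urlsplit

# Default scheme set accepted by Django's URLValidator; used here as the allowlist.
SAFE_URL_SCHEMES = frozenset({"http", "https", "ftp", "ftps"})


def is_safe_url(value):
    """Accept only absolute URLs with an allowlisted scheme and a host part.

    Everything else (empty, scheme-relative, javascript:, data:, malformed)
    is rejected.  This is a stand-in for URLValidator, not the validator itself.
    """
    if not isinstance(value, str) or not value.strip():
        return False
    try:
        parts = urlsplit(value.strip())
    except ValueError:  # e.g. an unbalanced IPv6 bracket
        return False
    return parts.scheme.lower() in SAFE_URL_SCHEMES and bool(parts.netloc)


def render_current_url_link(value):
    """Return HTML for the widget's "Currently:" hint.

    The value is always HTML-escaped.  Only a value that passes validation becomes
    a clickable anchor; anything else is rendered as inert text, so a stored or
    query-supplied non-URL can never reach an href attribute.
    """
    escaped = html.escape(value, quote=True)
    if is_safe_url(value):
        return '<p class="url">Currently: <a href="%s">%s</a></p>' % (escaped, escaped)
    return '<p class="url">Currently: %s</p>' % escaped


def render_many(values):
    """Render a list of constructed sample values; handy for eyeballing the output."""
    return [render_current_url_link(v) for v in values]


if __name__ == "__main__":
    # Constructed sample inputs, not data from any real deployment.
    samples = [
        "https://example.com/a?b=1&c=2",   # valid: becomes a link, & is escaped
        "HTTPS://Example.com/",            # valid: scheme check is case-insensitive
        "//example.com/",                  # rejected: no scheme
        "http:relative/path",              # rejected: no host
        "javascript:void(0)",              # rejected: disallowed scheme, text only
        '" onmouseover="x',                # rejected and escaped, quotes neutralised
    ]
    for line in render_many(samples):
        print(line)
```

The design point is that escaping alone is not enough here: a value like javascript:void(0) survives html.escape unchanged, so if it were placed in an href it would still be a script link. Validation decides whether a link is rendered at all; escaping then protects the text and attribute contexts for the values that do get through.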
Posted almost 5 years ago by The Django Security and Operations teams
Yesterday the Django Security and Operations teams were made aware of a remote code execution vulnerability in the Django Software Foundation's Jenkins infrastructure, used to run tests on the Django code base for GitHub pull requests and release branches. In this blog post, the teams want to outline the course of events.

Impact

The Django Security and Operations teams want to assure that at no point was there any risk about issuing or uploading malicious releases of Django to PyPI or the Django Project website. Official Django releases have always been issued manually by releasers. Neither was there any risk to any user data related to the Django Project website or the Django bug tracker.

Timeline

On May 14th, 2019 at 07:48 UTC the Django Security team was made aware by Ai Ho through its HackerOne project that Django's Continuous Integration service was susceptible to a remote code execution vulnerability, allowing unauthenticated users to execute arbitrary code.

At 08:01 UTC, the Django Security team acknowledged the report and took immediate steps to mitigate the issue by shutting down the primary Jenkins server. The Jenkins master server was shut down by 08:10 UTC.

At 08:45 UTC, the Operations team started provisioning a new server. In cases of a compromised server, it is almost always impractical to clean it up. Starting with a fresh, clean installation is a considerably better and safer approach.

At 14:59 UTC, the new Jenkins master server was up and running again, with some configuration left to do to get Jenkins jobs working again. About 10 minutes later, at 15:09 UTC, that was the case.

At 15:44 UTC, Jenkins started running tests against GitHub pull requests again.

At 16:00 UTC, the Operations team discussed the necessity of revoking various Let's Encrypt certificates or keys. However, since there was no indication that either the account or the certificate's private key was exposed, it was deemed sufficient to rely on the auto-expiration of the Let's Encrypt certificate. However, a new private key for the djangoci.com certificate was generated during the bootstrapping of the new Jenkins master server.

At 16:50 UTC, the Jenkins Windows nodes were working again and started to process jobs.

General notes regarding security reporting

As always, we ask that potential security issues be reported via private email to [email protected] or HackerOne, and not via Django's Trac instance or the django-developers list. Please see our security policies for further information.
Posted almost 5 years ago by Mariusz Felisiak
Today we've issued the 2.2.1 bugfix release. The release package and checksums are available from our downloads page, as well as from the Python Package Index. The PGP key ID used for this release is Mariusz Felisiak: 2EF56372BA48CD1B.
Posted almost 5 years ago by Jacob Kaplan-Moss
Do you want to get paid to contribute to Django, while learning more about the framework and language? Great: I’m looking for an intern to implement a new feature here on djangoproject.com. You’ll do the work, you’ll get paid, and I’ll be there to support you.

The feature in question is the DSF membership app -- a tool to gather nominations, comment and vote on applicants, and track membership. You can read more about the app in the call for proposals. With my guidance, you’ll implement the feature yourself, learning about Django and the djangoproject.com site as you go. When you’re done, you’ll have helped streamline the DSF’s operations and leveled up technically.

To apply: fill out this form. Applications close May 10th at 4pm ET. For more details, read on.

In this role, you will:

- Learn how the djangoproject.com app works and familiarize yourself with the code.
- Implement this new feature yourself, using Python/Django. I’ll provide guidance, review your pull requests, and implement small pieces myself if you get stuck and want help.
- Work with me and the DSF Board to test, gather feedback, and iterate on the feature.
- Meet with me weekly (or more frequently, if you like) to discuss the project, talk through feedback, ask questions, etc.

This is a role intended for someone fairly new to Django development. It’s suitable for most beginners with a bit of Django experience.

Required qualifications:

- You should already know Python at an “advanced beginner” level -- e.g. have worked through a tutorial or book on the language, and successfully written some code before.
- You should have written at least one Django site before (a small one is fine), or participated as part of a larger team developing one. If you have equivalent experience in a similar Python web framework (e.g. Flask), that’s OK too.
- Priority will be given to applicants who have not contributed code to Django or a major third-party app before, and want to get involved in a more meaningful way.

This position is remote and is open to anyone anywhere in the world. (Though, you must be able to legally accept money from the United States to be paid.)

Timeline: We’ve budgeted for 4 weeks of work, at roughly 20-30 hours per week, with an extra 2 weeks if needed to incorporate feedback from the DSF. A longer timeline is fine if you need to fit a different schedule.

Payment: $5,000, with an additional $1,500 if the extra work is needed. This may be flexible: if you need more money to make this viable for you, please note that fact in the application. All the money will go to you; I’m volunteering my time.

To apply: fill out this form. Applications close May 10th at 4pm ET. Qualified applicants should expect to complete a short coding exercise in Python (less than an hour), and to have an hour-long interview with me (questions will be provided ahead of time). All applicants should expect to hear back by May 31st.
Posted about 5 years ago by Carlton Gibson
The Django team is happy to announce the release of Django 2.2. This version has been designated as a long-term support (LTS) release, which means that security and data loss fixes will be applied for at least the next three years. It will also receive fixes for crashing bugs, major functionality bugs in newly-introduced features, and regressions from older versions of Django for the next eight months until December 2019.

As always, the release notes cover the salmagundi of new features in detail, but a few highlights are:

- HttpRequest.headers to allow simple access to a request’s headers.
- Database-level constraints on models.
- Watchman compatibility for runserver to improve the performance of watching a large number of files for changes.

You can get Django 2.2 from our downloads page or from the Python Package Index. The PGP key ID used for this release is Carlton Gibson: E17DF5C82B4F9D00.

With the release of Django 2.2, Django 2.1 has reached the end of mainstream support. The final minor bug fix release, 2.1.8, was issued today. Django 2.1 will receive security and data loss fixes until December 2019. All users are encouraged to upgrade before then to continue receiving fixes for security issues. See the downloads page for a table of supported versions and the future release schedule.
Posted about 5 years ago by Carlton Gibson
Today we've issued the 2.1.8 bugfix release. The release package and checksums are available from our downloads page, as well as from the Python Package Index. The PGP key ID used for this release is Carlton Gibson: E17DF5C82B4F9D00.
Posted about 5 years ago by Rebecca Kindschi and Jeff Triplett
We are pleased to announce that the DjangoCon US 2019 conference will return to San Diego, California, from September 22-27, 2019!

- September 22: Tutorials (Paid)
- September 23-25: Talks
- September 26-27: Sprints

We have a lot of amazing things planned that we’ll be announcing over the next few months. Until then, here’s what you can do to help!

- Mark your calendars and help us spread the word!
- Buy your tickets today. We sold out last year, so be sure to take advantage of our early bird prices!
- Book your hotel room and sign up for a room share/ride share if you’re interested.
- Start thinking about topics to submit when our Call for Proposals opens on April 1.
- Follow us on @DjangoCon and @defnado on Twitter.
- Sponsor the event!
- Want to help by becoming an organizer?

Start working on those proposals, and we hope we’ll see you at DjangoCon US 2019!
Posted about 5 years ago by Frank Wiles
The Board of the Django Software Foundation is pleased to announce that the 2018 Malcolm Tredinnick Memorial Prize has been awarded to Kojo Idrissa.

Kojo has been active in the Django community since at least 2015, if not earlier. He's been a DjangoCon US organizer since 2016, former DEFNA board member, and current DEFNA North American Ambassador. Kojo has hosted an orientation for first-time DjangoCon US attendees for the last several years, which could not be a better example of Malcolm's friendly spirit to new users.

Ken Whitesell, who nominated Kojo, also noted many of Kojo's other contributions:

- Kojo is a very active member of the weekly CodeNewbie chats.
- Hosts the DjangoCon new-user orientation session.
- Very visible presence at DjangoCon, always seems to be focused on ensuring first time attendees have the best possible experience.

The other nominees this year were:

- Anna Makarudze
- Daniel Joey Darko
- Humphrey Butau
- Jani Tiainen
- Jeff Triplett
- Kenneth Love
- Simon Charette

Every year we receive many nominations and it's always hard to pick the winner. In fact, some have been nominated in multiple years. Malcolm would be very proud of the legacy he has fostered in our community!

Congratulations Kojo on the well-deserved honor!
Posted about 5 years ago by Carlton Gibson
Django 2.2 release candidate 1 is the final opportunity for you to try out the salmagundi of new features before Django 2.2 is released.

The release candidate stage marks the string freeze and the call for translators to submit translations. Provided no major bugs are discovered that can't be solved in the next two weeks, Django 2.2 will be released on or around April 1. Any delays will be communicated on the django-developers mailing list thread.

Please use this opportunity to help find and fix bugs (which should be reported to the issue tracker). You can grab a copy of the package from our downloads page or on PyPI.

The PGP key ID used for this release is Carlton Gibson: E17DF5C82B4F9D00.