News

Posted almost 6 years ago by Daniele Procida
On behalf of everyone who benefits from the Django Project, the DSF would like to thank the organisers of DjangoCon Europe 2018 for the outstanding efforts they made to ensure that the event was a success for the whole community. The organising team, and above all Raphael Michel and Tobias Kunze, who led the event every step of the way from the moment it was first proposed a year ago, gave us a DjangoCon that could not have been bettered. It's important to remember that all the organisers were unpaid volunteers, who gave their time and energy freely and with generosity. During the event they were assisted by other volunteers, who performed a valuable role taking care of conference necessities such as networking and video recording. As we have now come to expect from a DjangoCon Europe, the venue was an ideal setting (the beautiful Stadthalle on the Neckar), the catering and hospitality were of a very high standard and the conference programme met every requirement for a keystone event. We're especially grateful for the unstinting and thoughtful care that was put into all the small details of the conference, and which helped guarantee it was going to be a DjangoCon that everyone could remember for the right reasons. We are proud to have our community represented by events of this kind.

The next DjangoCons in Europe

The DSF Board is considering bids for DjangoCon Europe 2019-2020. If you're interested in hosting the event in one of these years, we'd like to hear from you as soon as possible.
Posted almost 6 years ago by Carlton Gibson
Today we've issued the 2.0.6 bugfix release. The release package and checksums are available from our downloads page, as well as from the Python Package Index. The PGP key ID used for this release is Carlton Gibson: E17DF5C82B4F9D00.
Posted almost 6 years ago by Tim Graham
Django 2.1 alpha 1 is now available. It represents the first stage in the 2.1 release cycle and is an opportunity for you to try out the changes coming in Django 2.1. Django 2.1 has a smorgasbord of new features which you can read about in the in-development 2.1 release notes. This alpha milestone marks the feature freeze. The current release schedule calls for a beta release in about a month and a release candidate about a month from then. We'll only be able to keep this schedule if we get early and often testing from the community. Updates on the release schedule are available on the django-developers mailing list. As with all alpha and beta packages, this is not for production use. But if you'd like to take some of the new features for a spin, or to help find and fix bugs (which should be reported to the issue tracker), you can grab a copy of the alpha package from our downloads page or on PyPI. The PGP key ID used for this release is Tim Graham: 1E8ABDC773EDE252.
Posted almost 6 years ago by Daniele Procida
Each year, a new volunteer team in the European Django community plans, organises and hosts a DjangoCon Europe. Hosting a DjangoCon is an ambitious undertaking. It's hard work, but each year it has been successfully run by a team of community volunteers, not all of whom have had previous experience - more important is enthusiasm, organisational skills, the ability to plan and manage budgets, time and people - and plenty of time to invest in the project. You'll find plenty of support on offer from previous DjangoCon organisers, so you won't be on your own.

How to apply

If you're interested, we'd love to hear from you.

If you're ready to submit a proposal

If you're ready to submit a proposal, please do so. The more detailed and complete your proposal, the better. Things you should consider, and that we'd like to know about, are: dates, numbers of attendees, venue(s), accommodation, transport links, budgets and ticket prices, committee members.

We'd like to see (if you have these already): timelines, pictures, prices, draft agreements with providers, alternatives you have considered.

They will all help show that your plans are serious and thorough, and that you have the organisational capacity to make it a success. Find out and tell us more.

If you're thinking about it

If you're still considering the feasibility, don't hesitate to get in touch with us to discuss your ideas. We can help in numerous ways, including by putting you in touch with others who'd like to be involved. Just drop us a line.
Posted almost 6 years ago by Lacey Williams Henschel, Rebecca Kindschi, and Jeff Triplett
In case you missed the news, DjangoCon US 2018 will take place in sunny San Diego, California, from October 14-19, 2018! We’re pleased to announce the following items.

Early Bird Tickets On Sale

Early bird tickets are on sale now! You can also pre-register for tutorials and register for (free!) sprints. If you need to buy several tickets and assign them to your employees later, check out the Corporate Concierge Service. Early bird tickets are gone when they’re gone, so don’t wait to get yours.

Call for Proposals (CFP)

Our CFP for talks and tutorials is now open! The deadline for submissions is June 3, 2018. We’re looking for speakers of all experience levels and backgrounds. Talk and tutorial presenters also receive free admission to DjangoCon US.

Financial Aid Application

Grants to assist with travel and lodging expenses are available as well. Our Financial Aid application is also now open. The deadline is June 3, 2018.

You can still sponsor!

We have some great sponsorship opportunities available and plenty of room for your organization. Take a look at our sponsorship opportunities or email us at [email protected] so we can craft a special package for you. See you in San Diego!
Posted almost 6 years ago by Tim Graham
Today we've issued the 2.0.5 and 1.11.13 bugfix releases. The release package and checksums are available from our downloads page, as well as from the Python Package Index. The PGP key ID used for this release is Tim Graham: 1E8ABDC773EDE252.
Posted about 6 years ago by Tim Graham
Today we've issued the 2.0.4 and 1.11.12 bugfix releases. The release package and checksums are available from our downloads page, as well as from the Python Package Index. The PGP key ID used for this release is Tim Graham: 1E8ABDC773EDE252.
Posted about 6 years ago by Tim Graham
In accordance with our security release policy, the Django team is issuing Django 1.8.19, Django 1.11.11 and Django 2.0.3. These releases address the security issues detailed below. We encourage all users of Django to upgrade as soon as possible.

CVE-2018-7536: Denial-of-service possibility in urlize and urlizetrunc template filters

The django.utils.html.urlize() function was extremely slow to evaluate certain inputs due to catastrophic backtracking vulnerabilities in two regular expressions (one regular expression for Django 1.8). The urlize() function is used to implement the urlize and urlizetrunc template filters, which were thus vulnerable. Thanks James Davis for reporting this issue.

CVE-2018-7537: Denial-of-service possibility in truncatechars_html and truncatewords_html template filters

If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable. Thanks James Davis for reporting this issue.

Affected supported versions

Django master branch
Django 2.0
Django 1.11
Django 1.8

Per our supported versions policy, Django 1.10, 1.9, and Django 1.7 and older are no longer supported.

Resolution

Patches to resolve the issue have been applied to Django's master branch and the 2.0, 1.11, and 1.8 release branches. The patches may be obtained from the following changesets:

On the development master branch: urlize, truncate
On the 2.0 release branch: urlize, truncate
On the 1.11 release branch: urlize, truncate
On the 1.8 release branch: urlize, truncate

The following releases have been issued:

Django 1.8.19 (download Django 1.8.19 | 1.8.19 checksums)
Django 1.11.11 (download Django 1.11.11 | 1.11.11 checksums)
Django 2.0.3 (download Django 2.0.3 | 2.0.3 checksums)

The PGP key ID used for these releases is Tim Graham: 1E8ABDC773EDE252.

General notes regarding security reporting

As always, we ask that potential security issues be reported via private email to [email protected], and not via Django's Trac instance or the django-developers list. Please see our security policies for further information.
Posted about 6 years ago by Tim Graham
In accordance with our security release policy, the Django team is issuing Django 1.11.10 and Django 2.0.2. These releases address the security issue detailed below. We encourage all users of Django to upgrade as soon as possible.

CVE-2018-6188: Information leakage in AuthenticationForm

A regression in Django 1.11.8 made django.contrib.auth.forms.AuthenticationForm run its confirm_login_allowed() method even if an incorrect password is entered. This can leak information about a user, depending on what messages confirm_login_allowed() raises. If confirm_login_allowed() isn't overridden, an attacker can enter an arbitrary username and see if that user has been set to is_active=False. If confirm_login_allowed() is overridden, more sensitive details could be leaked. Thanks Jack Cushman for reporting this issue.

Affected supported versions

Django master branch
Django 2.0 and 2.0.1
Django 1.11.8 and 1.11.9

Per our supported versions policy, Django 1.10 and 1.9 are no longer supported (but aren't affected). Django 1.8 LTS (for which security support ends on April 1) is unaffected.

Resolution

Patches to resolve the issue have been applied to Django's master branch and the 2.0 and 1.11 release branches. The patches may be obtained from the following changesets:

On the master branch
On the 2.0 release branch
On the 1.11 release branch

The following releases have been issued:

Django 1.11.10 (download Django 1.11.10 | 1.11.10 checksums)
Django 2.0.2 (download Django 2.0.2 | 2.0.2 checksums)

The PGP key ID used for these releases is Tim Graham: 1E8ABDC773EDE252.

General notes regarding security reporting

As always, we ask that potential security issues be reported via private email to [email protected], and not via Django's Trac instance or the django-developers list. Please see our security policies for further information.
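
The ordering problem described in the CVE-2018-6188 advisory above, as an added stand-alone model with a regression check; this is not Django's code or part of the original post. The user store, error strings, and every function other than the name confirm_login_allowed are constructed for illustration.

```python
# Constructed model of the login check; not Django's implementation.
INVALID_LOGIN = "Please enter a correct username and password."  # constructed text
INACTIVE = "This account is inactive."                           # constructed text
# Constructed user store: username -> (password, is_active)
USERS = {"alice": ("correct-horse", True), "bob": ("battery-staple", False)}

class ValidationError(Exception):
    """Stand-in for the form validation error shown to the client."""

def authenticate(username, password):
    """Hypothetical backend: succeeds only for a correct password on an active account."""
    record = USERS.get(username)
    if record and record[0] == password and record[1]:
        return username
    return None

def confirm_login_allowed(username):
    """Policy hook; by default it rejects accounts with is_active=False."""
    if not USERS[username][1]:
        raise ValidationError(INACTIVE)

def clean_regressed(username, password):
    user = authenticate(username, password)
    if user is None:
        # Regression: the hook runs for a known username although the password failed.
        if username in USERS:
            confirm_login_allowed(username)
        raise ValidationError(INVALID_LOGIN)
    confirm_login_allowed(user)
    return user

def clean_fixed(username, password):
    user = authenticate(username, password)
    if user is None:
        # Fixed: one generic error; the hook is never reached without valid credentials.
        raise ValidationError(INVALID_LOGIN)
    confirm_login_allowed(user)
    return user

def wrong_password_messages(clean):
    """Distinct errors returned for wrong-password attempts; more than one is a leak."""
    seen = set()
    for username in ("alice", "bob", "nobody"):
        try:
            clean(username, "wrong-password")
        except ValidationError as exc:
            seen.add(str(exc))
    return seen
```

The same uniform-error assertion is worth keeping in a project's test suite for any overridden confirm_login_allowed(), since custom messages are where the advisory says more sensitive details could leak.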
Posted over 6 years ago by Daniele Procida
The Board of the Django Software Foundation is pleased to announce that the 2017 Malcolm Tredinnick Memorial Prize has been awarded to Claude Paroz. Claude has been a contributor to Django since 2012. He was selected for the prize by the board from amongst the nominees on the basis of his long-term, consistent contribution. Claude has given service to Django through code and also by enabling others to contribute effectively. His work represents a less-visible but essential aspect of contribution to Django. It's not the kind of work that will be publicly applauded at a conference, or stand out as news, but it's of enormous importance to the project. Claude is owed a debt of thanks for it.

Tim Graham wrote in his nomination:

I nominate Claude Paroz for five years of tireless and unheralded contributions to Django, including shepherding the GeoDjango project and serving as the Django translations manager. He's the primary answering authority on the geodjango and django-i18n mailing lists. While his contributing began in 2012, Claude is the most active volunteer contributor based on number of commits since 2008. He regularly offers his expertise by triaging tickets and reviewing pull requests. If I ask Claude for some advice in an area of Django in which I'm less versed, his responses are quick, respectful, and helpful.

Several other people were also nominated for this prize. The Malcolm Tredinnick prize could once again have deservedly been awarded several times over. It is an enduring pleasure to observe that there is no shortage of members of our community who, like Claude, exemplify the spirit of generosity and support that the prize celebrates.

The other nominees were:

Ifunanya Ikemma, for her work teaching and encouraging women into programming, through PyLadies and Django Girls in Nigeria
Katie McLaughlin, for her work in open source projects as a contributor and mentor
Melanie Crutchfield, for her work with PyLadies and Django Girls
Jeff Triplett, for his huge contribution to the running of DjangoCon US, and the consistently warm, supportive attitude he brings to this and to his other work in the world of Django
Veronica Munro, for her work organising Django Girls events in Australia
Lacey Williams Henschel, for her work in DjangoCon US (including her magnificent work as the 2017 conference chair), and helping to build the Django community in the US
Tim Graham, for being an ever-responsive and valuable point of technical contact for Django.

Many congratulations to Claude, and our sincere thanks to all the nominees for their continued work in Django. Thanks are also due to all who took the trouble to nominate someone.