News

Posted 3 months ago by Markus Holtermann
Today, Florian Apolloner, a member of the Django security team, discovered and fixed a critical security issue in the new PasswordResetConfirmView that was added to the Django master branch on July 16th, 2016. The view didn't validate the password reset token on POST requests and therefore allowed anyone to reset passwords for any user. This issue doesn't affect any released versions of Django. Per our security policy, security issues in master, but not present in any released version, are disclosed and fixed in public without pre-notification. The issue demonstrates the complexity of class-based generic views, and the Django team advises caution when using them for security-sensitive functionality. We'll consider removing the class-based authentication views that are in the master branch, planned for Django 1.11. The discussion for this will take place publicly on the django-developers mailing list.
Posted 4 months ago by Tim Graham
In accordance with our security release policy, the Django team released Django 1.10.3, Django 1.9.11, and 1.8.16. These releases address two security issues detailed below. We encourage all users of Django to upgrade as soon as possible.

CVE-2016-9013: User with hardcoded password created when running tests on Oracle

When running tests with an Oracle database, Django creates a temporary database user. In older versions, if a password isn't manually specified in the database settings TEST dictionary, a hardcoded password is used. This could allow an attacker with network access to the database server to connect. This user is usually dropped after the test suite completes, but not when using the manage.py test --keepdb option or if the user has an active session (such as an attacker's connection). A randomly generated password is now used for each test run. Thanks Marti Raudsepp for reporting the issue.

CVE-2016-9014: DNS rebinding vulnerability when DEBUG=True

Older versions of Django don't validate the Host header against settings.ALLOWED_HOSTS when settings.DEBUG=True. This makes them vulnerable to a DNS rebinding attack. While Django doesn't ship a module that allows remote code execution, this is at least a cross-site scripting vector, which could be quite serious if developers load a copy of the production database in development or connect to some production services for which there's no development instance, for example. If a project uses a package like the django-debug-toolbar, then the attacker could execute arbitrary SQL, which could be especially bad if the developers connect to the database with a superuser account. settings.ALLOWED_HOSTS is now validated regardless of DEBUG. For convenience, if ALLOWED_HOSTS is empty and DEBUG=True, the following variations of localhost are allowed: ['localhost', '127.0.0.1', '::1']. If your local settings file has your production ALLOWED_HOSTS value, you must now omit it to get those fallback values. Thanks Aymeric Augustin for reporting the issue.

Security Advisory: Social media fingerprinting

Along with the above security issues, we want to inform you about a "social media fingerprinting" information leakage technique that was recently disclosed. If you enable redirect_authenticated_user on the login views, other websites will be able to determine if their visitors are authenticated on your site by requesting redirect URLs to image files on your website. To avoid this, host all images and your favicon on a separate domain that is not part of the ALLOWED_HOSTS.

Affected supported versions

Django master development branch
Django 1.10
Django 1.9
Django 1.8

Per our supported versions policy, Django 1.7 and older are no longer receiving security updates.

Resolution

Patches to resolve the issues have been applied to Django's master development branch and the 1.10, 1.9, and 1.8 release branches. The patches may be obtained from the following commits:

Master: CVE-2016-9013, CVE-2016-9014
1.10.x: CVE-2016-9013, CVE-2016-9014
1.9.x: CVE-2016-9013, CVE-2016-9014
1.8.x: CVE-2016-9013, CVE-2016-9014

The following new releases have been issued:

Django 1.10.3 (download Django 1.10.3 | 1.10.3 checksums)
Django 1.9.11 (download Django 1.9.11 | 1.9.11 checksums)
Django 1.8.16 (download Django 1.8.16 | 1.8.16 checksums)

The PGP key ID used for these releases is Tim Graham: 1E8ABDC773EDE252.

General notes regarding security reporting

As always, we ask that potential security issues be reported via private email to security@djangoproject.com, and not via Django's Trac instance or the django-developers list. Please see our security policies for further information.
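The CVE-2016-9014 fix above comes down to one rule: the Host header is checked against ALLOWED_HOSTS on every request, with a localhost-only fallback when ALLOWED_HOSTS is empty and DEBUG=True. The following is an added, simplified reimplementation of that rule for readers who want to see the decision in code; it is not Django's own validate_host, and the function names (split_domain_port, host_matches, host_allowed, host_allowed_pre_fix) and the pattern rules it assumes ('*' matches everything, a leading-dot pattern matches the domain and its subdomains, anything else is an exact case-insensitive match) are assumptions modelled on Django's documented ALLOWED_HOSTS semantics.

```python
import re

# Fallback hosts the advisory says are allowed when ALLOWED_HOSTS is empty
# and DEBUG=True (values taken from the advisory text).
DEBUG_FALLBACK_HOSTS = ["localhost", "127.0.0.1", "::1"]

# Host header grammar accepted here: a domain or a bracketed IPv6 literal,
# optionally followed by ":port". Anything else is treated as malformed.
_HOST_RE = re.compile(r"^(\[[0-9a-fA-F:.]+\]|[a-zA-Z0-9.\-]+)(?::(\d+))?$")


def split_domain_port(host):
    """Return (domain, port) for a Host header value, or ("", "") if it is
    malformed. IPv6 brackets are dropped, the domain is lower-cased and a
    trailing dot is removed so that 'example.com.' equals 'example.com'."""
    m = _HOST_RE.match(host.strip())
    if not m:
        return "", ""
    domain, port = m.group(1), m.group(2) or ""
    if domain.startswith("["):
        domain = domain[1:-1]
    return domain.lower().rstrip("."), port


def host_matches(domain, pattern):
    """Match one already-normalised domain against one ALLOWED_HOSTS entry."""
    pattern = pattern.lower()
    if pattern == "*":
        return True
    if pattern.startswith("."):
        # '.example.com' allows example.com itself and any subdomain of it.
        return domain == pattern[1:] or domain.endswith(pattern)
    return domain == pattern


def host_allowed(host_header, allowed_hosts, debug):
    """Post-fix behaviour: ALLOWED_HOSTS is consulted regardless of DEBUG.
    Only when the list is empty *and* DEBUG is on do the localhost
    fallbacks apply, so a rebinding name like evil.example.net is rejected
    even on a development server."""
    domain, _port = split_domain_port(host_header)
    if not domain:
        return False
    if not allowed_hosts and debug:
        allowed_hosts = DEBUG_FALLBACK_HOSTS
    return any(host_matches(domain, p) for p in allowed_hosts)


def host_allowed_pre_fix(host_header, allowed_hosts, debug):
    """The older behaviour the advisory describes, kept here for contrast:
    with DEBUG=True the ALLOWED_HOSTS check was skipped entirely, which is
    what let a rebound DNS name reach a developer's server."""
    domain, _port = split_domain_port(host_header)
    if not domain:
        return False
    if debug:
        return True
    return any(host_matches(domain, p) for p in allowed_hosts)


if __name__ == "__main__":
    # Constructed sample Host values, not captured traffic.
    for host in ["localhost:8000", "[::1]:8000", "evil.example.net"]:
        print(host, "old:", host_allowed_pre_fix(host, [], True),
              "new:", host_allowed(host, [], True))
```

With an empty ALLOWED_HOSTS and DEBUG=True, the old rule accepts every name while the new one accepts only the three localhost forms; with DEBUG=False an empty list rejects everything, which is why the advisory tells you to drop the production ALLOWED_HOSTS value from a local settings file rather than leave it in place.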
Posted 5 months ago by Frank Wiles
I'm happy to report that the JetBrains/PyCharm promotion we ran in June and July was a rousing success! The final numbers are in and this raised a total of $50,000.00 USD for the Django Software Foundation! JetBrains has been a great partner with us on this and on behalf of the community, I would like to extend our deepest thanks for their generous help in raising this money. Together we hope to make this a yearly event! These monies will be used in general to support the DSF, the Django Fellow, and a portion will be used to fund the support for type hints in a future release of Django. This goes a long way to helping the DSF fulfill its mission, but we have not quite reached our stretch goals for the year. Please consider helping to fund Django today.
Posted 5 months ago by Tim Graham
Today we've issued the 1.10.2 bugfix release. The release package and checksums are available from our downloads page, as well as from the Python Package Index. The PGP key ID used for this release is Tim Graham: 1E8ABDC773EDE252.
Posted 5 months ago by Tim Graham
In accordance with our security release policy, the Django team is issuing Django 1.9.10 and 1.8.15. These releases address a security issue detailed below. We encourage all users of Django to upgrade as soon as possible.

CVE-2016-7401: CSRF protection bypass on a site with Google Analytics

An interaction between Google Analytics and Django's cookie parsing could allow an attacker to set arbitrary cookies leading to a bypass of CSRF protection. Thanks Sergey Bobrov for reporting the issue.

Affected supported versions

Django 1.9
Django 1.8

Django 1.10 and the master development branch are not affected. Per our supported versions policy, Django 1.7 and older are no longer receiving security updates.

Resolution

Patches to resolve the issue have been applied to Django's 1.9 and 1.8 release branches. The patches may be obtained from the following changesets:

On the 1.9 release branch
On the 1.8 release branch

The following new releases have been issued:

Django 1.9.10 (download Django 1.9.10 | 1.9.10 checksums)
Django 1.8.15 (download Django 1.8.15 | 1.8.15 checksums)

The PGP key ID used for these releases is Tim Graham: 1E8ABDC773EDE252.

General notes regarding security reporting

As always, we ask that potential security issues be reported via private email to security@djangoproject.com, and not via Django's Trac instance or the django-developers list. Please see our security policies for further information.
Posted 6 months ago by Andrew Godwin
The Django team is pleased to announce that the Channels project is now officially part of the Django project, under our new Official Projects program. Channels is the effort to bring WebSockets, long-poll HTTP, and other non-request-response protocol and business logic handling to Django, as part of our ongoing effort to establish what makes a useful web framework in 2016. Official projects, like Channels, do not merge into the core django repository but instead remain as separate repositories and packages, living under the Django organization on GitHub. They have their own release schedule and backwards compatibility policies, but fall under the main Django security policy and oversight, and are guaranteed to work with the currently supported versions of Django. While the Channels project was initially targeted to be included in Django 1.10, it didn't make it for a variety of reasons. We decided that the best move would be to bring it under the Django umbrella, but keep it separate from the core repository, and so DEP 7 and the Official Projects track was born to enable this. DEP 7 describes what it means to maintain a Django package, so we can make sure they stay updated, have security issues patched, and work with current Django releases. Whether Channels continues as a separate package or is merged into the core repository in the future isn't yet decided, but you can expect to see a 1.0 release very soon, and with that, a stable platform to build applications against, though we'll be keeping backwards compatibility (or, if needed, implementing clear deprecation warnings) for code written against existing Channels releases.

The five packages now under the Django project are:

Channels, the Django integration layer
Daphne, the HTTP and Websocket termination server
asgiref, the base ASGI library/memory backend
asgi_redis, the Redis channel backend
asgi_ipc, the POSIX IPC channel backend

There's still plenty of work to be done, both on the Channels side, to fix bugs, implement features, and improve our documentation, and on the Django side, to help weave mentions of Channels into the main documentation and make sure people are aware of their options. If you're interested in contributing at all, please read the Channels contribution documentation. If you're interested in learning more about Channels and what it can do, take a read of the documentation, or have a look through some well-commented example projects.
Posted 6 months ago by Tim Graham
Today we've issued the 1.10.1 bugfix release. The release package and checksums are available from our downloads page, as well as from the Python Package Index. The PGP key ID used for this release is Tim Graham: 1E8ABDC773EDE252.
Posted 6 months ago by Daniele Procida
Please welcome our new members. Some were nominated in recognition of their contributions to Django's code, some for their service on Django committees and work in other community organisations, and some in recognition of their contributions to the development of the international Django community. All were seconded by the existing members of the DSF, and their election approved by the DSF Board.

Nominated 10th June

Sergey Fedoseev (Russia)
Berker Peksag (Turkey)
Alasdair Nicol (UK)
Jon Dufresne (Canada)
Marten Kenbeek (Netherlands)
Daniel Wiesmann (Portugal)
Alex Hill (Australia)
Michal Petrucha (Slovakia)

All are active technical contributors to Django's code base, with over 300 commits between them, not to mention the help they have offered to others on our support channels. Jon Dufresne is also the newest member of the Django core development team.

Nominated 19th July

Paul Hallett (UK)
Lucie Daeye (France)

Both have made substantial contributions to the Django community, through their work on Django Girls and by taking on roles in Django community organisation. Lucie works for the Django Girls Foundation and Paul serves on the Django Project Code of Conduct committee. Both have worked hard to make the Django community ever more inclusive and good to be part of.

Nominated 1st August

Helen Sherwood-Taylor (UK)
Aisha Bello (Nigeria)
Anna Makarudze (Zimbabwe)
Humphrey Butau (Zimbabwe)
Jessica Upani (Namibia)
Loek van Gent (Netherlands)

All have been active in the Django community around the world, and were an important part of the success of PyCon Namibia this year. They're all continuing to work on the community's development, and are involved in efforts to bring new community conferences to fruition in Africa (in Zimbabwe and Nigeria just to name two).

Expanding our membership

The new members represent a substantial increase in the membership, of about 16%. They also represent the way the Django Software Foundation is starting to recognise a more diverse community of people who can contribute in many different ways, and a genuinely global membership, including five more African members. Thanks to those who nominated these new Django Software Foundation members, and thanks to our new members too, for their past, present and future contributions.
Posted 7 months ago by Tim Graham
The Django team is happy to announce the release of Django 1.10. As always, the release notes cover the panoply of new features in detail, but a few highlights are:

Full text search for PostgreSQL.
New-style middleware to solve the lack of strict request/response layering of the old-style of middleware.
Official support for Unicode usernames.

You can get Django 1.10 from our downloads page or from the Python Package Index. The PGP key ID used for this release is Tim Graham: 1E8ABDC773EDE252. Django 1.10 will receive fixes for security issues, data loss bugs, crashing bugs, major functionality bugs in newly-introduced features, and regressions from older versions of Django for eight months until April 2017. Fixes for security issues and data loss bugs will be provided for another eight months until December 2017. With the release of Django 1.10, Django 1.9 has reached the end of mainstream support. The final minor bugfix release (1.9.9) was issued today. Django 1.9 will receive security and data loss fixes for another eight months until April 2017. See the downloads page for a table of supported versions and the future release schedule.
Posted 7 months ago by Ola Sitarska
Django: Under the Hood is back for its third edition! DUTH is an annual Django conference that takes place in Amsterdam, the Netherlands. On 3rd - 6th November this year, we're going to see 9 deep dive talks into topics of Django channels, testing, Open Source funding, JavaScript, Django forms validation, debugging and many more. Django: Under the Hood also gives the opportunity to bring many Django core developers to work together and shape the future of Django with a group of 300 passionate Django developers attending the conference. This year, the registration process for the conference became a lottery to avoid a mad rush and tickets selling out in minutes.

Registration

You can register now, and the lottery is only open until 26th of July at noon Amsterdam time. If you want to make sure that tickets for your team are reserved and set aside, Django: Under the Hood still has a few sponsorship opportunities open. Please get in touch on hello@djangounderthehood.com.