Weblog

September archive

Django 1.3 release schedule

September 30, 2010

Django 1.2 has been in the wild for a couple of months, and we've had plenty of time to talk about what we want to see in Django 1.3. That means it's time to pick features and nominate some deadlines.

From the feedback from DjangoCon, and from conversations on the mailing lists and IRC, it's fairly clear that people are happy with the new features that have been added with Django 1.1 and 1.2. However, there is also concern about the growing backlog of bugs and minor feature requests that have accrued while we work on these big features.

For this reason, Django 1.3 is going to be light on big new features, and heavy on bugfixes and little features. We'll still have a couple of big features -- most likely those features that have missed previous releases, such as logging and class-based generic views. However, for the bulk of the release, we're going to try to focus on getting the open ticket count down.

Here's the release schedule:

  • October 18, 2010 -- Django 1.3 alpha; major feature freeze
  • November 29, 2010 -- Django 1.3 beta; complete feature freeze
  • January 10, 2011 -- Django 1.3 RC1; translation string freeze
  • January 17, 2011 -- Django 1.3 final

Full details, an explanation of the schedule, and suggestions on how to help out can be found in the 1.3 Roadmap.

So dig in! There's plenty of work to do, and the more volunteers we have, the better Django 1.3 will be!

Django 1.2.3 released

September 10, 2010

Today the Django team has released Django 1.2.3, which remedies several issues with the recent 1.2.2 package.

This package corrects the following problems:

  • The patch applied for the security issue covered in Django 1.2.2 caused issues with non-ASCII responses using CSRF tokens. This has been remedied.
  • The patch also caused issues with some forms, most notably the user-editing forms in the Django administrative interface. This has been remedied.
  • The packaging manifest did not contain the full list of required files. This has been remedied.

All users of Django are encouraged to upgrade to Django 1.2.3 immediately; the 1.2.3 package can be obtained from the Django downloads page, and as always signed checksums for the package are available.

Security release issued

September 8, 2010

Today the Django team is issuing a new release -- Django 1.2.2 -- to remedy a security issue reported to us. This issue was disclosed independently by two different parties, and all users of Django 1.2 are urged to upgrade immediately.

Description of issue

As of the 1.2 release, the core Django framework includes a system, enabled by default, for detecting and preventing cross-site request forgery (CSRF) attacks against Django-powered applications. Previous Django releases provided a different, optionally-enabled system for the same purpose.

The Django 1.2 CSRF protection system involves the generation of a random token, inserted as a hidden field in outgoing forms. The same value is also set in a cookie, and the cookie value and form value are compared on submission.

The provided template tag for inserting the CSRF token into forms -- {% csrf_token %} -- explicitly trusts the cookie value, and displays it as-is. Thus, an attacker who is able to tamper with the value of the CSRF cookie can cause arbitrary content to be inserted, unescaped, into the outgoing HTML of the form, enabling cross-site scripting (XSS) attacks.

This issue was first reported via a public ticket in Django's Trac instance; while it was being triaged, it was then independently reported, with a broader description, by Jeff Balogh of Mozilla.

Affected versions

  • Django development trunk
  • Django 1.2

Because the current CSRF-protection system is new as of Django 1.2, older releases are unaffected.

Resolution

Patches have been applied to Django trunk and to the 1.2 release branch to ensure the cookie value is never trusted and is always escaped. Future Django releases may migrate away from the use of a dedicated cookie to avoid the possibility of such issues.
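As an added illustration of the flow and the fix described above (example code written for this page, not Django's own; it assumes a cookie named csrftoken and a hidden field named csrfmiddlewaretoken), here is a minimal model of the token being issued, rendered into a form, and compared on submission, with the pre-1.2.2 unescaped rendering beside the escaped one:

```python
import html
import hmac
import secrets

# Assumed names for this example; they are not taken from the advisory text.
COOKIE_NAME = "csrftoken"
FIELD_NAME = "csrfmiddlewaretoken"


def new_token():
    """Random token that is stored in the cookie and echoed in each form."""
    return secrets.token_hex(16)


def render_csrf_field_unescaped(cookie_value):
    """Pre-1.2.2 behaviour: the cookie value is trusted and emitted as-is.

    Anything an attacker has managed to place in the cookie ends up verbatim
    inside the form's HTML.
    """
    return "<input type='hidden' name='%s' value='%s' />" % (FIELD_NAME, cookie_value)


def render_csrf_field(cookie_value):
    """Fixed behaviour: the cookie value is never trusted and is always escaped."""
    safe_value = html.escape(cookie_value, quote=True)
    return "<input type='hidden' name='%s' value='%s' />" % (FIELD_NAME, safe_value)


def check_submission(cookies, post_data):
    """Server-side check on submit: the cookie token and the form token must match.

    A missing token on either side fails closed; the comparison is constant-time.
    """
    cookie_token = cookies.get(COOKIE_NAME, "")
    form_token = post_data.get(FIELD_NAME, "")
    if not cookie_token or not form_token:
        return False
    return hmac.compare_digest(cookie_token, form_token)


if __name__ == "__main__":
    token = new_token()
    print(render_csrf_field(token))
    # Constructed tampered cookie value, to show the difference the escaping makes.
    tampered = "abc'><em>tampered</em>"
    print(render_csrf_field_unescaped(tampered))  # markup survives
    print(render_csrf_field(tampered))            # markup is neutralised
    print(check_submission({COOKIE_NAME: token}, {FIELD_NAME: token}))
```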

Patches may be obtained directly from the appropriate changesets:

The following release has been issued:

General notes regarding security

As always, we ask that potential security issues be reported via private email to security@djangoproject.com, and not via Django's Trac instance or the django-developers list.

Due to the time-sensitive nature of this issue, our normal process of advance notification of distributors of Django was not followed; notification to distributors was sent just prior to issuance of this release. If you are or represent a third-party distributor of Django and did not receive a notification email from the Django release manager, please contact james@b-list.org.