Downtime incident today
At approximately 11:20 UTC on the morning of Saturday, November 9, the Django team was made aware of postings to Twitter from a person who claimed to have obtained unauthorized access to a Django project server. The tweets in question claimed that a server used for continuous integration testing was vulnerable to one of the shellshock family of vulnerabilities, and that a shellshock exploit had been used to obtain access to that server. Included among the tweets were a screenshot claiming to show a login session on the server, and claims that the person who had gained access had been able to read API keys used for repository and testing integration.
The immediate response of the Django team was to take all Django project servers/websites -- including, among others, www.djangoproject.com and code.djangoproject.com -- offline and begin imaging those servers for analysis, to determine whether unauthorized access had in fact occurred and if so by whom and by what means.
Additionally, posts were made, both by the official Django project Twitter account and by individual members of the core team on Twitter and other popular social news/media websites, to inform the community that these sites and services had been taken offline deliberately, that we were investigating a claim of unauthorized access to a server, and how to securely obtain packaged releases and documentation of Django during the downtime.
Approximately two hours later, our server infrastructure was brought online again.
At this time, it appears that the claim of access was a hoax; we have no evidence of unauthorized access to, or unusual activity on, any Django project server or any services used by the Django project's infrastructure.
As one of the most immediate concerns is the integrity of released packages of Django, manual verification has been performed on the most recent releases, and a selection of historical releases, of Django:
- Packages hosted on djangoproject.com have been verified by use of their published checksums, and the checksums themselves verified by the PGP signatures attached to them.
- Packages hosted on the Python Package Index have been verified by checksums and PGP signatures.
- Releases tagged in Django's primary repository on GitHub are marked using PGP-signed git tags. Tags and their signatures have been verified.
As a result, we are confident these official channels -- packages hosted directly on djangoproject.com, packages hosted on the Python Package Index, and releases obtained by performing git checkouts of the official repository on GitHub -- are uncompromised, and users of Django can continue to install via these means without fear.
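The checks described above can be reproduced by any user before installing a downloaded package. The following is an added example (not code from the Django project): it parses a checksum file in the common sha256sum layout, compares a package's digest against it in constant time, and reads gpg's machine-readable status output so that the signature on the checksum file is accepted only if it comes from a pinned key fingerprint. The checksum file contents, the package bytes, the version string "Django-X.Y.Z" and the fingerprint values are constructed placeholders.

```python
import hashlib
import hmac
import subprocess

# Constructed sample data, not a real Django release: the "package" bytes
# and a checksum file in sha256sum layout (hex digest, two spaces, name).
SAMPLE_PACKAGE = b"The quick brown fox jumps over the lazy dog"
SAMPLE_CHECKSUMS = """\
# constructed example; Django-X.Y.Z is a placeholder, not a real version
d7a8fbb307d7809469ca9abcb0082e4f8d5651e46d3cdb762d02d0bf37c9e592  Django-X.Y.Z.tar.gz
"""


def parse_checksums(text):
    """Map file name -> lowercase SHA-256 hex digest from sha256sum-style lines."""
    digests = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, name = line.partition("  ")
        if sep and len(digest) == 64 and name:
            digests[name.lstrip("*")] = digest.lower()
    return digests


def checksum_matches(name, data, checksums):
    """Compare the package digest to the published one in constant time."""
    expected = checksums.get(name)
    if expected is None:
        return False
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected)


def signing_fingerprint(status_output):
    """Return the signing key fingerprint from `gpg --status-fd` output,
    or None if gpg reported no valid signature (no VALIDSIG line)."""
    for line in status_output.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[:2] == ["[GNUPG:]", "VALIDSIG"]:
            return fields[2].upper()
    return None


def signature_is_from(expected_fingerprint, *paths):
    """Run gpg on a signed checksum file (clearsigned, or `file.asc file`)
    and accept only a valid signature from the pinned key: a GOODSIG from
    any key that happens to be in the keyring is not sufficient."""
    proc = subprocess.run(["gpg", "--status-fd", "1", "--verify", *paths],
                          capture_output=True, text=True)
    return signing_fingerprint(proc.stdout) == expected_fingerprint.upper()
```

Verify the signature on the checksum file first and only then compare digests; an unsigned checksum published beside a package can be replaced together with the package.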
We apologize to the community for the interruption of access to our Web sites and services this morning, but given the circumstances we believe that taking the Django project's servers offline to investigate was the correct response. We are incredibly thankful for the supportive and understanding replies we saw from members of the community this morning.
Out of an abundance of caution, we will continue to investigate this incident in the coming days. If we discover any information or evidence which would cause concerns regarding the integrity of the Django project's server infrastructure, code, or releases, we will respond appropriately, including making relevant information available to the Django community to ensure that our users and their Django-based projects remain secure.
We would also like to take this opportunity to post a reminder that the Django team takes the security of Django and its infrastructure seriously, and is committed to responsible handling and disclosure of security issues. If you believe you have discovered a security issue in Django or in the server infrastructure used by the project, our security response team is always reachable via email to firstname.lastname@example.org. Our full security policies can be reviewed at djangoproject.com/security.