Security releases issued
In accordance with our security release policy, the Django team is issuing multiple releases -- Django 1.4.20, 1.6.11, 1.7.7 and 1.8c1. These releases are now available on PyPI and our download page. These releases address several security issues detailed below. We encourage all users of Django to upgrade as soon as possible. The Django master branch has also been updated.
Django 1.8 is now at release candidate stage. This marks the string freeze and the call for translators to submit translations. Provided no major bugs are discovered that can't be solved in the next two weeks, 1.8 final will be issued on or around April 1. Any delays will be communicated on the django-developers mailing list thread.
Mitigated possible XSS attack via user-supplied redirect URLs
However, if a developer relies on is_safe_url() to provide safe redirect targets and puts such a URL into a link, they could suffer from an XSS attack, as some browsers, such as Google Chrome, ignore control characters at the start of a URL in an anchor href.
Thanks Daniel Chatfield for reporting the issue.
This issue has been assigned the identifier CVE-2015-2317.
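The following is an added example, not Django's own code. It shows one way to refuse a redirect target whose first character is a control character, next to a scheme/host check that misses it. The function names, the `app.example` host and the sample URLs are constructed for illustration.

```python
import re
import unicodedata

SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")
ALLOWED_SCHEMES = {"http", "https"}

def scheme_and_host(url):
    """Minimal splitter for this demo: (scheme, host), '' when absent."""
    m = SCHEME_RE.match(url)
    scheme = m.group(1).lower() if m else ""
    rest = url[m.end():] if m else url
    host = ""
    if rest.startswith("//"):
        host = re.split(r"[/?#]", rest[2:], maxsplit=1)[0].lower()
    return scheme, host

def naive_is_safe(url, allowed_host):
    """Scheme/host allow-list only; blind to a leading control character."""
    if not url:
        return False
    scheme, host = scheme_and_host(url)
    return scheme in ALLOWED_SCHEMES | {""} and host in {"", allowed_host}

def hardened_is_safe(url, allowed_host):
    """Reject a first character in Unicode category C* before parsing,
    because a browser may drop it and read what follows as the URL."""
    if not url or unicodedata.category(url[0])[0] == "C":
        return False
    return naive_is_safe(url, allowed_host)

# Constructed sample redirect targets (not taken from the advisory).
SAMPLES = [
    "/accounts/profile/",
    "https://app.example/next",
    "https://other.example/",
    "javascript:void(0)",
    "\x08javascript:void(0)",
    "\x08//other.example/",
]

def audit(urls, allowed_host="app.example"):
    """URLs the naive check accepts but the hardened check refuses."""
    return [u for u in urls
            if naive_is_safe(u, allowed_host) and not hardened_is_safe(u, allowed_host)]
```

Running `audit(SAMPLES)` returns only the two targets that begin with `\x08`, which are the inputs a validator must reject before the value reaches an `href`.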
- Django master development branch
- Django 1.8 (currently at release candidate status)
- Django 1.7
- Django 1.6
- Django 1.4 (is_safe_url() issue only)
Per our supported versions policy, Django 1.5 is no longer receiving security updates.
Patches have been applied to Django's master development branch and to the 1.4, 1.6, 1.7, and 1.8 release branches, which resolve the issues described above. The patches may be obtained directly from the following changesets:
On the development master branch:
On the 1.8 release branch:
On the 1.7 release branch:
On the 1.6 release branch:
On the 1.4 release branch:
The following new releases have been issued:
- Django 1.8c1 (download Django 1.8c1 | 1.8c1 checksums)
- Django 1.7.7 (download Django 1.7.7 | 1.7.7 checksums)
- Django 1.6.11 (download Django 1.6.11 | 1.6.11 checksums)
- Django 1.4.20 (download Django 1.4.20 | 1.4.20 checksums)
The PGP key ID used for these releases is Tim Graham: 1E8ABDC773EDE252.
General notes regarding security reporting
As always, we ask that potential security issues be reported via private email to firstname.lastname@example.org, and not via Django's Trac instance or the django-developers list. Please see our security policies for further information.