Django has a 0-day security vulnerability. It’s time to upgrade:
Security updates released
Today the Django project is issuing a set of releases to remedy a security issue. This issue was disclosed publicly by a third party on a high-traffic mailing list, and attempts have been made to exploit it against live Django installations; as such, we are bypassing our normal policy for security disclosure and immediately issuing patches and updated releases.
Description of vulnerability
Django’s forms library included field types which perform regular-expression-based validation of email addresses and URLs. Certain addresses/URLs could trigger a pathological performance case in this regular expression, resulting in the server process/thread becoming unresponsive, and consuming excessive CPU over an extended period of time. If deliberately triggered, this could result in an effective denial-of-service attack.
Any Django application making use of EmailField or URLField in the following versions is vulnerable:
- Django development trunk
- Django 1.1
- Django 1.0
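The advisory above describes a regex denial of service: a validation pattern whose backtracking cost explodes on crafted input. The following is an added example written for this page, not Django's own code; the two regular expressions are constructed for the demonstration and are not Django's real EmailField/URLField patterns, and `MAX_EMAIL_LENGTH` is an assumed defensive cap rather than a Django setting. It shows an ambiguous pattern, the unambiguous rewrite, and a length guard in front of the regex.

```python
"""Constructed illustration of regular-expression denial of service (ReDoS).

The patterns below are written for this example only; they are NOT the
expressions from Django's EmailField or URLField.
"""
import re
import time

# Ambiguous pattern: `[a-z0-9]+` followed by an optional dot, repeated, lets a
# run of letters be split between iterations in 2^(n-1) ways.  When the final
# `@` fails to match, the engine tries every split before giving up.
AMBIGUOUS_PATTERN = re.compile(r'^(?:[a-z0-9]+\.?)+@example\.com$')

# Unambiguous rewrite: each extra iteration must begin with a literal dot, so a
# run of letters can only be consumed one way and backtracking stays linear.
UNAMBIGUOUS_PATTERN = re.compile(r'^[a-z0-9]+(?:\.[a-z0-9]+)*@example\.com$')

# Assumed defensive cap on input size before any regex runs (not a Django setting).
MAX_EMAIL_LENGTH = 254


def adversarial_input(n):
    """Constructed attacker input: n acceptable characters followed by one
    character that forces the overall match to fail, triggering backtracking."""
    return 'a' * n + '!'


def time_match(pattern, text):
    """Run one anchored match attempt and return (matched, elapsed_seconds)."""
    start = time.perf_counter()
    matched = pattern.match(text) is not None
    return matched, time.perf_counter() - start


def is_valid_address(text):
    """Hardened check: reject oversized input before the regex ever sees it,
    then use the unambiguous pattern so even maximum-length input is cheap."""
    if len(text) > MAX_EMAIL_LENGTH:
        return False
    return UNAMBIGUOUS_PATTERN.match(text) is not None


if __name__ == '__main__':
    # Each extra character roughly doubles the ambiguous pattern's time; the
    # unambiguous pattern stays flat.  Keep n small: 2^(n-1) attempts.
    for n in (12, 14, 16, 18, 20):
        text = adversarial_input(n)
        _, slow = time_match(AMBIGUOUS_PATTERN, text)
        _, fast = time_match(UNAMBIGUOUS_PATTERN, text)
        print(f'n={n:2d}  ambiguous={slow:8.4f}s  unambiguous={fast:8.6f}s')
    print(is_valid_address('first.last@example.com'))
    print(is_valid_address(adversarial_input(5000)))
```

Running the script shows the ambiguous pattern's time doubling with each added character while the rewrite stays in the microseconds. The two mitigations are complementary: removing nested or overlapping quantifiers fixes the algorithmic cost, and capping input length bounds the damage from any pattern you have not yet audited.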
Django 1.0 Template Development, published by Packt, is a book that focuses on the template portions of Django. Django is a popular Python web framework. Django models are easy to build, but I always found the templates rather hard to understand.
Chapters 1, 2 and 3 give an overview of how Django views work together. If you’re a developer, you shouldn’t skip them. I found myself understanding the Django MVC architecture better. (I come from a CakePHP background.) The author (Scott Newman) also did a good job introducing custom filters in Chapter 7. It’s something I hadn’t explored until I read the book. There is also a chapter dedicated to pagination, also a must read.
The book is 272 pages, not too long. If you’re looking to improve your understanding of templates, this could be a good companion. I should also stress that the book is well organized. You can skip through the chapters and go straight to what you need without missing much.
A company, Vyper Logix Corp, has released Django 2.0 without the blessings of the Django Software Foundation. According to James Bennett, the software is built on the Django 0.96.2 codebase which includes a critical bug.
Who would have thought opensource projects could be ripped off that blatantly. Django is a registered trademark of the Django Software Foundation, perhaps a warning could be issued. There’s really no point wasting time and resources pursuing this incident.
The man behind Django 2.0 is Ray Horn, whose public LinkedIn profile can be viewed here. He owns a patent, a Python blog where he blogs as “Guido Python”, and wrote some dubious Python software. (Guido van Rossum, by the way, is Python’s Benevolent Dictator For Life.)
In the LinkedIn profile, he claims to be:
- Supporting over 2 million lines of Python code.
It appears this is not the first time he has done something like this. He has been criticized for taking BlogCFC, rebranding it and releasing it for profit.
I am unsure if he did anything wrong here. He probably didn’t, as the license might have allowed him to alter the software for commercial purposes as long as it is attributed back to the author. (I am not an expert in software licenses.) But what he did here violates commonsense software ethics because there wasn’t significant change from the opensource version. It just got me thinking – how to stop such activities. At the end of the day, it’s up to buyers to decide if they are willing to trust the Ray Horn brand or not.
The Django Book is now going second edition. It’s in the writing process and not much has been written yet.
The Django Book is one of the more interesting initiatives where the public can contribute comments on the contents of the book before it is published. It’s a great way to discover errata and fix sections which are ambiguous. Books are usually written by experts, and there are times they don’t see the difficulty the same way the readers do. Ultimately, The Django Book is aimed at beginners.
As of now, 3 chapters are written.
- @skeevs Django is cool!
Oh, something to play with next week. It’s moving closer to 1.0 already. 1.0 should be out in September. (Source: DjangoProject)
Okay, Django 1.0 alpha has finally been released. I don’t have the time to test this out, but I played around with some pre-1.0 alpha builds a couple of weeks back and at that time the software was already quite stable.
Django 1.0 alpha released!
In accordance with the Django 1.0 release roadmap, tonight we’ve released the first “alpha” testing version of Django 1.0. This release includes all of the major features due for inclusion in the final Django 1.0, though some lower-priority items are still scheduled to be included before the 1.0 feature freeze, which will occur with the first beta release next month.
The next step on that path will be the first Django 1.0 beta release, currently scheduled for August 5. If you’d like to help out, please review our documentation for contributors and feel free to join in one of the development sprints scheduled for the run up to 1.0; the full schedule is available in the Django 1.0 release roadmap.
Now when would CakePHP 1.2 be released?
Jacob Kaplan-Moss discusses the Django 1.0 roadmap and schedule. Some key notes include:
- 1.0 took a long time because of the many features due to be included, notably newforms-admin and a 100% WSGI-compliant Django.
- Django 1.0 will be released in early September. It starts with an alpha, then two betas, then a final release, finally finishing off with a huge party.
And now for the dates:
- July 10-12: “newforms-admin” sprint in person at EuroPython and around the world in IRC.
- July 20: 1.0 alpha
- August 5: 1.0 beta 1
- August 12: 1.0 beta 2
- August 19: 1.0 rc 1
- August 26: Earliest possible 1.0 release date, or perhaps rc2.
- September 2: 1.0
Read the full entry here.
Looks like Django is on track for 1.0. This is encouraging.