ANN: Critical security updates to Django 1.0 and Django 1.1


James Bennett

Oct 9, 2009, 5:50:18 PM
to django-d...@googlegroups.com, django...@googlegroups.com, django-...@googlegroups.com
Today the Django project is issuing a set of releases to remedy a security
issue. This issue was disclosed publicly by a third party on a high-traffic
mailing list, and attempts have been made to exploit it against live Django
installations; as such, we are bypassing our normal policy for security
disclosure [1] and proceeding with immediate release of patches and updated
releases.

Full information is available on the Django project weblog:

http://www.djangoproject.com/weblog/2009/oct/09/security/

This issue has been fixed in Django's development trunk, and we've released
the following new versions of Django to address this issue:

* Django 1.1.1.

* Django 1.0.4.

These releases are available on our download page [2] and on PyPI [3].

This issue has seen active exploits in the wild. All users of affected versions
of Django are strongly encouraged to upgrade or apply the appropriate patch
immediately.

As mentioned above, this issue was initially disclosed publicly on a
high-traffic mailing list. We'd like to remind our users that the correct
channel for security reports is to send them to <secu...@djangoproject.com>.
This allows the development team time to develop a solution and coordinate
disclosure, both to the Django community as a whole and to the numerous third
parties who maintain and distribute packaged versions of Django.

When debating whether a particular issue impacts security, we ask that you err
on the side of caution and always contact <secu...@djangoproject.com>; we
will be more than happy to work with you in analyzing and assessing potential
security issues.

[1] http://docs.djangoproject.com/en/dev/internals/contributing/#id2
[2] http://www.djangoproject.com/download/
[3] http://pypi.python.org/pypi/Django

--
"Bureaucrat Conrad, you are technically correct -- the best kind of correct."
